cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Entra Tech Accelerator
Jun 27 2023, 08:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more
SOLVED

Watchlist file name as a function parameter

abon13
Occasional Contributor

‎Oct 06 2022 11:16 PM

‎Oct 06 2022 11:16 PM

Watchlist file name as a function parameter

Hi, I am writing a main function that calls out sub functions as per IoC's stored in the watchlist.  Currently I have the watchlist file name in every sub-functions and was hoping if I can avoid these in such a way that we just call the main function with the file name as a parameter and this will in turn provide the watchlist file to the subfunctions too.

 

If you look at the first line of the below two sub functions, you will see I have the watchlist filename hardcoded there

 

 

IPsearch()
let watchlist_ip=(_GetWatchlist('TestWatchlist')| where Type == 'IP_Address'| project SearchKey);
let Office_Okta = (OfficeActivity
| union Okta_CL
| where TimeGenerated >= ago(1d)
| where ClientIP in (watchlist_ip) or client_ipAddress_s in (watchlist_ip)
| project TimeGenerated,  ClientIP, UserId

 

 

 

 

 

URLsearch()
let watchlist_search_url=(_GetWatchlist('TestWatchlist')| where Type == 'CMD_Process_File'| project SearchKey);
let Office=( OfficeActivity
|union NetworkFw
| where TimeGenerated >= ago(Time)
.
.
.
.);

 

 

 

Here is the current main function without watchlist file as a parameter

 

 

Main()

Ipsearch()
|union UrlSearch()

 

 

 

 

My plan is something like I only execute Main(WathclistFileName) to get the results. How do I do this ?

 

 

Main(WatchlistFileName)

IpSearch(filename_provided_in_the_main)
| union UrlSearch(filename_provided_in_the_main)

 

 

 

 

Labels:
606 Views
0 Likes
4 Replies
Reply
4 Replies
Clive_Watson

‎Oct 07 2022 01:22 AM

‎Oct 07 2022 01:22 AM

Re: Watchlist file name as a function parameter

Materialize could help here https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/materializefunction but I've not tried it in a function like you describe.

This example is close to what you ask:

To use the let statement with a value that you use more than once, use the materialize() function. Try to push all possible operators that will reduce the materialized data set and still keep the semantics of the query. For example, use filters, or project only required columns.

Kusto

let materializedData = materialize(Table
| where Timestamp > ago(1d));
union (materializedData
| where Text !has "somestring"
| summarize dcount(Resource1)), (materializedData
| where Text !has "somestring"
| summarize dcount(Resource2))
0 Likes
Reply
abon13

‎Oct 10 2022 05:31 AM

‎Oct 10 2022 05:31 AM

Re: Watchlist file name as a function parameter

Would you be able to elaborate how i can use materialize for this use case ?

I am trying to understand even for making use of materialise, how can I call the watchlist file name made use in the main function.
0 Likes
Reply
best response confirmed by abon13 (Occasional Contributor)
Clive_Watson

‎Oct 10 2022 07:58 AM

‎Oct 10 2022 07:58 AM

Solution

Re: Watchlist file name as a function parameter

@abon13 

 

So for example, I have a Watchlist with 7 rows of IP Addresses.  I use materialize to cache the data with a let() to the name wList

let wList = materialize ( _GetWatchlist('ipa') );
union 
(
wList
| where SearchKey !startswith "188"
| count
),
(
wList
| where SearchKey startswith "188"
| count
)

As you can see (in this very brief example) I call wList twice but ask for different data each time  

Clive_Watson_0-1665413717260.png

 

0 Likes
Reply
abon13

‎Oct 12 2022 07:06 AM

‎Oct 12 2022 07:06 AM

Re: Watchlist file name as a function parameter

thank you
0 Likes
Reply