
I am trying to create a user defined function to store as a global function. This has to accept two field parameters and spit out a table.

I managed to get it to work as an inline function.

```kusto
// Tabular parameter: T must have a string column named Title
let customFunc = (T:(Title:string)) {
    T
    | where Title has_any ("value")   // has_any takes a parenthesized list
    | distinct Title
};
let SE_table = SecurityEvent | where TimeGenerated > ago(1h);
let x = customFunc(SE_table);
x   // a query must end with a tabular expression, not a let statement
```

The results display the Title field from the SecurityEvent table with all unique values in the last hour. Once I save this as a global function in the GUI, I receive an error that customFunc expects a scalar value.

Tried saving customFunc as a global function using the GUI with T as a dynamic value, but no dice.

The closest I came to using a global function that takes a field value is detailed in the following article:

https://techcommunity.microsoft.com/blog/microsoftsentinelblog/enriching-windows-security-events-with-parameterized-function/1712564

This predates creation of the GUI that permits saving functions without using PowerShell. I am able to cast T as a dynamic variable within the GUI, but the function declaration is a bit out of my league.

My end goal is to create a function that accepts two arguments, uses them to reference a watchlist and spits out a verdict.

  • Do you have access to the Azure Data Explorer Cluster? You should be able to create the function directly in the database: learn.microsoft.com/en-us/kusto/management/… Commented Mar 15 at 9:52
  • 1
    Ah, I'll look into that, thanks for the tip. Commented Mar 17 at 17:02
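An added example of the end goal described in the question (this is not the poster's code and not from the linked article): a function that takes two scalar arguments, looks them up in a watchlist, and returns a one-row verdict table. Saved Log Analytics / Sentinel functions only let you declare scalar parameter types (string, dynamic, int, datetime and so on), which is why a tabular parameter like `T` is rejected with a scalar-value error; the tabular form works only as an inline `let`. The watchlist alias `HighValueAssets` and its `SearchKey` and `Owner` columns are assumptions for the example.

```kusto
// Added example, not code from the question or the linked article.
// Assumes a Sentinel watchlist with alias 'HighValueAssets' whose SearchKey
// column holds hostnames and which has an 'Owner' column (hypothetical names).
// Both parameters are scalar strings, so the same body can be saved through
// the Sentinel "Save as function" GUI with Account and Host declared as string.
let AssetVerdict = (Account:string, Host:string) {
    _GetWatchlist('HighValueAssets')
    | where SearchKey =~ Host
    // summarize without 'by' still yields one row (counts of 0) when nothing matched,
    // so the "host not in watchlist" case produces a verdict instead of an empty table
    | summarize Known = count(), OwnerMatch = countif(Owner =~ Account)
    | extend Verdict = case(
        Known == 0,     "host-not-in-watchlist",
        OwnerMatch > 0, "expected-owner-on-high-value-host",
                        "unexpected-account-on-high-value-host")
    | project QueriedAccount = Account, QueriedHost = Host, Verdict
};
// Usage: inline call with two field values
AssetVerdict("alice", "srv01")
```

Once saved as a global function with two string parameters, it is called the same way, `AssetVerdict("alice", "srv01")`, from any query in the workspace; `=~` makes the lookup case-insensitive, which is usually what you want for hostnames and account names.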
