Understand parameterized KQL functions
When calling KQL functions, you can provide a set of parameters. This is an important concept for building ASIM parsers as it allows you to filter the function results with dynamic values before returning results.
First, navigate to Logs in the Microsoft Sentinel workspace.
The following sample function returns all events in the Azure Activity log since a particular date and that match a particular category.
Start with the following query using hardcoded values. This verifies that the query works as expected.
AzureActivity
| where CategoryValue == "Administrative"
| where TimeGenerated > todatetime("2021/04/05 5:40:01.032 PM")
Next, replace the hardcoded values with parameter names and then save the function by selecting Save and then Save as function.
AzureActivity
| where CategoryValue == CategoryParam
| where TimeGenerated > DateParam
Enter Function name as AzureActivityByCategory Then create two parameters:
Type | Name | Default value |
---|---|---|
string | CategoryParam | "Administrative" |
datetime | DateParam |
Your screen should look like the image below:
Create a new query. Then enter:
AzureActivityByCategory("Administrative", todatetime("2021/04/05 5:40:01.032 PM"))