How to Find the Enhanced Functions Capabilities in the Azure Sentinel Console

The Functions capability of Log Analytics has been enhanced, and it's worth knowing about these changes because some of the nuances can help you in your Azure Sentinel endeavors such as Hunting and Parsing.

Take a look in your Azure Sentinel console along with the image below to get the comparison.

Changes in Functions

The first thing to know is that Functions has now been shifted to a new location. It’s now on the left-hand side in the same area as the Tables and Queries. This enables you to filter, search, and view the Functions by solution area. The solution areas in my example are Azure Sentinel, LogManagement, and Workspace functions. Additionally, this also means you can identify the Functions you use the most and mark them as Favorites to be included in the Favorites area.

The next thing to know is that you can now hover over a Function to expose some quick actions: inserting the Function into the query editor, removing the Function, and loading its entire source code into the editor so you can view (and modify) the Function.

View the code behind the Function

For example, did you know the _GetWatchlist function is as simple as…

Watchlist
| where TimeGenerated < now()
| where _DTItemType == 'watchlist-item'
| where WatchlistAlias == watchlistAlias
| summarize hint.shufflekey=_DTItemId arg_max(_DTTimestamp, _DTItemStatus, LastUpdatedTimeUTC, SearchKey, WatchlistItem) by _DTItemId
| where _DTItemStatus != 'Delete'
| project-away _DTTimestamp, _DTItemStatus
| evaluate bag_unpack(WatchlistItem)
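As an added example (not code from the original post), here is how a parameterized Function such as _GetWatchlist is typically prototyped and consumed in the query editor: a small wrapper function takes a watchlist alias the same way _GetWatchlist takes watchlistAlias, and a hunting query uses its output to scope failed sign-ins to high-value accounts. The watchlist alias 'HighValueAssets', the assumption that its items were uploaded with the user principal name as the SearchKey, and the thresholds are all assumptions for illustration; SearchKey itself is a real column of the _GetWatchlist output shown above.

```kusto
// Added example, not from the post. Assumes a watchlist with alias
// 'HighValueAssets' whose SearchKey column holds user principal names.
// The wrapper mirrors _GetWatchlist's watchlistAlias parameter and can be
// saved as a Function of its own once it behaves as expected in the editor.
let GetWatchlistKeys = (watchlistAlias:string) {
    _GetWatchlist(watchlistAlias)
    | project SearchKey
};
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"                       // failed sign-ins only (ResultType is a string)
| where UserPrincipalName in~ (GetWatchlistKeys('HighValueAssets'))
| summarize FailedAttempts = count(),
            SourceIPs = make_set(IPAddress, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by UserPrincipalName, bin(TimeGenerated, 1h)
| where FailedAttempts >= 5                     // assumed threshold; tune per environment
| order by FailedAttempts desc
```

Because the query only references the watchlist through the Function, the list of monitored accounts can be updated in the watchlist without editing the hunting query, which is the maintainability benefit of keeping such logic in a Function library.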

Have fun with this. I appreciate these changes and how they make it much easier to develop and maintain my Function library.
