I am trying to create a user defined function to store as a global function. This has to accept two field parameters and spit out a table.
I managed to get it to work as an inline function.
// Query-local (inline) function with a tabular parameter T that must carry a Title column
let customFunc = (T:(Title: string)) {
    T
    | where Title has_any ("value")   // has_any takes a parenthesized list of terms
    | distinct Title
};
let SE_table = SecurityEvent | where TimeGenerated > ago(1h);
let x = customFunc(SE_table);         // each let statement ends with a semicolon
x                                     // a let binding is only evaluated when it is referenced
The results display the Title field from the SecurityEvent table with all unique values in the last hour. Once I save this as a global function in the GUI, I receive an error that customFunc expects a scalar value.
I tried saving customFunc as a global function using the GUI with T as a dynamic value, but no dice.
The closest I came to using a global function that takes a field value is detailed in the following article:
This predates creation of the GUI that permits saving functions without using PowerShell. I am able to cast T as a dynamic variable within the GUI, but the function declaration is a bit out of my league.
My end goal is to create a function that accepts two arguments, uses them to reference a watchlist and spits out a verdict.
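As an added illustration of the two shapes discussed above (a function with a tabular parameter, and a two-argument function that consults a watchlist and returns a verdict), here is example KQL that is not the poster's code. It assumes a Microsoft Sentinel watchlist named 'CriticalAssets' (placeholder name) whose SearchKey column holds computer names, and uses the standard Account and Computer columns of SecurityEvent; the filter terms and sample arguments are constructed.

```kusto
// Added example, not from the original post.
// Assumed: a watchlist 'CriticalAssets' (placeholder name) whose SearchKey column
// holds computer names; SecurityEvent's Account and Computer columns are standard.

// 1) Tabular parameter: T is any table that has an Account column.
let uniqueAccounts = (T:(Account:string)) {
    T
    | where Account has_any ("svc", "admin")   // constructed filter terms
    | distinct Account
};

// 2) Two scalar arguments in, one-row verdict out. The watchlist lookup decides
//    whether the computer is a critical asset; summarize count() yields a single
//    row (0 when nothing matched), so the caller always gets a verdict.
let assetVerdict = (account:string, computer:string) {
    _GetWatchlist('CriticalAssets')            // assumed watchlist name
    | where SearchKey =~ computer
    | summarize Matches = count()
    | extend Account  = account,
             Computer = computer,
             Verdict  = iff(Matches > 0, "escalate", "benign")
    | project Account, Computer, Verdict
};

// Tabular invocation, equivalent to uniqueAccounts(SecurityEvent | where ...):
//   SecurityEvent
//   | where TimeGenerated > ago(1h)
//   | invoke uniqueAccounts()

// Scalar invocation with constructed sample arguments:
assetVerdict("svc_backup", "DC01")
```

The invoke operator is the idiomatic way to feed a table into a function whose first parameter is tabular, which is why a saved function with a dynamic (scalar) parameter type cannot stand in for it: a scalar slot receives a single value per call, not a row set. The verdict function is deliberately tabular rather than wrapped in toscalar(), so it can be joined or unioned with other results without the evaluation restrictions that toscalar() carries.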