Forum Discussion
akshay250692
Mar 22, 2023 | Copper Contributor
Call all watchlist column entities in incident.
We have created a watchlist which has 3 columns. So if any incident is triggered from the watchlist, we should get all entities in the incident. We have created the watchlist based on ThreatIntel. It has 3 c...
GBushey
Mar 23, 2023 | Former Employee
You will not be able to have anything in the incident that is not part of the analytic rule unless you add it as a comment later. I would suggest having all that information added as entities (or at least one entity that is a JSON array) so you can access it in the Incident itself.
- akshay250692 | Mar 28, 2023 | Copper Contributor
This is the query below.

let Watchlist = (_GetWatchlist('xyz')
| project SearchKey);
DeviceNetworkEvents
| where LocalIP in (Watchlist) or RemoteIP in (Watchlist)

Below are the watchlist columns: IPAddress, Provider and MalwareName. How can all columns be included in the above query?
- GBushey | Mar 28, 2023 | Former Employee
Get rid of the "project" statement if you want to see all the columns. The "project" statement will only show those columns that are included as part of the statement ("SearchKey" in this case).
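One way to carry every watchlist column into the analytic rule output, as an added example that is not part of the thread and not code from either poster: instead of filtering with `in`, join DeviceNetworkEvents to the watchlist on the IP column, so Provider and MalwareName travel with each matched event and can then be surfaced in the incident through entity mapping and custom details. It assumes the watchlist alias 'xyz' and the three column names from the question (IPAddress, Provider, MalwareName); the MatchedIP and Events names are introduced here for illustration.

```kql
// Added example (not from the thread). Assumes watchlist alias 'xyz' with columns
// IPAddress, Provider and MalwareName, as described in the question.
let Watchlist = _GetWatchlist('xyz')
    | project IPAddress = tostring(IPAddress),
              Provider = tostring(Provider),
              MalwareName = tostring(MalwareName);
// Keep only the event columns the rule needs (all are standard DeviceNetworkEvents columns).
let Events = DeviceNetworkEvents
    | where isnotempty(RemoteIP)
    | project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, ActionType;
// Match on either side of the connection. An inner join, unlike "in", keeps the
// watchlist's own columns on every matched row.
union
    (Events
     | join kind=inner Watchlist on $left.RemoteIP == $right.IPAddress
     | extend MatchedIP = RemoteIP),
    (Events
     | join kind=inner Watchlist on $left.LocalIP == $right.IPAddress
     | extend MatchedIP = LocalIP)
| project TimeGenerated, DeviceName, MatchedIP, LocalIP, RemoteIP, RemotePort,
          ActionType, Provider, MalwareName
// In the scheduled analytic rule, map MatchedIP to an IP entity and DeviceName to a
// Host entity, and add Provider and MalwareName as custom details so they appear on
// the incident without a later comment.
```

The union of two joins is deliberate: a single `in (Watchlist)` filter answers "did an IP match?" but discards which watchlist row matched, whereas the join form yields one row per matched event and watchlist entry, which is what the entity mapping and custom details of the rule need. If the same IP can appear on both sides of one event, deduplicate with `summarize arg_max(TimeGenerated, *) by DeviceName, MatchedIP` before the final project.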
- akshay250692 | Mar 28, 2023 | Copper Contributor