Forum Discussion
akshay250692
Brass Contributor
This is the query below.
let Watchlist = (_GetWatchlist('xyz')
| project SearchKey);
DeviceNetworkEvents
| where LocalIP in (Watchlist) or RemoteIP in (Watchlist)
Below are the watchlist columns, which are IPAddress, Provider and MalwareName. How can all columns be included in the above query?
GBushey
Mar 28, 2023 Microsoft
Get rid of the "project" statement if you want to see all the columns. The "project" statement will only show those columns that are included as part of the statement ("SearchKey" in this case).
- akshay250692 Mar 28, 2023 Brass Contributor
- GBushey Mar 28, 2023 Microsoft: The way you have your code written, it is looking for "SearchKey" as part of the "DeviceNetworkEvents" table rather than the watchlist. You would need to do a join or a union to have that field show up in your results.
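The join suggested in the last reply, written out as an added example that is not part of the original thread. It assumes the watchlist's SearchKey is its IPAddress column; `MatchedOn` is a hypothetical column name added to show which side of the connection matched.

```kusto
// Added example. 'xyz', IPAddress, Provider and MalwareName come from the thread.
// Assumption: SearchKey of this watchlist is the IPAddress column.
let Watchlist = _GetWatchlist('xyz')
    | project IPAddress   = tostring(SearchKey),
              Provider    = tostring(Provider),
              MalwareName = tostring(MalwareName);
// Single-column list used only to pre-filter events before joining.
let WatchlistIPs = Watchlist | project IPAddress;
let Hits = DeviceNetworkEvents
    | where LocalIP in (WatchlistIPs) or RemoteIP in (WatchlistIPs);
// Join once per IP column so a match on either side carries the watchlist columns.
union
    (Hits
     | join kind=inner (Watchlist) on $left.RemoteIP == $right.IPAddress
     | extend MatchedOn = "RemoteIP"),
    (Hits
     | join kind=inner (Watchlist) on $left.LocalIP == $right.IPAddress
     | extend MatchedOn = "LocalIP")
| project-reorder MatchedOn, IPAddress, Provider, MalwareName
```

An event whose LocalIP and RemoteIP are both on the watchlist appears twice, once per match, each row carrying the Provider and MalwareName of the matched entry.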