Forum Discussion
Solved
Fact tables in Log Analytics
Can i create and store a dynamic table of users in Azure Log Analytics, that i can join to in queries?
ie. I need a AdminUsers table that holds a list of our admins, and some basic information. I want to join to the AdminUsers table and grab data our of it as needed in queries.
Is this possible, how?
- https://docs.microsoft.com/en-us/azure/sentinel/watchlists would be the feature to look at. In KQL there are other options as well with the Let or Dynamic operator https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/dynamic or for an example: https://github.com/Azure/Azure-Sentinel/blob/fd750efdda4be82ce52e1bd5bbc8f1ec31485bc5/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml
4 Replies
- https://docs.microsoft.com/en-us/azure/sentinel/watchlists would be the feature to look at. In KQL there are other options as well with the Let or Dynamic operator https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/dynamic or for an example: https://github.com/Azure/Azure-Sentinel/blob/fd750efdda4be82ce52e1bd5bbc8f1ec31485bc5/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml
Clive_Watson just replying to confirm for others reading this thread that I setup Watchlists and they're exactly what I needed.
- Hello Andrew,
You can also create dynamic watchlists using Playbook and groups in Azure AD.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/update-microsoft-sentinel-vip-users-watchlist-from-azure-ad/ba-p/3100184
Clive_Watson oh this is fantastic, exactly what we need. I knew that I could use let and build my own static dynamic object, but watchlists are definitely what I need.
Thanks for replying.
