Filtering using watchlist on multiple fields

Question

Hello,&nbsp;I am new to KQL. I am trying to use watchlists to filter out some false positives from a rule in sentinel. I can do the filtering based on one field from watchlist, but what if I need combination of both?&nbsp;When filtering based on one condition:DeviceLogonEvents
| where AccountName !in~ ((_GetWatchlist('npa_test') | project AccountName))&nbsp;What if I want to use combination of DeviceName and AccountName from the watchlist? Any help much appreciated!

garybushey · Answer

staro69&nbsp;Can you combine the fields in your watchlist (as maybe a third field) and then combine the fields you need in the DeviceLogonEvents table using the extend command and then compare the new field to the 3rd field from your watchlist?&nbsp;

staro69 · Answer

Thanks, that can actually work!

Forum Discussion

Filtering using watchlist on multiple fields

2 Replies