Forum Discussion
Filtering using watchlist on multiple fields
Hello, I am new to KQL. I am trying to use watchlists to filter out some false positives from a rule in sentinel. I can do the filtering based on one field from watchlist, but what if I need comb...
staro69 Can you combine the fields in your watchlist (as maybe a third field) and then combine the fields you need in the DeviceLogonEvents table using the extend command and then compare the new field to the 3rd field from your watchlist?
- Thanks, that can actually work!
