Forum Discussion
Filtering using watchlist on multiple fields
Hello, I am new to KQL. I am trying to use watchlists to filter out some false positives from a rule in sentinel. I can do the filtering based on one field from watchlist, but what if I need comb...
staro69 Can you combine the fields in your watchlist (as maybe a third field) and then combine the fields you need in the DeviceLogonEvents table using the extend command and then compare the new field to the 3rd field from your watchlist?
Thanks, that can actually work!