Forum Discussion
How can I feed a Sentinel watchlist into a union?
Hey all, So, I'm building out a query that will alert me if any of our listed critical Log Analytic tables "goes quiet" which has happened recently. My first version had a static list of LA ...
Returning a "union_arg0" when running this KQL
Use the Usage Table as the source rather than a Union * and list the Distinct DataTypes (which are the table names)
Usage
| distinct DataType
or
let watchlist = dynamic(["Operation","AuditLogs"]);
Usage
| where DataType in (watchlist)
| distinct DataType
Usage
| distinct DataType
or
let watchlist = dynamic(["Operation","AuditLogs"]);
Usage
| where DataType in (watchlist)
| distinct DataType
Fantastic Clive_Watson!
I knew I had the Usage table but never actually used or looked at it.
I now have this which I think will do the job, alerting me of any tables in my Watchlist that have gone quiet.
This uses very little processing compared to my initial idea.
Many thanks!!
Dan