Forum Discussion

GRaven13
Oct 13, 2022

How do I exclude a watchlist from a query?


// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2022-10-12T14:13:18.6528231Z);
DeviceProcessEvents
| where InitiatingProcessFileName in~("cmd.exe", "explorer.exe", "powershell.exe")
| where ProcessCommandLine has_any ("arp", "whoami", "netstat", "nslookup")
| sort by TimeGenerated desc


If I want to exclude some accounts that are in a watchlist, how do I edit the KQL?
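One way to do this in Microsoft Sentinel, as an added example that is not part of the original post: read the watchlist with the built-in _GetWatchlist() function and filter the account column of DeviceProcessEvents against it. The watchlist alias ExcludedAccounts and its column name AccountName are assumptions; substitute the alias and column of the actual watchlist.

```kql
// Assumption: a watchlist with alias 'ExcludedAccounts' whose items have a column 'AccountName'.
// _GetWatchlist() returns the watchlist items with their fields as top-level columns.
let excludedAccounts = _GetWatchlist('ExcludedAccounts')
    | project AccountName = tostring(AccountName);
// The query_now line from the original alert is omitted here; it only records the alert's run time.
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("cmd.exe", "explorer.exe", "powershell.exe")
| where ProcessCommandLine has_any ("arp", "whoami", "netstat", "nslookup")
// !in~ accepts a single-column tabular expression and matches case-insensitively,
// so rows whose AccountName appears in the watchlist are dropped.
| where AccountName !in~ (excludedAccounts)
| sort by TimeGenerated desc
```

If the exclusion has to match on more than one field (for example account and device), use `join kind=leftanti` against the watchlist on those columns instead of `!in~`.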
