Forum Discussion
How do I exclude a watchlist from a query?
// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2022-10-12T14:13:18.6528231Z);
DeviceProces...
There is an example at the end of this thread on a watchlist and the syntax you need https://techcommunity.microsoft.com/t5/microsoft-sentinel/sentinel-watchlist-and-kql-query/m-p/2817260