Forum Discussion

tipper1510
Brass Contributor
Oct 08, 2020

How to use a watchlist instead of a dynamic list

Hi,


Just starting to look at watchlists and was wondering how to use instead of the following:


let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.91.48.210","46.255.230.229"]);

let IPlist = _GetWatchlist('IPWL');
Regards,
Tim
    GaryBushey
    Bronze Contributor

    tipper1510 To use a watchlist, you need to have the values in a text file like a CSV file.  You then upload that file into the Watchlist.  You will be asked for a Name, Description, and an alias.  You use the alias in the commands that CliveWatson posted and then you can use it just like any other table.  The link he posted is very useful as well.


    You can think of this as a way to replace a lot of the externdata calls.

  • tipper1510 


    You can use it in many ways, perhaps like this?

    // Look in the Confidential-Access watchlist for user names (User column) and compare to the UserPrincipalName in AAD SigninLogs
    //
    _GetWatchlist('Confidential-Access')
    | join
    (
        SigninLogs
        | summarize arg_max(TimeGenerated, *) by UserPrincipalName
    ) on $left.User == $right.UserPrincipalName


    or

    // Use watchlist like a Table 
    let conf_ = _GetWatchlist('Confidential-Access');
    conf_
    | count


    // Use watchlist like a Table 
    let conf_ = _GetWatchlist('Confidential-Access');
    conf_
    | where User startswith "megan"


    See also https://secureinfra.blog/2020/10/07/how-to-obtain-and-import-data-into-the-azure-sentinel-watchlist-preview/

      tipper1510
      Brass Contributor

      CliveWatson 

      Many thanks for your reply.


      Still learning KQL: how could I use a watchlist for, say, a set of approved users, and then use it across another table, so that if they exist there and on the watchlist, I can do something else, some other action?


      Regards,


      Tim
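One query that covers both points raised in this thread (replacing the hard-coded `dynamic()` IP list from the original question, and checking sign-ins against an approved-user watchlist as asked above), written as an added example rather than code from any of the posters; it assumes a watchlist aliased `IPWL` with an `IPAddress` column and one aliased `ApprovedUsers` with a `User` column holding UPNs:

```kql
// Added example, not from the thread. Assumed watchlist aliases/columns:
//   IPWL          -> column IPAddress (one IP per row)
//   ApprovedUsers -> column User (user principal names)
//
// 1) Replace  let IPList = dynamic([...])  with the watchlist.
//    The 'in' operator accepts a single-column tabular expression,
//    so the watchlist column can be used directly, no dynamic() needed.
let IPList = _GetWatchlist('IPWL')
    | project IPAddress;
// 2) Approved users, lower-cased so the join is not case-sensitive.
let Approved = _GetWatchlist('ApprovedUsers')
    | project User = tolower(User);
SigninLogs
| where TimeGenerated > ago(1d)
| extend UserKey = tolower(UserPrincipalName)
// Keep only sign-ins whose user exists in BOTH SigninLogs and the watchlist.
// (Use kind=leftanti instead to get sign-ins by users NOT on the approved list.)
| join kind=inner Approved on $left.UserKey == $right.User
// ...and whose source IP is on the IP watchlist: that is the "do something
// else" condition, here surfaced as a summary per user and IP.
| where IPAddress in (IPList)
| summarize
    SignIns   = count(),
    Failed    = countif(ResultType != "0"),   // ResultType is a string in SigninLogs
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| order by LastSeen desc
```

An empty result means no approved user signed in from a listed IP in the last day; if either watchlist has no rows (or the column names differ), the query returns nothing rather than erroring, so check the watchlist with a plain `_GetWatchlist('IPWL') | take 10` first.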
