Forum Discussion

Brass Contributor

Oct 08, 2020

How to use a watchlist instead of a dynamic list

Hi, Just starting to look at watchlists and was wondering how to use instead of the following: let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.9...

CliveWatson

Former Employee

Oct 09, 2020

tipper1510

You can use it in many ways, perhaps like this?

// Look in conf access watch list for user name (User column) and compare to the UserPrincipalName in AAD SigninLogs
//
_GetWatchlist('Confidential-Access')
| join 
(
    SigninLogs 
    | summarize arg_max(TimeGenerated,*) by  UserPrincipalName
) on $left.User == $right.UserPrincipalName

// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| count

// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| where User startswith "megan"

tipper1510

Brass Contributor

Oct 09, 2020

CliveWatson

Many thanks for your reply.

Still learning kql, how could i use a watchlist for say a set of approved users and then use across another table and if they exist there and on the watchlist then do something else some other action.

Regards,

Tim

GaryBushey
Bronze Contributor
Oct 10, 2020
tipper1510 One of CliveWatson's replies had a listing for using a watchlist with another table using a JOIN. That is what would work in this case.
- CliveWatson
  Former Employee
  Oct 13, 2020
  Also see https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-watchlist-is-now-in-public-preview/ba-p/1765887