Forum Discussion
caitlin2250
Jun 26, 2021 - Copper Contributor
I am trying to create a watchlist that displays specific alerts from different business units. Here is the query below. I would like to be able to determine which specific business unit server an alert was generated into Azure Sentinel from, but I am unable to create a tag that includes a watchlist...
GaryBushey
Jun 28, 2021 - Bronze Contributor
caitlin2250 The code looks correct. What is the error you are getting, or is it just missing data? You have all the fields you require in the watchlist, right?
caitlin2250
Jun 29, 2021 - Copper Contributor
Hi Gary, thanks for confirming that the code looks correct. I do not get any error. Yes, it's just missing data that I am finding difficult to add on to the code. I would like, for example, for the watchlist to include servers also not from the same business unit and to be able to identify specific alerts from those servers also distinctively. At the moment I have only been able to pull out information from servers within one business unit with this watchlist, and it does not meet the requirement. Hope I have explained it better. Thank you very much for taking the time to respond. Very much appreciated.
GaryBushey
Jun 29, 2021 - Bronze Contributor
caitlin2250 I don't see any reason why you would only get the one business unit returned. If you could paste some of the entries from your watchlist (changing the data to protect your machine names of course), it may help.
CliveWatson
Jun 30, 2021 - Microsoft
caitlin2250
This should work. I did note I couldn't use "Team" as a column name, but "Team_" worked.
Watchlist used:
Heartbeat
| lookup kind=leftouter _GetWatchlist('UNIT') on $left.Computer == $right.SearchKey
| summarize thoseInaTeam=make_set_if(Computer, isnotempty(Team_)), dcountif(Computer, isnotempty(Team_)), thoseNotInaTeam=make_set_if(Computer, isempty(Team_)), dcountif(Computer, isempty(Team_)) by Team_
Result:
Team_ | thoseInaTeam | dcountif_Computer | thoseNotInaTeam | dcountif_Computer1
(empty) | [] | 0 | ["TASARINT201201.fabrikamltd.co.uk","THAMLOCFKOM19.fabrikamltd.co.uk","TASARINT201601.fabrikamltd.co.uk","THAMLOCFKARC01.fabrikamltd.co.uk","THAMLOCPFKWVM01.fabrikamltd.co.uk","THAMLOCFKVMM19.fabrikamltd.co.uk","GENETEC201601.fabrikamltd.co.uk","RDS2019.fabrikamltd.co.uk","ATACENTER.fabrikamltd.co.uk","THAMLOCPFKWVM04.fabrikamltd.co.uk","VMRUBUNTU01","GENETEC201602.fabrikamltd.co.uk","WIN10MS-0.fabrikamltd.co.uk","WIN7.fabrikamltd.co.uk","VMW2019VM01.fabrikamltd.co.uk","powlo-signage","powloexpmegan","powloexpmeganc"] | 18
DEV | ["thamlocfkubu01","THAMUKSOBS01"] | 2 | [] | 0
AKS_DEV | ["aks-agentpool-40245457-vmss000009","aks-agentpool-40245457-vmss00000a"] | 2 | [] | 0
AKS_PROD | ["aks-agentpool-40245457-vmss000001","aks-agentpool-40245457-vmss000000"] | 2 | [] | 0
PROD | ["vmrcentos01"] | 1 | [] | 0
caitlin2250
Jun 30, 2021 - Copper Contributor
Hi Clive,
Thank you very much for the code provided. That is very helpful indeed. I will add the information needed from my end to the code and feed back. Much appreciated.
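The thread's original goal was to tag alerts (not just Heartbeat rows) with the business unit of the server they came from. The following KQL is an added example, not Clive's query or Microsoft's code. It reuses the thread's assumed watchlist alias UNIT with the columns SearchKey (host name) and Team_ (business unit), reads the standard Sentinel SecurityAlert table, and assumes the JSON in its Entities column carries host entities with a HostName (and optionally FQDN) field, which is the usual shape for host-based alerts. The placeholder label UNASSIGNED is my own choice for hosts missing from the watchlist.

```kql
// Added example: attribute SecurityAlert rows to a business unit via the UNIT watchlist.
// Assumptions: watchlist alias 'UNIT' with SearchKey = host name and Team_ = business unit.
let Units = _GetWatchlist('UNIT')
    // KQL '==' is case-sensitive, so normalise both sides of the lookup key.
    | project Computer = tolower(SearchKey), Team_;
SecurityAlert
| where TimeGenerated > ago(7d)
| extend Ent = parse_json(Entities)
| mv-expand Ent                       // one row per entity attached to the alert
| where tostring(Ent.Type) == "host"
// Prefer the FQDN when present, since the watchlist in the thread mixes FQDNs and short names.
| extend Computer = tolower(iff(isnotempty(Ent.FQDN), tostring(Ent.FQDN), tostring(Ent.HostName)))
| where isnotempty(Computer)
| lookup kind=leftouter Units on Computer
// Hosts absent from the watchlist are kept and flagged rather than silently dropped.
| extend BusinessUnit = iff(isempty(Team_), "UNASSIGNED", Team_)
| summarize AlertCount = count(),
            Alerts = make_set(AlertName),
            Hosts = make_set(Computer)
         by BusinessUnit, AlertSeverity
| order by BusinessUnit asc, AlertSeverity asc
```

Two points worth checking in practice: keep the UNASSIGNED bucket visible, because a watchlist that lags behind server provisioning is the usual reason a business unit appears to be "missing data", and compare the host names in Hosts against SearchKey to confirm that both sides use the same form (FQDN versus short name) before trusting the per-unit counts.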