Forum Discussion
caitlin2250
Jun 26, 2021 · Copper Contributor
I am trying to create a watchlist that displays specific alerts from different business units
here is the query below. I would like to be able to determine which specific business unit server an alert was generated into Azure sentinel but I am unable to create a tag that includes a watchlist...
caitlin2250
Jun 29, 2021 · Copper Contributor
Hi Luis, thanks for the reply; maybe I wasn’t with my explanation.
I need assistance in developing a KQL query that would add the extra property for Heartbeats.
The additional property would be the Team that manages the VM.
Let's say I have 100 VMs managed by five teams.
When I run the Heartbeat KQL query, I would like to see the team or business unit name that manages the VM.
My approach is to use a Watchlist with two columns. One column would be the Computer, and another column would be the name of the Team or business unit that owns the VM. So I would have five teams in the column Team or business unit and the list of computers assigned to each Team or business unit.
The Computer will be a search key.
The query I am planning to use is
Heartbeat
| lookup kind=leftouter _GetWatchlist('UNIT')
on $left.Computer == $right.SearchKey
After the query is complete, I would like to save it as a function.
Is it the right approach, or you could suggest something better?
Many Thanks
Caitlin
GaryBushey
Jun 29, 2021 · Bronze Contributor
caitlin2250 Your code looks correct. If you want to save it as a function, you can easily do that through the Logs UI. There is no parameter (aka filter) so you will get the full list each time if that is your intention. Otherwise it looks like it will work just fine.
I would think about LouisMastelinck's comment about case sensitivity though. Granted, using "=~" takes more processing, so I would double-check all the entries in the Heartbeat table to make sure they are in the case you are expecting.
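Putting the two replies together, here is an added example (not from the thread) of the Heartbeat-to-watchlist lookup that sidesteps the case-sensitivity concern: the `lookup` operator only accepts `==`, so both sides are normalised with `tolower()` before the match. It assumes a watchlist named 'UNIT' whose SearchKey is the Computer column and which carries a Team column; hosts absent from the watchlist are labelled "Unassigned" so ownership gaps are visible rather than silently dropped.

```kql
// Right side of the lookup: watchlist keys lower-cased so the match is
// case-insensitive. Only the columns needed are projected to avoid name clashes.
let TeamLookup = _GetWatchlist('UNIT')
    | project ComputerKey = tolower(SearchKey), Team;
Heartbeat
| where TimeGenerated > ago(1h)
| summarize arg_max(TimeGenerated, *) by Computer   // latest heartbeat per host
| extend ComputerKey = tolower(Computer)              // same normalisation as the watchlist
| lookup kind=leftouter TeamLookup on ComputerKey
| extend Team = iff(isempty(Team), "Unassigned", Team) // host not in the watchlist
| project TimeGenerated, Computer, OSType, Team
| order by Team asc, Computer asc
```

Once the result looks right, it can be saved from the Logs UI with "Save as function" as Gary describes, and a trailing `| summarize Hosts = count() by Team` gives a quick per-team (and "Unassigned") headcount for spotting drift between the watchlist and what is actually reporting in.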