Forum Discussion
caitlin2250
Jun 26, 2021, Copper Contributor
I am trying to create a watchlist that displays specific alerts from different business units
Here is the query below. I would like to be able to determine from which specific business unit's server an alert was generated into Azure Sentinel, but I am unable to create a tag that includes a watchlist...
LouisMastelinck
Jun 29, 2021, Brass Contributor
Hi Caitlin
Just thinking out loud here:
Could it be possible that the computers in your watchlist are lowercase and in the logs are uppercase (or a mix), and therefore not having a match and not showing the data?
Could a tolower() be a solution when setting up the join?
caitlin2250
Jun 30, 2021, Copper Contributor
Hello Louis,
Thank you for the suggestion regarding case insensitivity. I am afraid I am new to KQL, so how do I incorporate that in the query below?
Heartbeat
| lookup kind=leftouter _GetWatchlist('DEV1')
on $left.Computer == $right.SearchKey
| project UNIT, Computer
I will really appreciate your help with it. Look forward to hearing from you.
Thanks
Caitlin
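The following is an added example (not code from either poster) showing how Louis's tolower() suggestion fits into Caitlin's query. Equality on join and lookup keys in KQL is case-sensitive, so both sides are normalised to lowercase before the lookup. It assumes, as Caitlin's query does, a watchlist named DEV1 whose SearchKey is the computer-name column and which has a column named UNIT; the 1-day window, the deduplication per host and the Matched flag are additions for illustration.

```kql
// Added example: case-insensitive lookup of Heartbeat against the DEV1 watchlist.
// Assumes watchlist DEV1 with SearchKey = computer name and a UNIT column.
let Units = _GetWatchlist('DEV1')
    | extend SearchKey = tolower(SearchKey)      // normalise the watchlist side once
    | project SearchKey, UNIT;
Heartbeat
| where TimeGenerated > ago(1d)                   // illustrative window
| summarize arg_max(TimeGenerated, *) by Computer // latest heartbeat per host
| extend ComputerKey = tolower(Computer)          // normalise the log side
| lookup kind=leftouter Units on $left.ComputerKey == $right.SearchKey
| extend Matched = isnotempty(UNIT)               // false = host not in the watchlist
| project TimeGenerated, Computer, UNIT, Matched
| order by Matched asc, UNIT asc
```

Rows with Matched == false are the hosts that still do not resolve to a business unit; if those show fully qualified names in Heartbeat while the watchlist holds short hostnames, replace the ComputerKey line with `extend ComputerKey = tolower(tostring(split(Computer, '.')[0]))` so the comparison is made on the hostname part only. The same pattern applies when the left side is SecurityAlert or SecurityIncident instead of Heartbeat, as long as the alert's host column is normalised the same way.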