Forum Discussion
caitlin2250
Jun 26, 2021Copper Contributor
I am trying to create a watchlist that displays specific alerts from different business units
here is the query below. I would like to be able to determine which specific business unit server an alert was generated into Azure sentinel but I am unable to create a tag that includes a watchlist...
caitlin2250
Jun 30, 2021Copper Contributor
Hello Louis,
Thank you for the suggestion regarding case insensitive. I am afraid I am new to KQL so how do I incorporate that in this query below
Heartbeat
| lookup kind=leftouter _GetWatchlist('DEV1')
    on $left.Computer == $right.SearchKey
| project UNIT, Computer
Will really appreciate your help with it. Look forward to hearing from you.
Thanks
Caitlin
caitlin2250
Jul 06, 2021Copper Contributor
Hello Louis. Your example works for me for my requirement due to its simplicity, but can you please explain what each line of code does so that I can have a clear understanding of it. Look forward to hearing from you. Thanks Caitlin
LouisMastelinck
Jul 06, 2021Brass Contributor
Hi caitlin2250
I don't have your dataset but I was thinking something like this:
Heartbeat
| extend ComputerKey = tolower(Computer)            // normalise the left-hand key once
| lookup kind=leftouter (
    _GetWatchlist('DEV1')
    | extend SearchKeyLower = tolower(SearchKey)    // normalise the watchlist key the same way
  ) on $left.ComputerKey == $right.SearchKeyLower   // lookup/join only accept column == column, not expressions
| project UNIT, Computer
Give it a try if it will accept this in your syntax.
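A fuller version of the same watchlist enrichment, added here as an example and not code from the thread: it normalises both keys once, tolerates an FQDN on one side and a short hostname on the other (an assumption about the data), keeps only the latest heartbeat per host, and labels hosts that have no watchlist entry so the left-outer nulls are visible instead of silently blank. The watchlist column names SearchKey and UNIT are the ones used in the thread.

```kql
// Added example: enrich Heartbeat with the business unit from the DEV1 watchlist.
// Assumes the watchlist has columns SearchKey (hostname) and UNIT, as in the thread.
let Units = _GetWatchlist('DEV1')
    | extend HostKey = tolower(tostring(split(SearchKey, '.')[0]))   // short name, lower case
    | project HostKey, UNIT;
Heartbeat
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, *) by Computer                    // latest heartbeat per host
| extend HostKey = tolower(tostring(split(Computer, '.')[0]))        // same normalisation as the list
| lookup kind=leftouter Units on HostKey                             // shared column name, so a bare "on" works
| extend UNIT = iff(isempty(UNIT), 'UNASSIGNED', UNIT)               // surface hosts missing from the watchlist
| project TimeGenerated, Computer, UNIT
| summarize HostCount = dcount(Computer), Hosts = make_set(Computer) by UNIT
```

Rows tagged UNASSIGNED are the ones to chase: either the host is not in the watchlist or its SearchKey is spelled differently from the Heartbeat Computer value.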
caitlin2250
Jul 06, 2021Copper Contributor
Thank you very much for the prompt response Louis. Can you please explain what each line of code does, because if I present it to our SOC team they would ask me to explain what each line of code does as we are all new to Sentinel, so I would really appreciate your help with it.
Thank you so much
Caitlin