Forum Discussion

LeenoldTN's avatar
LeenoldTN
Copper Contributor
Feb 18, 2023

KQL: Closing an incident if the events do not include entries in a Watchlist

Good day all.  I want to automatically close an incident if the events do not include entries in a watchlist.  I have another playbook that looks at entities and matches them with the entries...
automation
KQL
siem
soar
gcorsini's avatar
gcorsini
Copper Contributor
Feb 18, 2023
Your pseudocode is a little hard to follow without the full context of what you’re trying to accomplish. Would you mind sharing the actual query, and the original query you’re basing it off of? Obviously obfuscate anything that would be deemed proprietary to your organization (such as the watchlist itself) but I think have both queries would help us determine the source of your errors.


Thanks in advance!
  • LeenoldTN's avatar
    LeenoldTN
    Copper Contributor
    Feb 20, 2023

    gcorsinigcorsini

    Thank you for getting back to me.
    Here is the full code ***I have removed the subscription and resource names***

     

     

     

     

    • LeenoldTN's avatar
      LeenoldTN
      Copper Contributor
      Feb 20, 2023
      The Alert Query also has 'let' statements, so it creates errors when I try and run them.