Forum Discussion
jams_k8
Jan 12, 2023, Copper Contributor
KQL "not in watchlist" not working
Hi, I am trying to create a query that will display SHA256 hashes of .XLL files that are known as malicious or unknown hashes, while ignoring known good hashes. I have created 2 watchlists, "good" an...
Clive_Watson
Jan 13, 2023, Bronze Contributor
Are you having a case sensitivity issue? Maybe try:
| where FileName endswith tolower(".dll")
or
| where SHA256!in~ (good_)
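A fuller form of the exclusion Clive suggests, added here as an example and not code from the thread; it assumes the watchlist is named "good", that its hash column is called SHA256, and that the file events come from Defender's DeviceFileEvents table:

```kusto
// Added example (not from the original thread).
// Assumptions: watchlist "good" with a SHA256 column; DeviceFileEvents as the source table.
// `in` / `!in` against a tabular expression compares with that expression's FIRST column,
// so the watchlist must be projected down to the single hash column.
let good_ = _GetWatchlist('good')
    | project SHA256 = tolower(tostring(SHA256));
DeviceFileEvents
| where FileName endswith ".xll"              // endswith is case-insensitive in KQL
| where isnotempty(SHA256)                    // events without a computed hash cannot be matched
| extend SHA256 = tolower(SHA256)             // normalize case on both sides of the comparison
| where SHA256 !in (good_)                    // drop hashes present in the "good" watchlist
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = dcount(DeviceName)
    by SHA256, FileName
| order by FirstSeen desc
```

If the `let` is written without the `project`, `_GetWatchlist` returns its bookkeeping columns first, so the hash would be compared against the wrong column and nothing would be excluded.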
jams_k8
Jan 13, 2023, Copper Contributor
Hi, I tried adding your suggestions, but it is still displaying the items included in the watchlist.
I've attached a screenshot of my actual query and the watchlist I am using, and as you can see, the resulting SHA256s are exact matches to those of the workbook. Suspicious file.xll is my test file that is being properly reported, but I can't seem to figure out why the SHA256s in the workbook are still being displayed.
[Screenshot: My query]
[Screenshot: Watchlist results]