Forum Discussion
KQL: setting query time leads to problem in watchlist column projecting
Hello to the community! I have stumbled upon a very strange issue when using watchlists. I have a watchlist with 2 columns (userPrincipalName,allowedActivity) that I am then using to whitelis...
You should use Let rather than Set (Set is a Azure Data Explorer statement)
So in Sentinel Logs it would be (unless you are using ADX?):
let query_now = datetime("1/14/2022, 1:45:46.556 PM");
print query_now
So in Sentinel Logs it would be (unless you are using ADX?):
let query_now = datetime("1/14/2022, 1:45:46.556 PM");
print query_now
I still can confirm the issue, and it is present when we want to go back in time for a few days.
This code gives me full watchlist:
_GetWatchlist("Svc_Accts_without_MFA")This code gives me only three records out of 75:
set query_datetimescope_column = "TimeGenerated";
set query_datetimescope_from = datetime(2025-07-03T23:00:00.000Z);
set query_datetimescope_to = datetime(2025-07-05T23:00:00.000Z);
set query_now=datetime(2025-07-05T23:00:00.000Z);
_GetWatchlist("Svc_Accts_without_MFA")All records in the watchlist were updated months ago.
The "set" commands should impact only DATA queries, using tables, not watchlists.