Forum Discussion
Loop through array in KQL
GaryBushey Hi Gary, the main reason would be so that I could make use of data that I pull in from external sources via API calls, as well as using custom connectors and merging them onto existing connectors.
Another reason would be to be able to enrich existing analytical rules.
LodewykV All of that can be done using tables and either join or union commands. I would recommend looking at the "externaldata" and the Watchlist functionality to get external data.
- LodewykV, Feb 20, 2021, Copper Contributor
GaryBushey Hi Gary, thanks for the recommendation. I'm using the externaldata operator to do an API call and am parsing the data using mv-expand and parse_json, although I've got to use the loop functionality in playbooks to be able to do what I want to do.
I'll have a look at watchlists though.
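
An added example, not part of the original thread: the set-based pattern discussed above, where mv-expand turns each array element into a row and a join enriches events against all of them at once instead of looping. The tables, column names and values are constructed samples; in a real query the `ApiResponse` datatable would be replaced by an externaldata call or a Watchlist lookup.

```kql
// Constructed sample: one row holding a JSON document, standing in for
// an API response read into a single text column.
let ApiResponse = datatable(Raw: string)
[
    '{"indicators":[{"ip":"203.0.113.10","label":"scanner"},{"ip":"198.51.100.7","label":"botnet"}]}'
];
// parse_json makes the text a dynamic value; mv-expand emits one row per
// array element, which is what a loop over the array would have visited.
let Indicators = ApiResponse
| extend Doc = parse_json(Raw)
| mv-expand Item = Doc.indicators
| project IndicatorIP = tostring(Item.ip), Label = tostring(Item.label);
// Constructed sample events standing in for an existing connector's table.
let Events = datatable(TimeGenerated: datetime, User: string, SourceIP: string)
[
    datetime(2021-02-20 10:00:00), "alice", "203.0.113.10",
    datetime(2021-02-20 10:05:00), "bob",   "192.0.2.55",
    datetime(2021-02-20 10:09:00), "carol", "198.51.100.7"
];
// The join compares every event with every indicator in one pass.
// Only events whose SourceIP matches an indicator are returned.
Events
| join kind=inner (Indicators) on $left.SourceIP == $right.IndicatorIP
| project TimeGenerated, User, SourceIP, Label
```

Changing `kind=inner` to `kind=leftouter` keeps the unmatched events as well, with an empty `Label`, which suits enriching an existing analytics rule rather than filtering it.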