Forum Discussion
abubakr786
Dec 07, 2021, Copper Contributor
Partial match with contains using watchlist
I am trying to create an alert when specific file extensions are found in any system, an alert is triggered. For which I have file extensions in a watchlist, I want to write a query that reads dat...
Clive_Watson
Dec 07, 2021, Bronze Contributor
// Pull the watched values out of the 'VIPUsers' watchlist template
let getUsers = _GetWatchlist('VIPUsers')
| project UPN = ['User Principal Name']
;
// 'in' compares the whole value exactly against the single-column watchlist output
SigninLogs
| where AlternateSignInName in ( getUsers )
| summarize count() by AlternateSignInName
This is an example of one way of doing this, using the 'VIPUsers' template and SigninLogs - you can adjust to suit.
abubakr786, Dec 07, 2021, Copper Contributor
I did as you suggested but it doesn't seem to be returning any data. Does it look for matching partial data in the field, like contains, in this scenario? Modified query is:
However, when I do so without watchlists the extensions exist and results are shown:
What could be the issue here?
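An added example, not part of the thread above, showing why an exact-match operator such as `in` returns nothing when a full file name is compared against a list of extensions, and one way to get the partial match the question asks for. It assumes a watchlist named `FileExtensions` whose `SearchKey` column holds bare extensions such as `exe` or `ps1`, and queries the Microsoft Defender `DeviceFileEvents` table; the watchlist name, its column and the table are assumptions, so adjust them to your own data.

```kql
// Assumed watchlist: name 'FileExtensions', SearchKey holds extensions without
// the leading dot (e.g. exe, ps1). Normalise case once here.
let watchedExt = _GetWatchlist('FileExtensions')
    | project Ext = tolower(tostring(SearchKey));
// 'in' is an exact, case-sensitive match on the whole value, so comparing a full
// file name such as 'invoice.pdf.exe' against 'exe' never matches. Extract the
// final extension first, then the exact match works and stays cheap.
DeviceFileEvents
| where isnotempty(FileName)
| extend Ext = tolower(extract(@"\.([A-Za-z0-9]+)$", 1, FileName))
| where isnotempty(Ext) and Ext in (watchedExt)
// Summarise per host and extension so a single device dropping many watched
// files shows up at the top rather than as hundreds of identical rows.
| summarize Hits = count(), Files = make_set(FileName, 20) by DeviceName, Ext
| order by Hits desc
```

The regex deliberately captures only the last extension, so a double-extension name like `invoice.pdf.exe` is classified as `exe`, which is the part that decides how the file executes. If the watchlist values were entered with a leading dot, strip it in the first `project` with `trim_start(@"\.", tostring(SearchKey))` so the two sides compare equal; `in` does not tolerate that difference, which is the usual reason a watchlist-based filter silently returns no rows while a hard-coded `contains` does.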