Forum Discussion
Jeff Walzer
Oct 06, 2021, Iron Contributor
Sentinel Watchlist and KQL query
I created a Sentinel VIP user watchlist and would like to use the SecurityAlert logs. I have the following query:
SecurityAlert
| extend User_Account_ = tostring(parse_json(ExtendedProperties...
GaryBushey
Oct 06, 2021, Bronze Contributor
Jeff Walzer Is there any reason you cannot just change the extend in line 2 to use the User Principal Name like:
| extend ['User Principal Name'] = tostring(parse_json(ExtendedProperties)["User Account"])
If you need to keep that User_Account variable you can do
| extend ['User Principal Name'] = User_Account
Jeff Walzer
Oct 07, 2021, Iron Contributor
GaryBushey - thx for the reply
So I now have the following query:
let watchlist = (_GetWatchlist('VIP') | project 'User Principal Name');
SecurityAlert
| extend ['User Principal Name'] = tostring(parse_json(ExtendedProperties)["User Account"])
| where 'User Principal Name' in (watchlist)
| project TimeGenerated, ['User Principal Name']
But when I run the query, I still see user names that aren't part of the VIP list.
Thx
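As an added example (not a query from the thread), here is the watchlist filter with the column references written in KQL bracket notation: in KQL, 'User Principal Name' in single quotes is a string literal, not a column, so project returns a constant and the where clause compares that constant against a list of the same constant, which is why every alert passes. It assumes the watchlist alias is VIP and its CSV header column is named User Principal Name.

```kql
// Added example, not the poster's or Microsoft's own query.
// Assumptions: watchlist alias 'VIP' with a column "User Principal Name".
// Both sides are lower-cased because the KQL 'in' operator is case-sensitive.
let vip = _GetWatchlist('VIP')
    | project UPN = tolower(tostring(['User Principal Name']));
SecurityAlert
// Pull the account out of the dynamic ExtendedProperties bag.
| extend UserAccount = tostring(parse_json(ExtendedProperties)["User Account"])
// Alerts with no user account can never match a VIP entry; drop them early.
| where isnotempty(UserAccount)
// Keep only alerts whose account appears in the single-column watchlist.
| where tolower(UserAccount) in (vip)
| project TimeGenerated, AlertName, ProviderName, UserAccount
```

Before relying on the filter, check what ExtendedProperties["User Account"] actually holds per ProviderName, since not every alert source writes a UPN into that field; a quick distinct UserAccount, ProviderName over the SecurityAlert table shows whether the values are comparable to the watchlist entries.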