Forum Discussion

rurno's avatar
rurno
Copper Contributor
Aug 18, 2020
Solved

Use "where contains" from a list

Hello,   I have been trying to setup Linux audit logs in Azure Sentinel, using the OMS auditd parser found in the OMS agent. (Not AUOMS, which I can't use as I have isolated servers).   Anyone wh...
kusto
  • mergene's avatar
    mergene
    Aug 18, 2020
    you can use "not (fieldname has_any(dynamiclist))"
rurno's avatar
rurno
Copper Contributor
Aug 18, 2020

mergene 

 

The lists have things I want to exclude from the query in them. The fields I want to exclude this from can and often contains other data so I can never make a 100% match, which is why I need to make use of contains.

 

has_any would work wonders for an inclusive list but not exclusive and !has_any sadly doesn't exist.

 

 

mergene's avatar
mergene
Brass Contributor
Aug 18, 2020
you can use "not (fieldname has_any(dynamiclist))"
  • rurno's avatar
    rurno
    Copper Contributor
    Aug 19, 2020

    mergene 

    It works! You're fantastic.

    Glad to know that not would also work in this instance, I never even thought of it as a possibility.

Resources