Forum Discussion

Nexxic
Copper Contributor
Nov 25, 2020
Solved

Using watchlists to whitelist or tune rules

I'm currently experimenting with tuning rules based on content in watchlists. For example, I'm trying to tune the Explicit MFA Deny to not trigger if an IP from the SigninLogs table is in a watchlist...
  • GaryBushey
    Nov 25, 2020

    Nexxic You are very close. Take a look at the join types on the join command page: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuremonitor


    and look at leftantisemi (returns all the records from the left side that don't have matches from the right) and rightantisemi (returns all the records from the right side that don't have matches from the left).


    I include both since there is a comment on this page: "For best performance, if one table is always smaller than the other, use it as the left (piped) side of the join." So you probably want to use your Proxy table on the left and do a rightantisemi join.


    let Proxy = _GetWatchlist('IP');
    Proxy
    | join SigninLogs kind=rightantisemi on $left.IP == $right.IPAddress
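
The following is an added example, not code from the thread or from the Sentinel rule itself, showing the watchlist exclusion applied to a complete detection query rather than to the bare SigninLogs table. It assumes the watchlist alias is 'IP' with a column named IP (as in the answer above), and it uses ResultType == 500121 as a stand-in for the rule's own MFA-deny condition; the 1h lookback and the projected columns are likewise assumptions to be replaced by the rule's real values.

```kql
// Added example (not from the thread): tuning a sign-in detection with a
// watchlist exclusion. Assumptions: watchlist alias 'IP' with a column named
// IP; ResultType == 500121 stands in for the rule's MFA-deny filter; the
// lookback and projected columns are placeholders for the rule's own.
let Proxy = _GetWatchlist('IP')
    | project IP = tostring(IP);            // keep only the join key, as a string
let MfaDenies = SigninLogs
    | where TimeGenerated > ago(1h)         // rule lookback (assumed)
    | where ResultType == 500121            // rule's own MFA-deny condition (assumed)
    | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, ResultDescription;
// Smaller table (the watchlist) goes on the left, per the docs' performance note.
// rightantisemi returns only the right-side rows that have no match on the left,
// so the result is every MFA deny whose IPAddress is not in the watchlist.
Proxy
| join kind=rightantisemi MfaDenies on $left.IP == $right.IPAddress
```

The equivalent form with the detection on the left is `MfaDenies | join kind=leftantisemi Proxy on $left.IPAddress == $right.IP`; both return only SigninLogs columns, so no column de-duplication is needed. Because the exclusion silently drops every deny from a listed address, keep the watchlist narrow and reviewed, and consider alerting separately on the excluded rows at a lower severity so a compromised proxy egress is not invisible.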
