@Jafar1970
If by white list you mean a table of info, there are a few options today.
1. External data (CSV files etc...), please see https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-h...
2. Three examples
//
// create dummmy data, rather than use a print command
//
let sampleData = datatable(Recommendation:string, Counter:int)
[
"My text", 1,
"Some text",2,
"Some other text",3
];
sampleData
| where Recommendation == "Change the max degree of parallelism (MAXDOP) configuration option in Microsoft SQL Server."
Go to Log Analytics and Run Query
//
// create dummmy data, and join to a real Table
//
let sampleData = datatable(Computer:string, Recommendation:string, Counter:int)
[
"OnPremise-12S", "My text", 1,
"ContosoSQLSrv1","Some text",2,
"fake","Some other text",3
];
Event
| project Computer
| join sampleData on Computer
or, shows countries that are NOT "GB" or "US" - just remove the "!" if you wanted the opposite
let whiteList = dynamic (['GB', 'US']); // setup a whitelist of country codes
SigninLogs
| where TimeGenerated >= ago(1d)
| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion)
| where isnotempty(countryOrRegion_)
| where countryOrRegion_ !in (whiteList)