How to use a watchlist instead of a dynamic list

Hi,

Just starting to look at watchlists and was wondering how to use one instead of the following:
let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.91.48.210","46.255.230.229"]);

let IPList = _GetWatchlist('IPWL');
Regards,

Tim
5 Replies
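The direct swap the question asks for, as an added example (not code from the original post or from the thread): the hard-coded dynamic() array becomes a single-column table read from the watchlist, and in() accepts that table exactly as it accepted the array. The alias IPWL comes from the question; the CSV column name IPAddress, the one-day window and the SigninLogs projection are assumptions.

```kql
// Added example: the watchlist as a drop-in replacement for the dynamic() array.
// Assumptions: the watchlist alias is 'IPWL' (from the question) and its CSV has a
// column named IPAddress; use whatever header your CSV actually carries.
let IPList = _GetWatchlist('IPWL')
    | project IPAddress;                 // single-column table: exactly what in() needs
SigninLogs
| where TimeGenerated > ago(1d)
| where IPAddress in (IPList)            // same shape as: where IPAddress in (dynamic([...]))
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName, Location
| order by TimeGenerated desc
```

A let bound to a tabular expression needs the trailing semicolon that the question's second line is missing. If a search key was chosen when the watchlist was uploaded, that column is also exposed as SearchKey, which is the column Sentinel optimises for joins and lookups, so `| project SearchKey` is the better choice on a large list.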
@tipper1510

You can use it in many ways, perhaps like this?

// Look in conf access watch list for user name (User column) and compare to the UserPrincipalName in AAD SigninLogs
//
_GetWatchlist('Confidential-Access')
| join 
(
    SigninLogs 
    | summarize arg_max(TimeGenerated,*) by  UserPrincipalName
) on $left.User == $right.UserPrincipalName

[screenshot of the query output omitted: Screenshot 2020-10-09 082700.jpg]

or

// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| count

 

// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| where User startswith "megan"

 

See also https://secureinfra.blog/2020/10/07/how-to-obtain-and-import-data-into-the-azure-sentinel-watchlist-preview/

@tipper1510 To use a watchlist, you need to have the values in a text file like a CSV file.  You then upload that file into the Watchlist.  You will be asked for a Name, Description, and an alias.  You use the alias in the commands that @Clive Watson posted and then you can use it just like any other table.  The link he posted is very useful as well.

 

You can think of this as a way to replace a lot of the externaldata calls.

@Clive Watson 

Many thanks for your reply.

 

Still learning KQL: how could I use a watchlist for, say, a set of approved users, then use it across another table, and if they exist there and on the watchlist, do something else, some other action?

 

Regards,

 

Tim

@tipper1510 One of @Clive Watson's replies had a listing for using a watchlist with another table using a JOIN.  That is what would work in this case.
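A worked version of what the last two posts describe, added here as an example (not code from the thread): an approved-users watchlist joined against SigninLogs so that sign-ins by listed users and sign-ins by unlisted users each get their own verdict, which is the "do something else" the question asks for. The alias Approved-Users, the User column and the application name are assumptions; the SigninLogs columns are the standard Azure AD sign-in schema.

```kql
// Added example: approved-users watchlist vs. sign-ins, one verdict per outcome.
// Assumptions: watchlist alias 'Approved-Users' with a CSV column 'User' holding UPNs;
// the application name is illustrative.
let Approved = _GetWatchlist('Approved-Users')
    | extend User = tolower(User)          // join keys are case-sensitive; normalise both sides
    | project User;
let Signins = SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"              // successful sign-ins only (ResultType is a string)
    | where AppDisplayName == "Payroll Portal"   // assumed sensitive application
    | extend User = tolower(UserPrincipalName)
    | summarize LastSeen = max(TimeGenerated), SigninCount = count(),
                IPs = make_set(IPAddress, 10) by User, AppDisplayName;
// Users present in the table AND on the watchlist: expected, keep for the audit trail.
let Expected = Signins
    | join kind=inner Approved on User
    | extend Verdict = "approved";
// Users present in the table but NOT on the watchlist: the rows worth alerting on.
let Unexpected = Signins
    | join kind=leftanti Approved on User
    | extend Verdict = "not approved";
union Expected, Unexpected
| project LastSeen, User, AppDisplayName, SigninCount, IPs, Verdict
| order by Verdict asc, LastSeen desc
```

In an analytics rule you would normally keep only the Unexpected branch; the union is there to show both outcomes side by side. kind=leftanti is the join that answers "in this table but not on the watchlist"; kind=rightanti answers the opposite question, listed users who have not signed in at all. The tolower() on both sides matters because the join compares keys case-sensitively and a hand-built CSV rarely matches the casing of UserPrincipalName exactly.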