Jan 07 2021 07:39 AM
I'm beating my head against using a watchlist in Sentinel and can't figure out where I'm going wrong.
My goal is to find logon activity for our privileged accounts. I've created a watchlist called "2020-12-22-admin-accounts" that has a single column named "admin-account". Each value is a user name.
Every time I try to run the below, I get an error "join: both sides of equality should be column entities only". What am I missing here?
_GetWatchlist('2020-12-22-admin-accounts')
|join
(
SecurityEvent
| where EventID == 4624
) on $left.admin-account == $right.TargetUserName
Jan 07 2021 07:53 AM
Figured it out, I needed to refer to the column differently.
_GetWatchlist('2020-12-22-admin-accounts')
|join
(
SecurityEvent
| where EventID == 4624
) on $left.['admin-account'] == $right.TargetUserName
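As an added illustration (this is not the thread author's query), the same watchlist join written so the hyphenated column is renamed once up front, which removes the need for `['...']` quoting later and also guards against a case mismatch between watchlist entries and `TargetUserName`, since KQL string equality in a `join` is case-sensitive. It assumes the standard `SecurityEvent` columns (`TimeGenerated`, `Computer`, `TargetUserName`, `LogonType`, `IpAddress`).

```kql
// Added example, not the poster's code. Privileged-account logons per host,
// built on the watchlist from the thread.
let PrivilegedAccounts =
    _GetWatchlist('2020-12-22-admin-accounts')
    // Rename the hyphenated watchlist column once so no later reference needs
    // bracket quoting; lowercase so the join is not defeated by case differences
    // between the watchlist entries and the event data.
    | project Account = tolower(['admin-account']);
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624            // successful logon
| extend Account = tolower(TargetUserName)
| join kind=inner PrivilegedAccounts on Account
| summarize
    Logons    = count(),
    Sources   = make_set(IpAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by Account, Computer, LogonType
| order by LastSeen desc
```

The `kind=inner` keeps only events whose account is on the watchlist; grouping by `LogonType` makes interactive, network and remote-interactive logons for the same admin account easy to tell apart when reviewing the output.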