Using Watchlists in Sentinel


I'm beating my head against using a watchlist in Sentinel and can't figure out where I'm going wrong.

My goal is to find logon activity for our privileged accounts. I've created a watchlist called "2020-12-22-admin-accounts" that has a single column named "admin-account". Each value is a user name.

Every time I try to run the below, I get an error "join: both sides of equality should be column entities only". What am I missing here?

_GetWatchlist('2020-12-22-admin-accounts')
|join 
(
SecurityEvent
| where EventID == 4624
) on $left.admin-account == $right.TargetUserName

@mdpuckett 

Figured it out: I needed to refer to the column differently.

_GetWatchlist('2020-12-22-admin-accounts')
|join 
(
SecurityEvent
| where EventID == 4624
) on $left.['admin-account'] == $right.TargetUserName
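As an added example (not part of the thread), the same join turned into something closer to a detection query: the hyphenated column is referenced once with ['admin-account'] and renamed, so the join key is a plain identifier, the comparison is made case-insensitive, and logons are summarized per account and hour. The watchlist and column names are the ones from the question; everything else is an assumption.

```kql
// Added example, not the poster's query. Assumes the watchlist and column
// named in the question; the summarize shape is an assumption.
let admins = _GetWatchlist('2020-12-22-admin-accounts')
    // bracket syntax is required once here because of the hyphen;
    // the renamed column can then be used without brackets
    | project AdminAccount = tolower(['admin-account']);
SecurityEvent
| where EventID == 4624
| extend Account = tolower(TargetUserName)
// inner join keeps only logons whose account is on the watchlist
| join kind=inner admins on $left.Account == $right.AdminAccount
| summarize LogonCount = count(),
            Hosts = make_set(Computer)
    by Account, LogonType, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
```

Renaming the column up front also keeps the join condition free of the `$left.[...]` form that tripped the original query.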