SOLVED

Fact tables in Log Analytics

Can I create and store a dynamic table of users in Azure Log Analytics that I can join to in queries?

i.e. I need an AdminUsers table that holds a list of our admins and some basic information. I want to join to the AdminUsers table and grab data out of it as needed in queries.

Is this possible, and how?

4 Replies

best response confirmed by AndrewX (Frequent Contributor)

Reply from Clive_Watson: https://docs.microsoft.com/en-us/azure/sentinel/watchlists would be the feature to look at. In KQL there are other options as well with the let or dynamic operator (https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/dynamic), or for an example: https://github.com/Azure/Azure-Sentinel/blob/fd750efdda4be82ce52e1bd5bbc8f1ec31485bc5/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml
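The two approaches the best response points to, written out as an added example that is not from any reply in this thread: a static fact table carried in the query with `let` + `datatable`, and the same table kept as a Sentinel watchlist. The watchlist name `AdminUsers`, the column names `UserPrincipalName`, `DisplayName`, `Team` and the sample rows are assumptions for illustration.

```kusto
// Variant A: static fact table carried inside the query with let + datatable.
// Constructed sample rows (hypothetical UPNs); replace with the real admin list.
let AdminUsers = datatable(UserPrincipalName:string, DisplayName:string, Team:string) [
    "alice.admin@contoso.example", "Alice Admin", "Identity",
    "bob.ops@contoso.example",     "Bob Ops",     "Platform"
];
SigninLogs
| where TimeGenerated > ago(1d)
// join keys compare case-sensitively, so normalise both sides before looking up
| extend UserPrincipalName = tolower(UserPrincipalName)
| lookup kind=inner (AdminUsers | extend UserPrincipalName = tolower(UserPrincipalName))
    on UserPrincipalName
| summarize SignIns = count(), FailedSignIns = countif(ResultType != "0")
    by UserPrincipalName, DisplayName, Team

// Variant B (run as a separate query): the same fact table kept as a Sentinel watchlist.
// Assumed watchlist name "AdminUsers" with CSV columns UserPrincipalName, DisplayName, Team
// and UserPrincipalName as the SearchKey; only the watchlist needs updating when admins change.
let AdminUsersWL = _GetWatchlist('AdminUsers')
    | project UserPrincipalName = tolower(tostring(SearchKey)), DisplayName, Team;
SigninLogs
| where TimeGenerated > ago(1d)
| extend UserPrincipalName = tolower(UserPrincipalName)
| lookup kind=inner AdminUsersWL on UserPrincipalName
| summarize SignIns = count(), FailedSignIns = countif(ResultType != "0")
    by UserPrincipalName, DisplayName, Team
```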

@Clive_Watson oh this is fantastic, exactly what we need. I knew that I could use let and build my own static dynamic object, but watchlists are definitely what I need.

Thanks for replying.

@Clive_Watson just replying to confirm for others reading this thread that I set up Watchlists and they're exactly what I needed.

Hello Andrew,
You can also create dynamic watchlists using a Playbook and groups in Azure AD.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/update-microsoft-sentinel-vip-users-watchlist-from-azure-ad/ba-p/3100184