cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Filtering using watchlist on multiple fields

staro69
Copper Contributor

‎Jun 17 2021 07:36 AM

‎Jun 17 2021 07:36 AM

Filtering using watchlist on multiple fields

Hello,

 

I am new to KQL. I am trying to use watchlists to filter out some false positives from a rule in sentinel. I can do the filtering based on one field from watchlist, but what if I need combination of both?

 

When filtering based on one condition:

DeviceLogonEvents
| where AccountName !in~ ((_GetWatchlist('npa_test') | project AccountName))

 

What if I want to use combination of DeviceName and AccountName from the watchlist? Any help much appreciated!

1,605 Views
0 Likes
2 Replies
Reply
2 Replies
Gary Bushey

‎Jun 17 2021 09:36 AM

‎Jun 17 2021 09:36 AM

Re: Filtering using watchlist on multiple fields

@staro69 Can you combine the fields in your watchlist (as maybe a third field) and then combine the fields you need in the DeviceLogonEvents table using the extend command and then compare the new field to the 3rd field from your watchlist?

 

0 Likes
Reply
staro69

‎Jun 18 2021 12:30 AM

‎Jun 18 2021 12:30 AM

Re: Filtering using watchlist on multiple fields

Thanks, that can actually work!
0 Likes
Reply