Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

How to apply string literal @ to all items in a watchlist

Copper Contributor

We're currently using a file path watchlist (csv file where each item is a path name, ex C:\sys\svchost), and the match using !in~ against the watchlist is failing. If we take a single item from the watchlist and compare by putting @ in front (ex. @'C:\sys\svchost') the match works as expected. 

 

Is there a way the @ literal can be applied to all items in a watchlist when using the !in operator?

 

We are using the @ symbol as described in the docs here:

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/string

 

 

3 Replies
Have you tried the literal backslash? i.e.,...

C:\\sys\\svchost
I'm sure that would work, but since we're uploading a large watchlist file (thousands of rows with dynamic paths), I'm looking for a method to do a literal comparison on the GUI instead of trying to modify each row with escape characters.
So, maybe I'm missing something, but you just need to use literal backslashes in your KQL query. Keep it single slash in the Watchlist.