Microsoft Tech Community

How to use a watchlist instead of a dynamic list




Just starting to look at watchlists and was wondering how to use one instead of the following:


let IPList = dynamic(["","","","","",""]);
let IPlist = _GetWatchlist('IPWL')
5 Replies



You can use it in many ways, perhaps like this?

// Look in conf access watch list for user name (User column) and compare to the UserPrincipalName in AAD SigninLogs
_GetWatchlist('Confidential-Access')
| join (
    SigninLogs
    | summarize arg_max(TimeGenerated,*) by UserPrincipalName
) on $left.User == $right.UserPrincipalName




// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| count


// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| where User startswith "megan"


See also

@tipper1510 To use a watchlist, you need to have the values in a text file like a CSV file.  You then upload that file into the Watchlist.  You will be asked for a Name, Description, and an alias.  You use the alias in the commands that @CliveWatson posted and then you can use it just like any other table.  The link he posted is very useful as well.


You can think of this as a way to replace a lot of the externaldata calls.


Many thanks for your reply.


Still learning KQL, how could I use a watchlist for, say, a set of approved users and then use it across another table, and if they exist there and on the watchlist then do something else, some other action?





@tipper1510 One of @CliveWatson's replies had a listing for using a watchlist with another table using a JOIN.  That is what would work in this case.
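
The join suggested in the replies, written out as an added example that is not part of the original thread: it tags each user's latest sign-in by whether the user is on an approved-users watchlist. The alias `ApprovedUsers`, the `User` column, and all sample rows are assumptions constructed for illustration, and both tables are `datatable` stand-ins so the query runs without a workspace.

```kql
// Constructed stand-in for the watchlist. In Sentinel, replace this
// datatable with: _GetWatchlist('ApprovedUsers')
// ('ApprovedUsers' is a hypothetical alias, 'User' an assumed CSV column).
let ApprovedUsers = datatable(User:string)
[
    "megan@contoso.example",
    "alex@contoso.example"
];
// Constructed stand-in for SigninLogs, reduced to the columns used here.
let Signins = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string)
[
    datetime(2020-10-09 08:00:00), "megan@contoso.example", "192.0.2.10",
    datetime(2020-10-09 08:05:00), "MEGAN@contoso.example", "192.0.2.11",
    datetime(2020-10-09 08:07:00), "sam@contoso.example",   "198.51.100.7",
    datetime(2020-10-09 08:09:00), "alex@contoso.example",  "192.0.2.12"
];
// Join keys are compared case-sensitively, so lower-case both sides first;
// otherwise "MEGAN@..." would silently miss the watchlist entry.
let Approved = ApprovedUsers | project User = tolower(User);
Signins
| extend UserKey = tolower(UserPrincipalName)
// Keep only the most recent sign-in per user.
| summarize arg_max(TimeGenerated, *) by UserKey
// leftouter keeps every sign-in; User is empty when there is no watchlist match.
| join kind=leftouter (Approved) on $left.UserKey == $right.User
| extend Action = iff(isnotempty(User), "on watchlist: no action", "not on watchlist: review")
| project TimeGenerated, UserPrincipalName, IPAddress, Action
```

For a plain membership filter like the `IPList` in the question, the watchlist can replace the dynamic list directly, for example `| where IPAddress in ((_GetWatchlist('IPWL') | project IPAddress))`, assuming the uploaded CSV has an `IPAddress` column.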