Forum Discussion
caitlin2250
Jun 26, 2021 (Copper Contributor)
I am trying to create a watchlist that displays specific alerts from different business units
Here is the query below. I would like to be able to determine which specific business unit server an alert was generated into Azure Sentinel, but I am unable to create a tag that includes a watchlist...
CliveWatson
Jun 30, 2021 (Former Employee)
caitlin2250
This should work. I did note I couldn't use "Team" as a column name but "Team_" worked.
Watchlist used: (screenshot not included in the extracted page)
```kusto
Heartbeat
// Left-outer lookup keeps every Heartbeat row; Team_ stays empty for hosts not in the watchlist
| lookup kind=leftouter _GetWatchlist('UNIT') on $left.Computer == $right.SearchKey
// Per team: matched hosts and their count, plus the unmatched hosts (these land in the row with an empty Team_)
| summarize thoseInaTeam=make_set_if(Computer, isnotempty(Team_)), dcountif(Computer, isnotempty(Team_)), thoseNotInaTeam=make_set_if(Computer, isempty(Team_)), dcountif(Computer, isempty(Team_)) by Team_
```
| Team_ | thoseInaTeam | dcountif_Computer | thoseNotInaTeam | dcountif_Computer1 |
|---|---|---|---|---|
| | [] | 0 | ["TASARINT201201.fabrikamltd.co.uk","THAMLOCFKOM19.fabrikamltd.co.uk","TASARINT201601.fabrikamltd.co.uk","THAMLOCFKARC01.fabrikamltd.co.uk","THAMLOCPFKWVM01.fabrikamltd.co.uk","THAMLOCFKVMM19.fabrikamltd.co.uk","GENETEC201601.fabrikamltd.co.uk","RDS2019.fabrikamltd.co.uk","ATACENTER.fabrikamltd.co.uk","THAMLOCPFKWVM04.fabrikamltd.co.uk","VMRUBUNTU01","GENETEC201602.fabrikamltd.co.uk","WIN10MS-0.fabrikamltd.co.uk","WIN7.fabrikamltd.co.uk","VMW2019VM01.fabrikamltd.co.uk","powlo-signage","powloexpmegan","powloexpmeganc"] | 18 |
| DEV | ["thamlocfkubu01","THAMUKSOBS01"] | 2 | [] | 0 |
| AKS_DEV | ["aks-agentpool-40245457-vmss000009","aks-agentpool-40245457-vmss00000a"] | 2 | [] | 0 |
| AKS_PROD | ["aks-agentpool-40245457-vmss000001","aks-agentpool-40245457-vmss000000"] | 2 | [] | 0 |
| PROD | ["vmrcentos01"] | 1 | [] | 0 |
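As an added example (not Clive's code), the same watchlist lookup applied to SecurityAlert so that each alert is tagged with the business unit of the host it fired on, which is what the original question asked for. It assumes the same watchlist alias 'UNIT' with SearchKey and Team_ columns, and it normalises both sides to a lowercase short host name because the Heartbeat output above shows a mix of FQDNs and bare names, which would otherwise fail to match.

```kusto
// Build the lookup table once: lowercase short name as the key, one row per host.
// take_any() guards against duplicate keys after the domain suffix is stripped,
// since a lookup against duplicate keys would multiply the alert rows.
let units = _GetWatchlist('UNIT')
    | extend HostKey = tolower(tostring(split(SearchKey, ".")[0]))
    | summarize Team_ = take_any(Team_) by HostKey;
SecurityAlert
| where TimeGenerated > ago(7d)
// Entities is a JSON string; expand it so each host entity becomes its own row
| mv-expand Entity = parse_json(Entities)
| where Entity.Type == "host"
| extend HostKey = tolower(tostring(split(tostring(Entity.HostName), ".")[0]))
// Left-outer so alerts on hosts missing from the watchlist are kept, not dropped
| lookup kind=leftouter units on HostKey
// Make the gap visible: an empty Team_ means the watchlist needs updating
| extend Team_ = iff(isempty(Team_), "UNASSIGNED", Team_)
| summarize Alerts = count(),
            AlertNames = make_set(AlertName),
            Hosts = make_set(HostKey)
          by Team_
| order by Alerts desc
```

The UNASSIGNED row is the one to watch: it lists hosts that raise alerts but have no business unit in the watchlist.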
caitlin2250
Jun 30, 2021 (Copper Contributor)
Hi Clive
Thank you very much for the code provided. That is very helpful indeed. I will add the information needed from my end to the code and provide feedback. Much appreciated.