I am trying to create a watchlist that displays specific alerts from different business units
I'm using a Union rather than a join or a lookup (like in the previous examples), which skips the need to have case equality (where both the data in the Watchlist and the Computer have to be upper or lowercase for a Join/lookup to match them).
The query is essentially the same (you can replace the summarize line with whatever suits your use case).
The server highlighted in the red box is all upper case in the Heartbeat table, but in the unit watchlist I made the "tham" characters lowercase to prove that you can union a mix of upper/lower cases. The server is now in the "thoseInaTeam" column as thamUKSOBS01 was matched with THAMUKSOBS01 and it was recognised as a DEV team server, regardless of its case sensitivity.
I hope this helps.
FYI, there is a KQL course, and you can access the modules from the course from within the portal (the modules have lots of great examples); see below.
Also, Module 7 of the Azure Sentinel training: Become an Azure Sentinel Ninja: The complete level 400 training - Microsoft Tech Community
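
A sketch of the union approach described in the reply above, added here as an example; it is not the poster's query, which is not shown on the page. The two `datatable` inputs are constructed stand-ins for the Heartbeat table and the unit watchlist, and the `toupper()` normalisation before `summarize` is an assumption about how the mixed-case rows end up grouped together.

```kql
// Constructed sample rows standing in for the Heartbeat table.
let SampleHeartbeat = datatable(Computer:string, TimeGenerated:datetime)
[
    "THAMUKSOBS01", datetime(2021-01-01 10:00:00),
    "THAMUKSOBS01", datetime(2021-01-01 10:05:00),
    "OTHERSERVER01", datetime(2021-01-01 10:07:00)
];
// Constructed sample rows standing in for the unit watchlist
// (in a workspace this would come from _GetWatchlist with your own alias).
let SampleWatchlist = datatable(Computer:string, Team:string)
[
    "thamUKSOBS01", "DEV"
];
union
    (SampleHeartbeat | extend Source = "Heartbeat"),
    (SampleWatchlist | extend Source = "Watchlist")
// Assumption: fold the name to one case so both spellings share a group key.
| extend ComputerKey = toupper(Computer)
| summarize
    LastHeartbeat = max(TimeGenerated),
    // Heartbeat rows have an empty Team after the union; take the watchlist value.
    Team = take_anyif(Team, isnotempty(Team)),
    HeartbeatRows = countif(Source == "Heartbeat"),
    WatchlistRows = countif(Source == "Watchlist")
    by ComputerKey
// Keep only computers that appear in both sources (the equivalent of an inner join).
| where HeartbeatRows > 0 and WatchlistRows > 0
| summarize thoseInaTeam = make_set(ComputerKey), LastSeen = max(LastHeartbeat) by Team
```

With the sample rows, the result is a single DEV row whose `thoseInaTeam` set contains THAMUKSOBS01; OTHERSERVER01 is dropped because it has no watchlist entry.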