Feb 18 2023 11:50 AM
Good day all.
I want to automatically close an incident if the events do not include entries in a watchlist.
I have another playbook that looks at entities and matches them with the entries in the watchlist, and a decision is passed depending on the outcome. This solution works.
However, there are other incidents that do not have entities and I still want to apply the same logic. So I was thinking of creating a playbook that runs the same incident query at incident time and matches the events/results with the watchlist. Using the connector to run a KQL query and list results works, but then I am failing to get the KQL query right. This is what I’m thinking:
let watchlistColumnOfInterest = _GetWatchlist('<watchlist name>') | project <required columns>;
let eventsTable = <incident query at runtime>;
eventsTable
| join kind=inner watchlistColumnOfInterest on column1
Ideally this pseudo code should work, but I am getting errors with the nested let statements.
Please help me out with this logic, or something different that works better.
Thank you.
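One way to shape the query the post is asking for, written here as an added example rather than the poster's own or Microsoft's code. It assumes a watchlist named 'AllowedHosts' with a column 'Hostname', and it stands in for the unknown incident query with a SecurityEvent search over a constructed one-hour window; both are assumptions. All let statements sit at the top level of the query (KQL does not allow a let inside the body of another let, which is the usual cause of "nested let" errors when an analytics rule's own query is pasted in unchanged), the match is normalised to lower case because join compares strings case-sensitively, and the final row carries a single CloseIncident flag that a playbook condition can test.

```kql
// Added example, not the poster's code. Assumed watchlist name and column.
let watchlistHosts = _GetWatchlist('AllowedHosts')
    | project Hostname = tolower(tostring(Hostname));
// Stand-in for the incident's own query; if that query contains its own
// let statements, hoist them up here rather than nesting them.
let incidentEvents = SecurityEvent
    | where TimeGenerated between (datetime(2023-02-18T10:00:00Z) .. datetime(2023-02-18T11:00:00Z))
    | project TimeGenerated, Computer = tolower(Computer), EventID, Account;
incidentEvents
// leftouter keeps every event; Hostname is empty where no watchlist entry matched
| join kind=leftouter watchlistHosts on $left.Computer == $right.Hostname
| summarize TotalEvents = count(), MatchedEvents = countif(isnotempty(Hostname))
// True when none of the incident's events involve a watchlist entry
| extend CloseIncident = MatchedEvents == 0
```

In the playbook, run this with the "Run query and list results" action and branch on the CloseIncident value of the single returned row; keeping TotalEvents in the output lets the condition also refuse to close an incident whose query returned no events at all, which is worth treating as a separate case from "events seen, none on the watchlist".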
Feb 18 2023 07:20 PM
Feb 20 2023 02:21 AM
Feb 20 2023 02:23 AM