cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Pull information from a Watchlist and add it to another table

gsingh_
Copper Contributor

‎Jun 13 2022 08:49 PM

‎Jun 13 2022 08:49 PM

Pull information from a Watchlist and add it to another table

Hi,

I am using a Watchlist having all the usernames and their device names. I would like to get device names and add them to the CommonSecurityLog/CEF table. How can I do it using join or lookup? Please share some thoughts or a query sample.

Note: The CEF logs do have usernames that we can match. 

Thanks

Labels:
413 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by gsingh_ (Copper Contributor)
Gary Bushey

‎Jun 14 2022 04:28 AM

‎Jun 14 2022 04:28 AM

Solution

Re: Pull information from a Watchlist and add it to another table

@gsingh_  You will not be able to add the data to the other tables as there is no feature within KQL to add data to a table, only look at data.

 

If you want to do a join to look at data, you can do something like:

let watchListTable = _GetWatchlist('Watchlist');
CommonSecurityLog
| join watchListTable on $left.key == $right.key

0 Likes
Reply
gsingh_

‎Jun 14 2022 06:01 PM

‎Jun 14 2022 06:01 PM

Re: Pull information from a Watchlist and add it to another table

thanks, Gary. I agree the watchlist is not going to solve the purpose. The actual requirement is to get the endpoints hostname/device name added to each of the user accounts in the CEF table.
I enabled DeviceInfo events (Under Microsoft 365 Defender Connector) as it contains Device Name as well as user accounts. Tried joining both tables on Account but got excessive events.

Something similar to the below query where I am monitoring Blocked Events with a Risk Score > 50.

let CEF = CommonSecurityLog
| where TimeGenerated >= ago(1d)
| where Action == "Blocked"
| where File_Type != "None"
| where Risk_Score>=50
| summarize Count = count() by File_Type, TimeGenerated, SourceConnector, SourceUserPrivileges, UserDept, Target_URL, File_Accessed, File_Type, Response,Action, SourceIP, DestinationIP, Attack_Type, Attack_Name, Account
| order by Count desc;
let HostInfo = DeviceInfo
| extend DeviceName, Account;
CEF
| join kind=leftouter HostInfo on Account | project-away Account1
| project Count, DeviceName, Account, TimeGenerated, SourceConnector, SourceUserPrivileges, UserDept, Target_URL, File_Accessed, File_Type, Response, Action, SourceIP, DestinationIP, Attack_Type, Attack_Name
0 Likes
Reply