Using Watchlists in Sentinel

I'm beating my head against using a watchlist in Sentinel and can't figure out where I'm going wrong.

My goal is to find logon activity for our privileged accounts. I've created a watchlist called "2020-12-22-admin-accounts" that has a single column named "admin-account". Each value is a user name.

Every time I try to run the below, I get an error "join: both sides of equality should be column entities only". What am I missing here?

_GetWatchlist('2020-12-22-admin-accounts')
| join (
    SecurityEvent
    | where EventID == 4624
) on $left.admin-account == $right.TargetUserName

@mdpuckett 

Figured it out, I needed to refer to the column differently.

_GetWatchlist('2020-12-22-admin-accounts')
| join (
    SecurityEvent
    | where EventID == 4624
) on $left.['admin-account'] == $right.TargetUserName   // hyphenated column names must be quoted with ['...']