Microsoft Tech Community

Wildcard filtering using a watchlist

Hey all,


I'm trying to do something like the below:

| where Dest !endswith ((_GetWatchlist('watchlist') | project Dest))


However I get an error saying that "StringNotEndsWith operator requires string arguments" :smile:


Any idea how to search a watchlist like this?? Many thanks in advance.

4 Replies

@ChristopherKerry !endswith is looking for a string value and you are passing in a table (which is what _GetWatchlist returns).


Not sure how you would actually be able to do what you are attempting. Does your watchlist only have a single row?


Thanks Gary,

No, it's got multiple rows. I had a look at has_any, which seems similar to a contains but over multiple rows, but unfortunately there's not a version of !has_any.
best response confirmed by ChristopherKerry (Copper Contributor)

@ChristopherKerry Try surrounding the entire expression with not() as in

| where not(ComputerIP has_any(""))

@Gary Bushey 

That worked! Thanks Gary

For anyone trying to do the same thing - the resulting query looked like this:


| where not(Dest has_any ((_GetWatchlist('watchlist') | project Dest)))
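An added example, not part of the original thread: has_any matches whole terms anywhere in the string, so it is not equivalent to the !endswith test in the original question. One way to exclude rows by a true suffix match against every row of a list is shown below; the table names, column values and suffixes are constructed sample data, and in Sentinel the list would come from _GetWatchlist('watchlist') | project Dest as in the thread.

```kusto
// Constructed stand-in for: _GetWatchlist('watchlist') | project Dest
let Suffixes = datatable(Dest:string) [
    ".corp.example",
    ".partner.example"
];
// Constructed sample events; replace with the real source table.
let Events = datatable(TimeGenerated:datetime, Dest:string) [
    datetime(2023-12-01 10:00:00), "app.corp.example",
    datetime(2023-12-01 10:01:00), "corp.example.unrelated.test",
    datetime(2023-12-01 10:02:00), "files.partner.example",
    datetime(2023-12-01 10:03:00), "other.test"
];
// Collapse the list into one dynamic array so it can be used per row.
let SuffixList = toscalar(Suffixes | summarize make_list(Dest));
Events
// For each event, expand the suffix list and count how many suffixes
// the Dest value actually ends with.
| mv-apply Suffix = SuffixList to typeof(string) on (
    summarize SuffixHits = countif(Dest endswith Suffix)
  )
// Keep only events whose Dest ends with none of the listed suffixes.
| where SuffixHits == 0
| project TimeGenerated, Dest
```

The per-row expansion costs more than has_any on large tables, so apply time and source filters before the mv-apply step.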