Oct 08 2020 06:36 AM
Hi,
Just starting to look at watchlists and was wondering how to use them instead of the following:
Oct 09 2020 12:32 AM
You can use it in many ways, perhaps like this?
// Look in the conf access watchlist for the user name (User column) and compare it to the UserPrincipalName in AAD SigninLogs
//
_GetWatchlist('Confidential-Access')
| join
(
    SigninLogs
    | summarize arg_max(TimeGenerated, *) by UserPrincipalName
) on $left.User == $right.UserPrincipalName
or
// Use watchlist like a Table
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| count
// Use watchlist like a Table
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| where User startswith "megan"
Oct 09 2020 05:00 AM
@tipper1510 To use a watchlist, you need to have the values in a text file like a CSV file. You then upload that file into the Watchlist. You will be asked for a Name, Description, and an alias. You use the alias in the commands that @CliveWatson posted and then you can use it just like any other table. The link he posted is very useful as well.
You can think of this as a way to replace a lot of the externdata calls.
Oct 09 2020 09:22 AM
Many thanks for your reply.
Still learning KQL, how could I use a watchlist for, say, a set of approved users, and then use it across another table, and if they exist there and on the watchlist, then do something else, some other action?
Regards,
Tim
Oct 10 2020 06:58 AM
@tipper1510 One of @CliveWatson's replies had a listing for using a watchlist with another table using a JOIN. That is what would work in this case.
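The join-based approach the replies point to, written out as an added example that is not from any of the posters: it assumes a watchlist with the alias 'Approved-Users' whose 'User' column holds a user principal name (both are assumptions, not values from the thread) and reads the standard SigninLogs table. A left outer join keeps every sign-in and marks which ones matched the watchlist, so the "do something else" step becomes a column the rest of the query can branch on.

```kql
// Added example (not from the thread).
// Assumed watchlist alias 'Approved-Users' with a 'User' column of UPNs.
let approved = _GetWatchlist('Approved-Users')
    | project ApprovedUser = tolower(User);      // normalise case before matching
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                        // successful sign-ins only (ResultType is a string)
| extend UPN = tolower(UserPrincipalName)
| join kind=leftouter approved on $left.UPN == $right.ApprovedUser
| extend IsApproved = isnotempty(ApprovedUser)   // empty when the UPN is not on the watchlist
| extend Action = iff(IsApproved, "allow", "review")
| summarize SignIns = count(), Apps = make_set(AppDisplayName) by UPN, IsApproved, Action
| order by IsApproved asc, SignIns desc          // unapproved sign-ins first
```

Swapping `kind=leftouter` for `kind=leftanti` drops the extend/iff step and returns only the sign-ins with no watchlist match, which is the usual shape for an analytics rule that should fire on users outside the approved set; `kind=inner` gives the opposite, only the approved users who actually signed in.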