Microsoft Tech Community

How to use a watchlist instead of a dynamic list

Hi,

Just starting to look at watchlists and was wondering how to use one instead of the following:

let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.91.48.210","46.255.230.229"]);

// same name, now backed by the 'IPWL' watchlist instead of the hard-coded list
let IPList = _GetWatchlist('IPWL');

Regards,

Tim
@tipper1510 

 

You can use it in many ways, perhaps like this?

// Look in conf access watch list for user name (User column) and compare to the UserPrincipalName in AAD SigninLogs
//
_GetWatchlist('Confidential-Access')
| join 
(
    SigninLogs 
    | summarize arg_max(TimeGenerated,*) by  UserPrincipalName
) on $left.User == $right.UserPrincipalName


or

// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| count

 

// Use watchlist like a Table 
let conf_ = _GetWatchlist('Confidential-Access');
conf_
| where User startswith "megan"

 

See also https://secureinfra.blog/2020/10/07/how-to-obtain-and-import-data-into-the-azure-sentinel-watchlist-...

@tipper1510 To use a watchlist, you need to have the values in a text file like a CSV file.  You then upload that file into the Watchlist.  You will be asked for a Name, Description, and an alias.  You use the alias in the commands that @CliveWatson posted and then you can use it just like any other table.  The link he posted is very useful as well.

 

You can think of this as a way to replace a lot of the externdata calls.

@CliveWatson 

Many thanks for your reply.

 

Still learning KQL. How could I use a watchlist for, say, a set of approved users, then use it across another table, and if they exist there and on the watchlist, do something else, some other action?

 

Regards,

 

Tim

@tipper1510 One of @CliveWatson's replies had a listing for using a watchlist with another table using a JOIN.  That is what would work in this case.
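Pulling the thread together, here is an added example (my own, not code from Clive or Tim) covering both uses discussed: the dynamic IP list from the question replaced by the watchlist, and an approved-users watchlist joined to SigninLogs as in Clive's reply. The column name IpAddress in 'IPWL', and the second watchlist 'ApprovedUsers' with its User column, are assumptions about how the CSVs were uploaded.

```kql
// Added example (not from the thread). Two separate queries; run each on its own.
// Assumed: watchlist 'IPWL' has an IpAddress column; watchlist 'ApprovedUsers'
// has a User column holding UPNs. Neither column name comes from the posts.

// Query 1: replace the hard-coded dynamic([...]) IP list with the watchlist.
//          'in' accepts a single-column tabular expression, so project the IP column.
let IPList = _GetWatchlist('IPWL') | project IpAddress;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DestinationIP in (IPList)
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by DestinationIP, DeviceVendor, DeviceProduct

// Query 2: approved-users watchlist joined to SigninLogs (the JOIN pattern from the reply).
//          A leftouter join keeps every sign-in; rows that match the watchlist get the
//          right-side key populated (User1), which yields an IsApproved flag to act on.
//          Here the "other action" is surfacing successful sign-ins by accounts NOT on the list.
let Approved = _GetWatchlist('ApprovedUsers') | project User = tolower(User);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                      // successful sign-ins only
| extend User = tolower(UserPrincipalName)     // normalise case before matching
| join kind=leftouter Approved on User
| extend IsApproved = isnotempty(User1)        // User1 is the watchlist-side key after the join
| where not(IsApproved)
| summarize SigninCount = count(), Apps = make_set(AppDisplayName), IPs = make_set(IPAddress)
    by User
```

Swap `where not(IsApproved)` for `where IsApproved` to act on the users that are on the list instead, or drop the filter and summarize by IsApproved to see both populations side by side.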