KQL: Closing an incident if the events do not include entries in a Watchlist


Good day all. 

I want to automatically close an incident if the events do not include entries in a watchlist. 

I have another playbook that looks at entities and matches them with the entries in the watchlist, and a decision is passed depending on the outcome. This solution works. 

However, there are other incidents that do not have entities, and I still want to apply the same logic. So I was thinking of creating a playbook that runs the same incident query at incident time and matches the events/results with the watchlist. Using the connector to run a KQL query and list results works, but I am failing to get the KQL query right. This is what I'm thinking:

let watchlistcolumnofinterest = <get watchlist and project required columns>;
let eventstable = <incident query at runtime>;
eventstable
| join watchlistcolumnofinterest on column1

Ideally this pseudocode should work, but I am getting errors with the nested let statements.

Please help me out with this logic, or something different that works better. 

Thank you. 

3 Replies
Your pseudocode is a little hard to follow without the full context of what you're trying to accomplish. Would you mind sharing the actual query, and the original query you're basing it off of? Obviously obfuscate anything that would be deemed proprietary to your organization (such as the watchlist itself), but I think having both queries would help us determine the source of your errors.


Thanks in advance!

@gcorsini

Thank you for getting back to me.
Here is the full code ***I have removed the subscription and resource names***

[Screenshot: LeenoldTN_0-1676888504057.png, the full playbook query; not reproduced in text]

The Alert Query also has 'let' statements, so it creates errors when I try and run them.
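One way to get past the nested-let problem described in the question and in the last reply is to wrap the alert query in a parameterless KQL function: a function body may contain its own let statements, whereas pasting that body directly into a top-level `let x = ...;` does not parse. The query below is an added example, not the original poster's query or any Microsoft sample; the watchlist name `HighValueAssets`, its `HostName` column, the `SecurityEvent` table, the event IDs and the `MatchedEvents` output name are all assumptions for illustration and must be replaced with the real alert query and watchlist.

```kql
// Added example (not the poster's code). Assumed watchlist 'HighValueAssets'
// with a column 'HostName'; the alert query is assumed to run over SecurityEvent.
let watchlistHosts = _GetWatchlist('HighValueAssets')
    | project HostName = tostring(HostName);
// The alert query keeps its own let statements because it lives inside a
// function body. This is what fails when it is pasted straight into a top-level let.
let eventstable = () {
    let lookback = 1h;                          // assumed lookback window
    let interestingEvents = dynamic([4625, 4648]); // assumed event IDs
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (interestingEvents)
    | project TimeGenerated, Computer, EventID, Account
};
// leftsemi keeps only the event rows whose host is in the watchlist, so the
// count below is the number of events that touch a watchlisted host.
eventstable()
| join kind=leftsemi watchlistHosts on $left.Computer == $right.HostName
| summarize MatchedEvents = count()
// The playbook's condition step closes the incident when MatchedEvents == 0.
```

Two caveats for the playbook: the Run KQL query action evaluates the query at playbook time, not at alert time, so the function's lookback must cover the period the original analytics rule used or events that fired the alert may have aged out; and `_GetWatchlist` only returns results when the query runs in the workspace that holds the watchlist, so the connector must target that workspace.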