Query Details

Watchlist NOT in

Query

// Just a simple KQL query to use as a template to use a Watchlist to show where something is NOT in the Watchlist

// Pull the IP column from the watchlist; replace the alias with your own watchlist's alias
let watchlist = _GetWatchlist("Your Watchlist Alias")
| project IP;
// Lookback window for the query
let timeframe = 1d;
// Declared so the template can be extended with an alerting threshold; not applied by the filter below
let threshold = 15;
// Replace TableName with the table that holds the ip column you want to check
TableName
| where TimeGenerated >= ago(timeframe)
// Keep only rows whose ip is NOT present in the watchlist
| where ip !in (watchlist)
| project user, ip, port, SyslogMessage, EventTime

Explanation

This query uses a watchlist to find IP addresses that are not present in it. It declares a timeframe of 1 day and a threshold of 15 (the threshold is declared but not applied by the filter in this template). It then retrieves rows from a table called TableName whose TimeGenerated falls within the timeframe, drops any row whose ip is in the watchlist, and projects the user, ip, port, SyslogMessage, and EventTime columns.
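An added example, not part of the original page, that puts the otherwise unused threshold to work: it counts events per IP that is outside the watchlist and surfaces only IPs whose count exceeds the threshold within the window. The watchlist alias, TableName, and the ip, user, and port column names are the same placeholders the template above assumes.

```kql
// Added example (not from the original page): alert-style variant of the template
// that applies the declared threshold to IPs not found in the watchlist
let watchlist = _GetWatchlist("Your Watchlist Alias")
| project IP;
let timeframe = 1d;
let threshold = 15;
TableName
| where TimeGenerated >= ago(timeframe)
| where ip !in (watchlist)
// Aggregate per unknown IP: event count, users and ports touched, first and last seen
| summarize EventCount = count(),
            Users = make_set(user, 50),
            Ports = make_set(port, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by ip
// Only surface IPs that exceed the threshold inside the lookback window
| where EventCount > threshold
| order by EventCount desc
```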

Details


Rod Trent

Released: January 22, 2021

Tables

TableName

Keywords

Devices, Intune, User, IP, Port, SyslogMessage, EventTime

Operators

let, project, where, in, !in
