articles/sentinel/watchlists-queries.md
Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ ms.collection: usx-security
17
17
18
18
# Build queries or detection rules with watchlists in Microsoft Sentinel
19
19
20
-
Query data in any table against data from a watchlist by treating the watchlist as a table for joins and lookups. When you create a watchlist, you define the *SearchKey*. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches.
20
+
Correlate your watchlist data against any Microsoft Sentinel data with Kusto tabular operators such as `join`and `lookup`. When you create a watchlist, you define the *SearchKey*. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches.
21
21
22
22
For optimal query performance, use **SearchKey** as the key for joins in your queries.
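Review bot: the added line 20 is missing a space after the closing backtick in "`join`and `lookup`", so the operator name and "and" run together when rendered; change it to "`join` and `lookup`", which is how the equivalent new sentence in watchlists.md in this same commit is written. The rest of the hunk only restates the SearchKey definition that was already there, so no other concerns.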
articles/sentinel/watchlists.md
Lines changed: 6 additions & 4 deletions
@@ -22,7 +22,7 @@ Watchlists in Microsoft Sentinel allow you to correlate data from a data source
22
22
23
23
Use watchlists in your search, detection rules, threat hunting, and response playbooks.
24
24
25
-
Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency.
25
+
Watchlists are stored in your Microsoft Sentinel workspace in the `Watchlist` table as name-value pairs and are cached for optimal query performance and low latency.
26
26
27
27
> [!IMPORTANT]
28
28
> The features for watchlist templates and the ability to create a watchlist from a file in Azure Storage are currently in **PREVIEW**. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
@@ -69,9 +69,11 @@ For more information, see the following articles:
69
69
70
70
## Watchlists in queries for searches and detection rules
71
71
72
-
Query data in any table against data from a watchlist by treating the watchlist as a table for joins and lookups. When you create a watchlist, you define the *SearchKey*. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches. For example, suppose you have a server watchlist that contains country/region names and their respective two-letter country codes. You expect to use the country codes often for searches or joins. So you use the country code column as the search key.
72
+
To correlate your watchlist data with other Microsoft Sentinel data, use Kusto tabular operators such as `join` and `lookup` with the `Watchlist` table. Microsoft Sentinel creates two functions in the workspace to help reference and query your watchlists.
73
+
-`_GetWatchlistAlias` - simply returns the aliases of all your watchlists
74
+
-`_GetWatchlist` - queries the name-value pairs of the specified watchlist
73
75
74
-
The following example query joins the `RemoteIPCountry`column in the `Heartbeat` table with the search key defined for the watchlist named `mywatchlist`.
76
+
When you create a watchlist, you define the *SearchKey*. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches. For example, suppose you have a server watchlist that contains country/region names and their respective two-letter country codes. You expect to use the country codes often for searches or joins. So you use the country code column as the search key.
75
77
76
78
```kusto
77
79
Heartbeat
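Review bot: removing line 74 ("The following example query joins the `RemoteIPCountry`column in the `Heartbeat` table with the search key defined for the watchlist named `mywatchlist`.") leaves the ```kusto block that starts with `Heartbeat` with no introduction; the reader now goes straight from the SearchKey paragraph on new line 76 into the query without being told what it joins or which watchlist it uses. Re-add that sentence (with the missing space fixed: "`RemoteIPCountry` column") after new line 76. Also, new lines 73 and 74 begin with "-`_GetWatchlistAlias`" and "-`_GetWatchlist`" with no space after the hyphen, so Markdown will not render them as a bulleted list; write them as "- `_GetWatchlistAlias` - ..." and "- `_GetWatchlist` - ...".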
@@ -90,7 +92,7 @@ Suppose you want to use a watchlist in an analytics rule. You create a watchlist
90
92
|`10.0.150.39,Home`|
91
93
|`172.20.32.117,Work`|
92
94
93
-
To only include events from IP addresses in the watchlist, you might use a query where watchlist is used as a variable or where the watchlist is used inline.
95
+
To only include events from IP addresses in the watchlist, you might use a query where `watchlist` is used as a variable or where the watchlist is used inline.
94
96
95
97
The following example query uses the watchlist as a variable:
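Review bot: formatting `watchlist` as code on new line 95 is fine, but it now reads as a specific identifier, so check that it matches the variable name actually bound in the "uses the watchlist as a variable" example that follows (not visible in this hunk); if the example uses a different name in its `let` statement, the two should be aligned.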