How to: Azure Sentinel Watchlist KQL Basics

A common Watchlist question: Once you import a Watchlist into Azure Sentinel, how do you use the information provided?

Here are some examples of how to use Watchlists in your KQL queries and Analytics Rules. In my lists, I have a Watchlist called “FeodoTracker,” and in that Watchlist there’s a data column called “DstIP.” Replace FeodoTracker with your own Watchlist name and DstIP with your own data column name.

Watchlist as a variable, in list

The following query first defines the Watchlist variable (the ‘let’ statement) as the set of IP addresses in the DstIP data column of the Watchlist. It then queries the Heartbeat table and keeps only the rows whose ComputerIP appears in that set.

let watchlist = (_GetWatchlist('FeodoTracker') | project DstIP);
Heartbeat
| where ComputerIP in (watchlist)

Watchlist as a variable, not in list

Same as the first query, but this one keeps only the Heartbeat rows whose IP address DOES NOT appear in the Watchlist.

let watchlist = (_GetWatchlist('FeodoTracker') | project DstIP);
Heartbeat
| where ComputerIP !in (watchlist)

Watchlist inline with the query, in list

Instead of using the ‘let’ statement to define the variable ahead of time, the following query reads the Watchlist inline, at query runtime, and keeps the rows whose IP address appears in it.

Heartbeat
| where ComputerIP in (
(_GetWatchlist('FeodoTracker')
| project DstIP)
)

Watchlist inline with the query, not in list

Like the inline check in the previous query, this one reads the Watchlist at query runtime and keeps the rows whose IP address DOES NOT appear in it.

Heartbeat
| where ComputerIP !in (
(_GetWatchlist('FeodoTracker')
| project DstIP)
)
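An added example (not from the original post): the same Watchlist check written as a join instead of an in() filter, which keeps each matching Watchlist row alongside the Heartbeat row and then summarizes per host so the result can feed an Analytics Rule. It assumes the same FeodoTracker Watchlist and DstIP column as above; the 1-day lookback window is an assumption.

```kql
// Added example, not from the original post.
// Assumes a Watchlist named "FeodoTracker" with a "DstIP" column (as above).
// Project and rename the Watchlist column so it does not collide with
// Heartbeat column names after the join.
let watchlist = _GetWatchlist('FeodoTracker')
    | project WatchlistIP = DstIP;
Heartbeat
| where TimeGenerated > ago(1d)          // lookback window (assumption)
// inner join: only Heartbeat rows whose ComputerIP is in the Watchlist survive
| join kind=inner watchlist on $left.ComputerIP == $right.WatchlistIP
// one row per host: when it was first and last seen, and how many heartbeats
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            HeartbeatCount = count()
    by Computer, ComputerIP
| order by LastSeen desc
```

The Computer and ComputerIP output columns can be mapped to Host and IP entities when this query is saved as an Analytics Rule.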
