How to create a whitelist with two fields in KQL with a Watchlist?
I need to make a query that checks if an event doesn't match two fields from a watchlist. Context: I have a watchlist with two fields, one is a user email and other is a country code, this allows me to ignore events from users who are in an specific country and I don't need to see.
I know how to validate watchlists with one single field:
| where Username !in (_GetWatchlist("query_WL")|project Username)
I am translating queries from Splunk, but this logic doesn't work at all:
Splunk:
| search NOT [ | inputlookup query_WL.csv | fields Username CountryCode]
KQL
| where Username !in (_GetWatchlist("query_WL")|project Username) and CountryCode !in (_GetWatchlist("query_WL")|project CountryCode)
This is blowing my mind, I don't know how to do the same in KQL.
Solution
You could anti-join the fields UserName and CountryCode:
let Blacklist = datatable(
UserName: string,
CountryCode: string
)
[
"John", "DE",
"John", "US"
];
let Data = datatable(
UserName: string,
CountryCode: string
)
[
"John", "DE",
"John", "US",
"Mat", "DE",
"William", "UK",
];
Data
| join kind = anti(Blacklist) on UserName, CountryCode
Result:
Find sample Code here.
- Kusto make-series by month
- KQL merge rows with the same ID into one row
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Bin producing unexpected results
- How to create a whitelist with two fields in KQL with a Watchlist?
- KQL Query for Calculation of ErrorDuration within Timespan
- Add text to point(s) in Kusto linechart
- Kusto query with multiple sample values from an aggregate
- How to get data for specific date (startofweek) in a given time range in KQL?
- How can I convert TimeGenerated to TimeIngested in this KQL query for an Azure Workbook?
- multiple if and else within kql azure
- Controlling scatter chart markers in Azure Data Explorer dashboard using KQL
- Monitor HTTP traffic for Azure Web App using Log analitics and KQL query
- Defining external table kind as delta
- Kusto query map through array
- how to use or condition in kql
- KQL: Every time a word is mentioned in a column append it to a new column as a list
- KQL: Create an id column every time a value changes in column x ordered by another column y
- KQL query returns available memory but not Total Memory
- Display lines & values for whole range of y-axis values in Kusto linechart
- Kusto - fetch data from one table where matching records do not exist in another table
- KQL - extract property value from an array of JSON objects, based on the value of another property
- Defender Advance Query
- Calculation of outlier score in series_outlier method
- How to get Azure Advisor scores from azure resource graph explorer?
- KQL: How to reference columns within a let query in the next query
- KQL Query works in advanced hunting but fails when made into a detection rule
- Creating KQL query to get Azure VMs not patched since 30days
- Create a function to calculate power of tens with a loop and reuse them in another query