Queries for the Watchlist table

Article
02/20/2024

Get Watchlist aliases

Gets a distinct list of all Watchlist aliases in a workspace.

Watchlist
| where _DTItemType == "Watchlist"
| where _DTTimestamp > ago(5d)
| distinct WatchlistAlias

Lookup events using a Watchlist

Lookup events in Heartbeat table against data from a Watchlist by treating the Watchlist as a table for joins and lookups.

Heartbeat
| lookup kind=leftouter _GetWatchlist('mywatchlist')
 on $left.ComputerIP == $right.SearchKey
 | limit 100

Feedback

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.

Submit and view feedback for

This product This page

View all page feedback

Share via

Queries for the Watchlist table

Get Watchlist aliases

Lookup events using a Watchlist

Feedback

Feedback

Additional resources