Querying Watchlists

image

special thanks to @Ofer_Shezaf for showing me the new function call.

Watchlists

Watchlists are a feature of Microsoft Sentinel that provide great flexibility and useability.  They allow for user-defined tables that can be used in KQL queries to provide additional data.  By uploading data using CSV files, users control the data that are in the watchlists and that data can be modified and new rows added as needed.

Watchlists provide a “searchkey” field that is unique across the watchlist and can be used to reference an individual row as discussed below.

Querying Watchlists

The Microsoft Sentinel portal UI provides a way to query the watchlist in the logs watchlist.  You can select the watchlist and then click on the “View in Logs” button.  This will then transfer the user to Logs, or Advanced Hunting if using Unified SOC Platform, and will execute the following command:

_GetWatchlist('')

This will load the entire watchlist and return all the rows.   While this works fine for most of the applications, if your watchlist is very large, it could cause a timeout issue depending on the rest of the KQL query.

For those cases, use the “_ASIM_GetWatchlistRaw” function to return specific rows.   It takes two parameters: The Workbook name and a dynamic list of the values for the “searchkey” column that will be used to determine which rows to return.

The example below demonstrates use this function:

let Users = dynamic(["User1@contoso.com", "user1@contoso.com"]);
_ASIM_GetWatchlistRaw('VIP',Users)
| evaluate bag_unpack(WatchlistItem)

Note the call to “evaluate bag_unpack(WatchlistItem)” at the end.  This is needed to expand the raw information that is stored in the watch list rows into the same format you get using “_GetWatchlist”

 

This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.