
At the moment the way I search SecurityEvent across all workspaces is to create a function that contains the following search syntax:

union
workspace("workspaceid1").SecurityEvent, workspace("workspaceid2").SecurityEvent, workspace("workspaceid3").SecurityEvent
|where ....

Is there any way we can utilize a Sentinel Watchlist (a list), and then create something like a for loop that will parse all the workspace IDs inside the Watchlist into the search syntax, so that we can search SecurityEvent for all workspaces?

Because with the current method, whenever we have to add a new workspace, we have to add it into the code. I just wanted to know how we can code this better in the Kusto language.

Thank You.

Jaysec
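The union pattern from the question, written up as an added example that is not code from the original post or the answer. `workspace()` only accepts a literal workspace identifier, so the list of workspaces cannot be driven from a watchlist at query time; what a watchlist can do is act as the inventory you check the union function against, so a workspace added to the watchlist but not yet added to the function shows up as missing. The watchlist name `MonitoredWorkspaces`, its `WorkspaceId` column, the function name `MultiWsSecurityEvent` and the three workspace identifiers are assumptions (the IDs are the placeholders from the question):

```kusto
// Added example, not from the original post. Assumptions: a watchlist named
// "MonitoredWorkspaces" exists in the central Sentinel workspace and has an
// item column "WorkspaceId" holding each child workspace GUID; the three
// workspace IDs are the placeholders used in the question.
let MultiWsSecurityEvent = () {
    // isfuzzy=true keeps the union running if one workspace has no
    // SecurityEvent table yet (for example, no agent onboarded there).
    // withsource= records which table each row came from.
    union withsource=SourceTable isfuzzy=true
        workspace("workspaceid1").SecurityEvent,
        workspace("workspaceid2").SecurityEvent,
        workspace("workspaceid3").SecurityEvent
};
// Coverage check: which workspaces listed in the watchlist produced no
// SecurityEvent rows in the last day? TenantId in SecurityEvent holds the
// GUID of the workspace the row was ingested into.
let Covered = MultiWsSecurityEvent()
    | where TimeGenerated > ago(1d)
    | summarize Events = count() by WorkspaceId = tostring(TenantId);
_GetWatchlist('MonitoredWorkspaces')
| project WorkspaceId = tostring(WorkspaceId)
| join kind=leftanti Covered on WorkspaceId
| project MissingWorkspaceId = WorkspaceId
```

An empty result means every workspace in the watchlist is represented in the union; a non-empty result is either a workspace that still needs to be added to the function or a workspace that has stopped sending SecurityEvent data, and both are worth an alert in an MSSP setup.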

1 Answer


Sentinel Watchlists are local to their own workspace. There is a unique treatment behind the scenes to make them work (different time filters, no retention, etc). I will forward this question to the Sentinel team to check if they have an idea.

Thanks, Meir from the Log Analytics product group

MeirM
  • Thanks Meir, to add more context, I’m in an MSSP type of scenario where I search from the Central Sentinel workspace that has access to other organisations' workspaces. We are adding on average 1 workspace per month, and it’s not efficient to keep editing the Union Functions for each table every time we add one. The watchlist is uploaded into the Central Sentinel instance. – Jaysec Dec 17 '20 at 00:55
  • Hi Jason, please contact me over mail. My Microsoft alias is meirm – MeirM Dec 20 '20 at 11:50