Search code examples
kqlwindows-defender

KQL How to find rows in table based on list

The below code gives the error: A recognition error occurred

let vips = datatable (name: string)
['xxxx',
 'yyyy',
 'zzzz',
 'gggg'];
DeviceLogonEvents  
| where AccountName  in~ (vips)
| summarize by DeviceName
| summarize vippc = make_list(DeviceName)
DeviceAlertEvents
| where DeviceName in (vippc)

Any suggestions how I can search for the items in the list vippc in the DeviceAlertEvents in the column DeviceName?

Solution

  • you could try this:

    let vips = datatable(name: string)
[
 'xxxx',
 'yyyy',
 'zzzz',
 'gggg'
]
;
let vippc = 
   DeviceLogonEvents  
   | where AccountName  in~ (vips)
   | distinct DeviceName
;
DeviceAlertEvents
| where DeviceName in (vippc)