Queries for the ConfidentialWatchlist table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Get confidential Watchlist aliases
Gets a distinct list of all confidential Watchlist aliases in a workspace.
ConfidentialWatchlist
| distinct WatchlistAlias
Look up events using a confidential Watchlist
Look up events in the Heartbeat table against data from a Watchlist by treating the confidential Watchlist as a table for joins and lookups.
Heartbeat
| lookup kind=leftouter _GetWatchlist('mywatchlist')
on $left.ComputerIP == $right.SearchKey
| limit 100
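The following is an added example, not part of the original page, showing what the leftouter lookup above returns for matching and non-matching rows. SampleWatchlist, SampleHeartbeat and the Owner and Criticality columns are constructed stand-ins, so the query runs without any workspace data.

```kusto
// Constructed stand-in for the watchlist contents (assumption: two custom columns).
let SampleWatchlist = datatable(SearchKey:string, Owner:string, Criticality:string)
[
    "10.0.0.4", "payments-team", "high",
    "10.0.0.9", "identity-team", "high"
];
// Constructed stand-in for Heartbeat rows.
let SampleHeartbeat = datatable(TimeGenerated:datetime, Computer:string, ComputerIP:string)
[
    datetime(2024-01-01 10:00:00), "web-01", "10.0.0.4",
    datetime(2024-01-01 10:01:00), "web-02", "10.0.0.5",
    datetime(2024-01-01 10:02:00), "dc-01",  "10.0.0.9",
    datetime(2024-01-01 10:03:00), "web-01", "10.0.0.4"
];
SampleHeartbeat
// leftouter keeps every Heartbeat row; watchlist columns stay empty when no SearchKey matches.
| lookup kind=leftouter SampleWatchlist on $left.ComputerIP == $right.SearchKey
// Flag the rows that were enriched by the watchlist.
| extend OnWatchlist = isnotempty(Owner)
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by Computer, ComputerIP, OnWatchlist, Owner, Criticality
| order by OnWatchlist desc, LastSeen desc
```

To keep only hosts that appear on the watchlist, add `| where OnWatchlist` after the `extend` line.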