The UserName field is set as the account entity. → Yes
The watchlist cannot be updated after it is created. → No
The IPList variable is set as the IP address entity. → No
In Microsoft Sentinel analytics rules, entity mapping is done by assigning special alias fields in the query result such as AccountCustomEntity, HostCustomEntity, and IPCustomEntity. In the provided KQL, the final line explicitly maps AccountCustomEntity = UserName and HostCustomEntity = Computer, which sets UserName as the account entity and Computer as the host entity.

No mapping is provided for an IP entity. The query defines let IPList = _GetWatchlist('Bad_IPs'); to retrieve a watchlist named Bad_IPs and then uses it only for filtering (SourceIP in (IPList) or DestinationIP in (IPList)). Because IPList is a lookup set used for comparison and is never assigned to IPCustomEntity, it is not set as the IP address entity.

Additionally, Microsoft Sentinel watchlists are editable: you can upload new files, append, or replace data after creation, so the statement that a watchlist cannot be updated is false.
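The following is an added illustration, not the exam question's own query: it reconstructs the rule described above from the fragments quoted in the explanation and then adds the IP entity mapping that the original rule lacks. The source table name (NetworkEvents_CL), its column set, the one-hour lookback, and the assumption that the Bad_IPs watchlist stores the address in its SearchKey column are all assumptions for the example.

```kql
// Added example, not the original rule. Assumptions: events live in a table
// named NetworkEvents_CL (placeholder) with columns TimeGenerated, UserName,
// Computer, SourceIP and DestinationIP; the Bad_IPs watchlist keeps the
// address in its SearchKey column.
//
// The watchlist is collapsed into a dynamic array so that `in (IPList)` can be
// used both in the `where` filter and inside `iff()` below. _GetWatchlist()
// returns several columns, and `in` needs a single column or a scalar set.
let IPList = toscalar(_GetWatchlist('Bad_IPs') | summarize make_set(SearchKey));
NetworkEvents_CL
| where TimeGenerated > ago(1h)
// Same filter as the original rule: IPList is only a comparison set here, so
// on its own this line maps no entity at all.
| where SourceIP in (IPList) or DestinationIP in (IPList)
// Pick the address that actually matched the watchlist so one IP entity can
// be mapped per alert instead of guessing between source and destination.
| extend MatchedIP = iff(SourceIP in (IPList), SourceIP, DestinationIP)
| project TimeGenerated, UserName, Computer, SourceIP, DestinationIP, MatchedIP
// Entity mapping via the alias fields the explanation describes:
//   AccountCustomEntity and HostCustomEntity are what the original rule sets;
//   IPCustomEntity is the addition that makes the matched address an entity.
| extend AccountCustomEntity = UserName,
         HostCustomEntity    = Computer,
         IPCustomEntity      = MatchedIP
```

With IPCustomEntity populated, the resulting incident carries the flagged address as an investigable entity alongside the account and host, rather than leaving it buried in the raw event columns.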