Watchlist LEQL query?

Is it possible to get the watchlist as a query option for the IDR search? For example, I want to search web proxy logs for users in the watchlist that download or visit category sites, something like `where(users in Watchlist AND http_method=get)`. Just something to expand the functionality of the watchlist, because then I could build dashboards using the queries, so I don't have to manually run multiple queries for these users or have the users in the actual queries.

Hello! While you can’t tie into your Watchlist dynamically, we did recently release LEQL functionality that allows you to create variables that can be used to reference a list. That way you can create a variable that includes all those risky users, and then create queries and dashboards to reference it. Again, it will not automatically update as your Risky User list changes, but could be a way to get some of that visibility.

2 Likes

Awesome, thanks for that. Definitely a step in the right direction.