Skip to main content
Create or update a watchlist and it’s items.
External DocumentationTo learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

ParameterDescription
Display NameThe display name of the watchlist.
Item Search KeyThe search key is used to optimize query performance when using watchlists for joins with other data.
ProviderThe provider of the watchlist.
Resource Group NameThe name of the resource group. The name is case insensitive.
SourceThe source of the watchlist.
Subscription IDThe ID of the target subscription.
Watchlist AliasWatchlist alias to upsert. If doesn’t exist, creates the watchlist with the given alias and properties. Otherwise, updates it.
Workspace NameThe name of the workspace.

Advanced Parameters

ParameterDescription
Content TypeThe content type of the raw content.

Note: Only text/csv is valid.
Default DurationThe default duration of a watchlist

Note: Provide a valid ISO 8601 duration format.

For example, P3Y6M4DT12H30M5S Represents a duration of three years, six months, four days, twelve hours, thirty minutes, and five seconds.
DescriptionA description of the watchlist.
EtagThe Etag of the azure resource.
Number Of Lines To SkipThe number of lines in a CSV content to skip before the header.
Raw ContentThe raw content that represents the watchlist items to create.
Tenant IDThe tenant ID where the watchlist belongs to.
Upload StatusThe status of the watchlist upload.
Watchlist IDThe ID of the watchlist.
Watchlist LabelsA comma-separated list of labels relevant to this watchlist.
Watchlist TypeThe type of the watchlist.

Example Output

{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
	"name": "highValueAsset",
	"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
	"type": "Microsoft.SecurityInsights/Watchlists",
	"systemData": {
		"createdAt": "2024-05-28T19:06:07",
		"createdBy": "<string>",
		"createdByType": "<string>",
		"lastModifiedAt": "2021-02-15T20:11:09",
		"lastModifiedBy": "<string>",
		"lastModifiedByType": "<string>"
	},
	"properties": {
		"watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017",
		"displayName": "High Value Assets Watchlist",
		"provider": "Microsoft",
		"source": "Local file",
		"itemsSearchKey": "header1",
		"created": "2020-09-28T00:26:54.7746089+00:00",
		"updated": "2020-09-28T00:26:57+00:00",
		"createdBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"updatedBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"description": "Watchlist from CSV content",
		"watchlistType": "watchlist",
		"watchlistAlias": "highValueAsset",
		"isDeleted": false,
		"labels": [
			"<string>"
		],
		"defaultDuration": "<string>",
		"tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd",
		"numberOfLinesToSkip": 871
	}
}

Workflow Library Example

Create or Update Watchlist with Microsoft Sentinel and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop