Create or update a watchlist item.
External Documentation: To learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

| Parameter | Description |
| --- | --- |
| Items Key Value | A JSON object that contains key-value pairs for a watchlist item. An example follows this table. |
| Resource Group Name | The name of the resource group. The name is case insensitive. |
| Subscription ID | The ID of the target subscription. |
| Watchlist Alias | The watchlist alias. |
| Watchlist Item ID | The ID of the watchlist item to create or update. Note: To create a new watchlist item, a new generated GUID is required. |
| Workspace Name | The name of the workspace. |

Example Items Key Value:

{
	"Gateway subnet": "10.0.255.224/27",
	"Web Tier": "10.0.1.0/24",
	"Business tier": "10.0.2.0/24",
	"Data tier": "10.0.2.0/24",
	"Private DMZ in": "10.0.0.0/27",
	"Public DMZ out": "10.0.0.96/27"
}

Advanced Parameters

| Parameter | Description |
| --- | --- |
| Entity Mapping | A JSON object that represents a key-value map for a watchlist item entity mapping. |
| Etag | The Etag of the Azure resource. |
| Properties Watchlist Item ID | The ID of the created or updated watchlist item. |
| Tenant ID | The tenant ID to which the watchlist belongs. |
| Watchlist Item Type | The type of the created or updated watchlist item. |

Example Output

{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/82ba292c-dc97-4dfc-969d-d4dd9e666842",
	"etag": "0300bf09-0000-0000-0000-5c37296e0000",
	"type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems",
	"properties": {
		"watchlistItemType": "watchlist-item",
		"watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842",
		"tenantId": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea",
		"isDeleted": false,
		"created": "2020-11-15T04:58:56.0748363+00:00",
		"updated": "2020-11-16T16:05:20+00:00",
		"createdBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"updatedBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"itemsKeyValue": {
			"Gateway subnet": "10.0.255.224/27",
			"Web Tier": "10.0.1.0/24",
			"Business tier": "10.0.2.0/24",
			"Data tier": "10.0.2.0/24",
			"Private DMZ in": "10.0.0.0/27",
			"Public DMZ out": "10.0.0.96/27"
		}
	}
}
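
The following Python check is an added example, not part of the original page or of the product's own code. It validates the action's inputs before they are submitted: it rejects curly quotes in Items Key Value, generates a GUID when creating an item, and warns when two entries cover overlapping address ranges. The function name `prepare_watchlist_item` is hypothetical, and the code assumes every value is a CIDR range, as in the page's example.

```python
import ipaddress
import json
import uuid

# Resource ID layout taken from the "id" field in the Example Output above.
ID_TEMPLATE = (
    "/subscriptions/{sub}/resourceGroups/{rg}/providers/"
    "Microsoft.OperationalInsights/workspaces/{ws}/providers/"
    "Microsoft.SecurityInsights/Watchlists/{alias}/WatchlistItems/{item}"
)

# Constructed sample: the page's Items Key Value example with straight quotes.
SAMPLE_ITEMS = json.dumps({
    "Gateway subnet": "10.0.255.224/27", "Web Tier": "10.0.1.0/24",
    "Business tier": "10.0.2.0/24", "Data tier": "10.0.2.0/24",
    "Private DMZ in": "10.0.0.0/27", "Public DMZ out": "10.0.0.96/27",
})


def prepare_watchlist_item(items_json, sub, rg, ws, alias, item_id=None):
    """Hypothetical pre-flight check: returns (resource_id, items, warnings)."""
    # Curly quotes from rich-text editors make the JSON unparseable.
    if "\u201c" in items_json or "\u201d" in items_json:
        raise ValueError("Items Key Value has curly quotes; use straight quotes")
    items = json.loads(items_json)
    if not isinstance(items, dict) or not items:
        raise ValueError("Items Key Value must be a non-empty JSON object")

    # Create: generate a fresh GUID. Update: the supplied ID must parse as one.
    item_id = str(uuid.uuid4()) if item_id is None else str(uuid.UUID(item_id))

    warnings, seen = [], []
    for key, value in items.items():
        # Assumption: every value is a CIDR range, as in the page's example.
        if not isinstance(value, str):
            raise ValueError(f"{key!r}: expected a CIDR string")
        net = ipaddress.ip_network(value, strict=True)  # rejects host bits
        for other_key, other_net in seen:
            if net.overlaps(other_net):
                warnings.append(f"{key!r} overlaps {other_key!r} ({net})")
        seen.append((key, net))

    rid = ID_TEMPLATE.format(sub=sub, rg=rg, ws=ws, alias=alias, item=item_id)
    return rid, items, warnings


if __name__ == "__main__":
    rid, _, warns = prepare_watchlist_item(
        SAMPLE_ITEMS, "<subscription-id>", "myRg", "myWorkspace", "highValueAsset")
    print(rid, *warns, sep="\n")
```

Run against the page's sample data, the check reports that "Data tier" and "Business tier" both map to 10.0.2.0/24, the kind of duplicate that makes watchlist lookups in detection rules ambiguous.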

Workflow Library Example

Create or Update Watchlist Item with Microsoft Sentinel and Send Results Via Email