Manage watchlists in Microsoft Sentinel
We recommend you edit an existing watchlist instead of deleting and recreating a watchlist. Log analytics has a five-minute SLA for data ingestion. If you delete and recreate a watchlist, you might see both the deleted and recreated entries in Log Analytics during this five-minute window. If you see these duplicate entries in Log Analytics for a longer period of time, submit a support ticket.
Edit a watchlist item
Edit a watchlist to edit or add an item to the watchlist.
Go to the Azure portal, under Configuration, select Watchlist.
Select the watchlist you want to edit.
On the details pane, select Update watchlist > Edit watchlist items.
To edit an existing watchlist item,
Select the checkbox of that watchlist item.
Edit the item.
Select Save.
Select Yes at the confirmation prompt.
To add a new item to your watchlist,
Select Add new.
Fill in the fields of the Add watchlist item panel.
At the bottom of that panel, select Add.
Bulk update a watchlist
When you have many items to add to a watchlist, use bulk update. A bulk update of a watchlist appends items to the existing watchlist. Then, it de-duplicates the items in the watchlist where all the value in each column match.
If you've deleted an item from your watchlist file and upload it, bulk update won't delete the item in the existing watchlist. Delete the watchlist item individually. Or, when you have a lot of deletions, delete and recreate the watchlist.
The updated watchlist file you upload must contain the search key field used by the watchlist with no blank values.
To bulk update a watchlist,
Go to the Azure portal, under Configuration, select Watchlist.
Select the watchlist you want to edit.
On the details pane, select Update watchlist > Bulk update.
Under Upload file, drag and drop or browse to the file to upload.
If you get an error, fix the issue in the file. Then select Reset and try the file upload again.
Select Next: Review and update > Update.
Related content
To learn more about Microsoft Sentinel, see the following articles:
- Use watchlists in Microsoft Sentinel
- Get started detecting threats with Microsoft Sentinel.
- Use workbooks to monitor your data.