Watchlist is now Generally Available

Published Jul 12 2021 11:13 AM 4,132 Views

Today we are announcing the General Availability (GA) of Azure Sentinel Watchlist to all regions!


Azure Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Azure Sentinel environment. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. 




Get started today with these watchlist use cases:

  • Import data from csv for analytic rules & hunting. Utilize the watchlist name/value pairs for joining and filtering for use in analytic rules, threat hunting, workbooks, notebooks and for general queries. For a full list of the functionalities and the step-by-step instructions, refer to the official documentation.
  • Update your watchlist using the new user interface. Add new or update existing watchlist items via an Excel-like grid. Add/remove columns from the UI for better usability. See article for more information. 
  • Automate watchlist operations with playbooks. Leverage in Logic App playbooks as part of your security automation story for incidents, alerts, etc. Click here for a two part tutorial and also check out the playbooks in the GitHub repo link (look for all of the playbooks with "watchlist" in the name).
  • Automatically update IPs used by the major cloud providers. Using a watchlist function (link), create a watchlist for each cloud provider (Azure, AWS, GCP) and automatically update their respective IP ranges to enable allow-list or block-lists detections or for queries and reports.
  • Deploy via ARM for bulk deployments. Use ARM templates for quick deployment scenarios as well as bulk deployments. Learn more here to get started with links and examples. 
  • Import watchlist with curated IOCs. Use watchlist ARM templates for curating and sharing non-Sentinel data across workspaces. Check out the Watchlist section in our GitHub repo for examples like this one for Nobelium cyber attack.


Azure Sentinel Watchlist Team

Regular Visitor

In the post it says "Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. ".

I am getting issues with slow queries. For example, we have 348 watchlists elements, some of them being older than 128 days (they were created during the public preview). Log Analytics takes about 8 seconds to retrieve these 348 elements, this causes some of the Analytics Rules queries to fail.

Please, does anyone know if maybe I have to recreate these old elements created during the public/private preview? or how Sentinel manages the storing of the watchlists elements?

Thank you in advance.


The API for ingesting data into the watchlists was changed for the GA release.  So I would normally recommend recreating the watchlist so that you are using the latest version that includes the SearchKey field. That said, if you don't mind, I would rather you create a support incident via a Azure technical support ticket so we can troubleshoot. We will need the workspace id to do that. Even with the API change, you shouldn't experience any notable change in performance.

Version history
Last update:
‎Jul 12 2021 11:11 AM
Updated by: