Watchlists - Get
Get a watchlist, without its watchlist items.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}?api-version=2024-09-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
resource
|
path | True |
string |
The name of the resource group. The name is case insensitive. |
|
subscription
|
path | True |
string uuid |
The ID of the target subscription. The value must be an UUID. |
|
watchlist
|
path | True |
string |
The watchlist alias |
|
workspace
|
path | True |
string |
The name of the workspace. Regex pattern: |
|
api-version
|
query | True |
string |
The API version to use for this operation. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Get a watchlist.
Sample request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset?api-version=2024-09-01
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
"name": "highValueAsset",
"type": "Microsoft.SecurityInsights/Watchlists",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017",
"displayName": "High Value Assets Watchlist",
"provider": "Microsoft",
"source": "watchlist.csv",
"sourceType": "Local file",
"created": "2020-09-28T00:26:54.7746089+00:00",
"updated": "2020-09-28T00:26:57+00:00",
"createdBy": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john@contoso.com",
"name": "john doe"
},
"updatedBy": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john@contoso.com",
"name": "john doe"
},
"description": "Watchlist from CSV content",
"watchlistType": "watchlist",
"watchlistAlias": "highValueAsset",
"itemsSearchKey": "header1",
"isDeleted": false,
"labels": [
"Tag1",
"Tag2"
],
"defaultDuration": "P1279DT12H30M5S",
"tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd"
}
}Definitions
| Name | Description |
|---|---|
|
Cloud |
Error response structure. |
|
Cloud |
Error details. |
|
created |
The type of identity that created the resource. |
|
Provisioning |
Describes provisioning state |
|
source |
The sourceType of the watchlist |
|
system |
Metadata pertaining to creation and last modification of the resource. |
|
User |
User information that made some action |
| Watchlist |
Represents a Watchlist in Azure Security Insights. |
CloudError
Error response structure.
| Name | Type | Description |
|---|---|---|
| error |
Error data |
CloudErrorBody
Error details.
| Name | Type | Description |
|---|---|---|
| code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
| Name | Type | Description |
|---|---|---|
| Application |
string |
|
| Key |
string |
|
| ManagedIdentity |
string |
|
| User |
string |
ProvisioningState
Describes provisioning state
| Name | Type | Description |
|---|---|---|
| Canceled |
string |
The Canceled provisioning state. |
| Deleting |
string |
The Deleting provisioning state. |
| Failed |
string |
The Failed provisioning state. |
| InProgress |
string |
The InProgress provisioning state. |
| New |
string |
The New provisioning state. |
| Succeeded |
string |
The Succeeded provisioning state. |
| Uploading |
string |
The Uploading provisioning state. |
sourceType
The sourceType of the watchlist
| Name | Type | Description |
|---|---|---|
| Local file |
string |
The source from local file. |
| Remote storage |
string |
The source from remote storage. |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |
UserInfo
User information that made some action
| Name | Type | Description |
|---|---|---|
|
string |
The email of the user. |
|
| name |
string |
The name of the user. |
| objectId |
string |
The object id of the user. |
Watchlist
Represents a Watchlist in Azure Security Insights.
| Name | Type | Description |
|---|---|---|
| etag |
string |
Etag of the azure resource |
| id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| name |
string |
The name of the resource |
| properties.contentType |
string |
The content type of the raw content. Example : text/csv or text/tsv |
| properties.created |
string |
The time the watchlist was created |
| properties.createdBy |
Describes a user that created the watchlist |
|
| properties.defaultDuration |
string |
The default duration of a watchlist (in ISO 8601 duration format) |
| properties.description |
string |
A description of the watchlist |
| properties.displayName |
string |
The display name of the watchlist |
| properties.isDeleted |
boolean |
A flag that indicates if the watchlist is deleted or not |
| properties.itemsSearchKey |
string |
The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. |
| properties.labels |
string[] |
List of labels relevant to this watchlist |
| properties.numberOfLinesToSkip |
integer |
The number of lines in a csv/tsv content to skip before the header |
| properties.provider |
string |
The provider of the watchlist |
| properties.provisioningState |
Describes provisioning state |
|
| properties.rawContent |
string |
The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint |
| properties.source |
string |
The filename of the watchlist, called 'source' |
| properties.sourceType |
The sourceType of the watchlist |
|
| properties.tenantId |
string |
The tenantId where the watchlist belongs to |
| properties.updated |
string |
The last time the watchlist was updated |
| properties.updatedBy |
Describes a user that updated the watchlist |
|
| properties.uploadStatus |
string |
The status of the Watchlist upload : New, InProgress or Complete. Note : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted |
| properties.watchlistAlias |
string |
The alias of the watchlist |
| properties.watchlistId |
string |
The id (a Guid) of the watchlist |
| properties.watchlistType |
string |
The type of the watchlist |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |