แก้ไข

แชร์ผ่าน


Manage watchlists in Microsoft Sentinel

We recommend you edit an existing watchlist instead of deleting and recreating a watchlist. Log analytics has a five-minute SLA for data ingestion. If you delete and recreate a watchlist, you might see both the deleted and recreated entries in Log Analytics during this five-minute window. If you see these duplicate entries in Log Analytics for a longer period of time, submit a support ticket.

Important

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Edit a watchlist item

Edit a watchlist to edit or add an item to the watchlist.

  1. For Microsoft Sentinel in the Azure portal, under Configuration, select Watchlist.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Configuration > Watchlist.

  2. Select the watchlist you want to edit.

  3. On the details pane, select Update watchlist > Edit watchlist items.

    Screenshot of the edit watchlist option at the bottom of the details pane.

  4. To edit an existing watchlist item,

    1. Select the checkbox of that watchlist item.

    2. Edit the item.

    3. Select Save.

      Screenshot showing how to mark and edit a watchlist item.

    4. Select Yes at the confirmation prompt.

      Screenshot of the prompt to confirm your changes.

  5. To add a new item to your watchlist,

    1. Select Add new.

      Screenshot of the new button at the top of the edit watchlist items page.

    2. Fill in the fields of the Add watchlist item panel.

    3. At the bottom of that panel, select Add.

Bulk update a watchlist

When you have many items to add to a watchlist, use bulk update. A bulk update of a watchlist appends items to the existing watchlist. Then, it de-duplicates the items in the watchlist where all the value in each column match.

If you've deleted an item from your watchlist file and upload it, bulk update won't delete the item in the existing watchlist. Delete the watchlist item individually. Or, when you have a lot of deletions, delete and recreate the watchlist.

The updated watchlist file you upload must contain the search key field used by the watchlist with no blank values.

To bulk update a watchlist,

  1. For Microsoft Sentinel in the Azure portal, under Configuration, select Watchlist.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Configuration > Watchlist.

  2. Select the watchlist you want to edit.

  3. On the details pane, select Update watchlist > Bulk update.

    Screenshot of the bulk update option on the bottom of the details pane.

  4. Under Upload file, drag and drop or browse to the file to upload.

    Screenshot of the watchlist wizard source page where you select the file to upload and the search key field is disabled.

  5. If you get an error, fix the issue in the file. Then select Reset and try the file upload again.

  6. Select Next: Review and update > Update.

To learn more about Microsoft Sentinel, see the following articles: