Merge pull request #300479 from AbbyMSFT/watchlist-limitation

Watchlist data retention limitation

Author: prmerger-automator[bot]

articles/sentinel/watchlists-create.md

@@ -2,10 +2,10 @@
 title: Create new watchlists
 titleSuffix: Microsoft Sentinel
 description: Create watchlist in Microsoft Sentinel for allowlists or blocklists, to enrich event data, and help investigate threats.
-author: cwatson-cat
-ms.author: cwatson
+author: batamig
+ms.author: bagol
 ms.topic: how-to
-ms.date: 3/14/2024
+ms.date: 05/28/2025
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -24,6 +24,8 @@ Upload a watchlist file from a local folder or from your Azure Storage account.
 
 Local file uploads are currently limited to files of up to 3.8 MB in size. A file that's over 3.8 MB in size and up to 500 MB is considered a [large watchlist](#create-a-large-watchlist-from-file-in-azure-storage-preview). Upload the file to an Azure Storage account. Before you create a watchlist, review the [limitations of watchlists](watchlists.md#watchlist-limitations).
 
+Data in the Log Analytics Watchlist table is retained for 28 days.
+
 > [!IMPORTANT]
 > The features for watchlist templates and the ability to create a watchlist from a file in Azure Storage are currently in **PREVIEW**. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 >

articles/sentinel/watchlists.md

@@ -46,6 +46,7 @@ We recommend reviewing the following limitations before creating watchlists:
 | **Watchlist name and alias length** | Watchlist names and aliases must be between 3 and 64 characters. First and last characters must be alphanumeric; spaces, hyphens, and underscores allowed between. |
 | **Intended use** | Use watchlists only for reference data. Watchlists aren't designed for large data volumes. |
 | **Maximum active watchlist items** | You can have a maximum of 10 million active watchlist items across all watchlists in a workspace. Deleted items don't count. For larger volumes, use [custom logs](/azure/azure-monitor/agents/data-sources-custom-logs). |
+| **Data retention**| Data in the Log Analytics Watchlist table is retained for 28 days.|
 | **Refresh interval** | Watchlists refresh every 12 days, updating the `TimeGenerated` field. |
 | **Cross-workspace management** | Managing watchlists across workspaces using Azure Lighthouse isn't supported. |
 | **Local file upload size** | Local file uploads are limited to files of up to 3.8 MB. |