Commit 9bc13cb

committed
watchlists-part1
1 parent 8a1c304 commit 9bc13cb

1 file changed

+12
-18
lines changed

articles/sentinel/watchlists.md

Lines changed: 12 additions & 18 deletions
@@ -1,11 +1,10 @@
11
---
2-
title: Watchlists in Microsoft Sentinel
3-
titleSuffix: Microsoft Sentinel
4-
description: Learn how watchlists allow you to correlate data with events and when to use them in Microsoft Sentinel.
5-
author: cwatson-cat
6-
ms.author: cwatson
2+
title: Use Watchlists to Correlate and Enrich Event Data in Microsoft Sentinel
3+
description: Learn how to use watchlists in Microsoft Sentinel to efficiently correlate and enrich event data, reduce alert fatigue, and respond to threats. Discover best practices and get started today.
4+
author: batamig
5+
ms.author: bagol
76
ms.topic: concept-article
8-
ms.date: 3/14/2024
7+
ms.date: 05/27/2025
98
appliesto:
109
- Microsoft Sentinel in the Microsoft Defender portal
1110
- Microsoft Sentinel in the Azure portal
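Review bot: the new `description` value is long for a metadata description and ends with a marketing call to action ("Discover best practices and get started today") rather than a statement of what the article covers; consider trimming it to the first sentence, e.g. `description: Learn how to use watchlists in Microsoft Sentinel to correlate and enrich event data, reduce alert fatigue, and respond to threats.` Also note that `titleSuffix` is dropped while the new `title` already ends in "in Microsoft Sentinel", which is consistent, but the `ms.date` format changes from `3/14/2024` to `05/27/2025`; confirm the zero-padded form is the convention used elsewhere in this docset.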
@@ -18,21 +17,19 @@ ms.collection: usx-security
1817

1918
# Watchlists in Microsoft Sentinel
2019

21-
Watchlists in Microsoft Sentinel allow you to correlate data from a data source you provide with the events in your Microsoft Sentinel environment. For example, you might create a watchlist with a list of high-value assets, terminated employees, or service accounts in your environment.
20+
Watchlists in Microsoft Sentinel help security analysts efficiently correlate and enrich event data. They give you a flexible way to manage reference data, like lists of high-value assets or terminated employees. Integrate watchlists into your detection rules, threat hunting, and response workflows to reduce alert fatigue and respond to threats faster. This article explains how to use watchlists in Microsoft Sentinel, outlines key scenarios and limitations, and gives guidance on creating and querying watchlists to enhance your security operations.
2221

23-
Use watchlists in your search, detection rules, threat hunting, and response playbooks.
24-
25-
Watchlists are stored in your Microsoft Sentinel workspace in the `Watchlist` table as name-value pairs and are cached for optimal query performance and low latency.
22+
Use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace in the `Watchlist` table as name-value pairs. They're cached for optimal query performance and low latency.
2623

2724
> [!IMPORTANT]
2825
> The features for watchlist templates and the ability to create a watchlist from a file in Azure Storage are currently in **PREVIEW**. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
2926
>
3027
3128
## When to use watchlists
3229

33-
Use watchlists to help you with following scenarios:
30+
Use watchlists in these scenarios:
3431

35-
- **Investigate threats** and respond to incidents quickly with the rapid import of IP addresses, file hashes, and other data from CSV files. After you import the data, use watchlist name-value pairs for joins and filters in alert rules, threat hunting, workbooks, notebooks, and general queries.
32+
- **Investigate threats** and respond to incidents quickly by importing IP addresses, file hashes, and other data from CSV files. After you import the data, use watchlist name-value pairs for joins and filters in alert rules, threat hunting, workbooks, notebooks, and queries.
3633

3734
- **Import business data** as a watchlist. For example, import user lists with privileged system access, or terminated employees. Then, use the watchlist to create allowlists and blocklists to detect or prevent those users from logging in to the network.
3835

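Review bot: the H1 `# Watchlists in Microsoft Sentinel` is left unchanged while the front matter `title` in the first hunk becomes "Use Watchlists to Correlate and Enrich Event Data in Microsoft Sentinel"; the page heading and browser title now disagree, so align one with the other. The rewritten intro also asserts that watchlists "reduce alert fatigue", but nothing in the visible body explains how; the closest support is the allowlist/blocklist scenario under "Import business data", so either link the claim to that mechanism (allowlisting known-good entities so they don't fire alerts) or drop it. Minor: the old intro's "service accounts" example is lost in the rewrite; it is a common watchlist use and worth keeping alongside high-value assets and terminated employees.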
@@ -53,7 +50,7 @@ Before you create a watchlist, be aware of the following limitations:
5350
- File uploads from an Azure Storage account (in preview) are currently limited to files up to 500 MB in size.
5451
- Watchlists must adhere to the same column and table restrictions as KQL entities. For more information, see [KQL entity names](/kusto/query/schema-entities/entity-names?view=microsoft-sentinel&preserve-view=true).
5552

56-
## Options to create watchlists
53+
## Ways to create watchlists in Microsoft Sentinel
5754

5855
Create a watchlist in Microsoft Sentinel from a file you upload from a local folder or from a file in your Azure Storage account.
5956

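Review bot: renaming `## Options to create watchlists` to `## Ways to create watchlists in Microsoft Sentinel` changes the generated heading anchor, so any deep link to the old anchor (from other articles in this repo, the TOC, or external bookmarks) will land at the top of the page instead of this section; grep the repo for the old anchor text and update or add a redirect before merging. The `include Microsoft Sentinel` suffix is also redundant inside an article whose title already names the product and whose sibling headings (`## When to use watchlists`) omit it.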
@@ -126,13 +123,10 @@ See more information on the following items used in the preceding examples, in t
126123

127124
[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
128125

129-
## Next steps
126+
## Related content
130127

131-
To learn more about Microsoft Sentinel, see the following articles:
128+
For more information, see:
132129

133130
- [Create watchlists](watchlists-create.md)
134131
- [Build queries and detection rules with watchlists](watchlists-queries.md)
135132
- [Manage watchlists](watchlists-manage.md)
136-
- Learn how to [get visibility into your data and potential threats](get-visibility.md).
137-
- Get started [detecting threats with Microsoft Sentinel](./detect-threats-built-in.md).
138-
- [Use workbooks](monitor-your-data.md) to monitor your data.
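Review bot: this hunk removes the three outbound links to `get-visibility.md`, `detect-threats-built-in.md`, and `monitor-your-data.md` without replacing them; if this article was the only path to those pages from the watchlists cluster, readers lose the onward route from watchlists to detection rules and workbooks, which the intro paragraph explicitly promotes. Confirm those articles are reachable from the TOC or from `watchlists-queries.md`, or keep at least the detect-threats link under the new `## Related content` heading. The heading rename itself ("Next steps" to "Related content") and the shortened lead sentence are fine.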
