watchlist data retention limitation

AbbyMSFT · AbbyMSFT · commit 9fbed4f9a415 · 2025-05-28T14:37:39.000+03:00
diff --git a/articles/sentinel/watchlists-create.md b/articles/sentinel/watchlists-create.md
@@ -2,10 +2,10 @@
 title: Create new watchlists
 titleSuffix: Microsoft Sentinel
 description: Create watchlist in Microsoft Sentinel for allowlists or blocklists, to enrich event data, and help investigate threats.
-author: cwatson-cat
-ms.author: cwatson
+author: batamig
+ms.author: bagol
 ms.topic: how-to
-ms.date: 3/14/2024
+ms.date: 05/28/2025
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -24,6 +24,8 @@ Upload a watchlist file from a local folder or from your Azure Storage account.
 
 Local file uploads are currently limited to files of up to 3.8 MB in size. A file that's over 3.8 MB in size and up to 500 MB is considered a [large watchlist](#create-a-large-watchlist-from-file-in-azure-storage-preview). Upload the file to an Azure Storage account. Before you create a watchlist, review the [limitations of watchlists](watchlists.md#limitations-of-watchlists).
 
+Watchlist data is retained for 28 days. 
+
 > [!IMPORTANT]
 > The features for watchlist templates and the ability to create a watchlist from a file in Azure Storage are currently in **PREVIEW**. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 >
diff --git a/articles/sentinel/watchlists.md b/articles/sentinel/watchlists.md
@@ -2,10 +2,10 @@
 title: Watchlists in Microsoft Sentinel
 titleSuffix: Microsoft Sentinel
 description: Learn how watchlists allow you to correlate data with events and when to use them in Microsoft Sentinel.
-author: cwatson-cat
-ms.author: cwatson
+author: batamig
+ms.author: bagol
 ms.topic: concept-article
-ms.date: 3/14/2024
+ms.date: 05/28/2025
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -45,6 +45,7 @@ Use watchlists to help you with following scenarios:
 Before you create a watchlist, be aware of the following limitations:
 
 - When you create a watchlist, the watchlist name and alias must each be between 3 and 64 characters. The first and last characters must be alphanumeric. But you can include whitespaces, hyphens, and underscores in between the first and last characters.
+- Watchlist data is retained for 28 days. 
 - The use of watchlists should be limited to reference data, as they aren't designed for large data volumes.
 - The **total number of active watchlist items** across all watchlists in a single workspace is currently limited to **10 million**. Deleted watchlist items don't count against this total. If you require the ability to reference large data volumes, consider ingesting them using [custom logs](/azure/azure-monitor/agents/data-sources-custom-logs) instead.
 - Watchlists are refreshed in your workspace every 12 days, updating the `TimeGenerated` field.
