How to update watchlist dynamically as opposed to manually updating csv and importing it again

jeffazure
Copper Contributor
Aug 19, 2021
When it works : https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-update-watchlist-ui-enhancements/bc-p/2663990/highlight/true#M1638
caitlin2250
Copper Contributor
Jul 19, 2021
Hi Clive just wanted to check if is it possible to use a domain for a watchlist column instead of FQDN. I am able to use the FQDN successfully but using the domain yields not results. Will appreciate if you could please confirm with me.

Thank you
Caitlin
- JBUB_Accelerynt
  Brass Contributor
  Jul 19, 2021
  Domain works fine for our use. We have a ARM template to deploy the watchlist as well as a playbook that works.
- CliveWatson
  Former Employee
  Jul 19, 2021
  You create the watchlist, so you can have a column called whatever you like with whatever data you like. Ideally you'd match the column names from the Table to ones in the watchlist to make any join() easier. The two sides just need to match, and be case sensitive.
  
  i.e if your Watchlist has a column called Domain that contains "microsoft.com" you'd be able to match to "microsoft.com" in a query.
caitlin2250
Copper Contributor
Jul 15, 2021
thank you very much Clive for all your help. I know from the code you provided me I am able to pull information from different departments using a Watch but I am now looking for how to achieve that in a cross workspace environment. Would that be possible?
Look forward to hearing from you soon
Caitlin

Forum Discussion