Forum Discussion

Copper Contributor

Jul 13, 2021

How to update watchlist dynamically as opposed to manually updating csv and importing it again

Hello I have a watch list that works fine but the problem I have is that each time I want to add another component to the watchlist, I have to manually update the csv file, delete the existing Watchl...

CliveWatson

Former Employee

Jul 13, 2021

You can edit since last month.

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-update-watchlist-ui-enhancements/ba-p/2451476

caitlin2250

Copper Contributor

Jul 19, 2021

Hi Clive just wanted to check if is it possible to use a domain for a watchlist column instead of FQDN. I am able to use the FQDN successfully but using the domain yields not results. Will appreciate if you could please confirm with me.

Thank you
Caitlin

JBUB_Accelerynt
Brass Contributor
Jul 19, 2021
Domain works fine for our use. We have a ARM template to deploy the watchlist as well as a playbook that works.
CliveWatson
Former Employee
Jul 19, 2021
You create the watchlist, so you can have a column called whatever you like with whatever data you like. Ideally you'd match the column names from the Table to ones in the watchlist to make any join() easier. The two sides just need to match, and be case sensitive.

i.e if your Watchlist has a column called Domain that contains "microsoft.com" you'd be able to match to "microsoft.com" in a query.