Forum Discussion
Sentinel Watchlist stuck in queued state for days...
Dear Members,
I recently read https://cryptsus.com/blog/enrich-geolocation-sentinel-siem.html on how to do geolocation of IPv4 addresses in Sentinel efficiently.
The Azure API with the 100 addresses/user/day rate limit simply does not cut it.
Just as the article recommended, I uploaded the merged csv file as an Azure blob, and created the watchlist. Now the watchlist has been sitting in Queued state for 4 days, and apparently nothing is happening (no data has been loaded to it from the csv file). There are no other visible tasks running in parallel, and I can't even delete the watchlist, as no data has been downloaded to it.
In the past I had a watchlist that I deleted, but even that took 8 hours to download, and then 8 hours to delete. Far from ideal...
Is there anything I can do about this? Or is this a known behavior for watchlists in Sentinel? Or should I try to contact Support?
Thanks,
János
10 Replies
- wowbagger, Copper Contributor
In the meantime, due to an unrelated issue, my watchlists were cleared, along with other things, so I had to recreate the watchlists in a new Sentinel instance in a new resource group, with the CSVs residing in a different storage account.
This time everything worked flawlessly, so my original problem is no more. Thanks to everyone for trying to help, and sharing their thoughts.
- wowbagger, Copper Contributor
After three weeks there is still no change...
My watchlists are still sitting in queued state.
- sedohr, Copper Contributor
Hi there,
I spoke with Microsoft support who cleared the queued watchlists in a few different workspaces. They confirmed that there was no option for me to do this from the Azure Portal and if it happens again to just contact them to fix.
Bit of an odd one.
- Clive_Watson, Bronze Contributor
It's good that you got this fixed, and the update is appreciated. Thank you
- Clive_Watson, Bronze Contributor
If you still have this problem, I think you will have to open a support request with Microsoft.
- Clive_Watson, Bronze Contributor
How big is the Watchlist - certain limits apply? https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/large-watchlist-using-sas-key-is-in-public-preview/ba-p/3242370#:~:text=How%20to%20create%20a%20large%20watchlist%20To%20create,Microsoft%20Sentinel%20to%20securely%20retrieve%20the%20watchlist%20data.