Microsoft Tech Community

How to update watchlist dynamically as opposed to manually updating csv and importing it again


Hello, I have a watchlist that works fine, but the problem I have is that each time I want to add another component to the watchlist, I have to manually update the CSV file, delete the existing watchlist from Sentinel and reimport the watchlist into Sentinel again. I would like to find a way of updating the watchlist dynamically, but I am told that the feature is currently not available.

Could anyone please confirm this for me?

Thanks, Caitlin

8 Replies
Thank you very much, Clive, for all your help. I know from the code you provided that I am able to pull information from different departments using a watchlist, but I am now looking for how to achieve that in a cross-workspace environment. Would that be possible?
Look forward to hearing from you soon.
Caitlin
Thank you very much for the pointers, Rodtrent.
Much appreciated.
Hi Clive, I just wanted to check whether it is possible to use a domain for a watchlist column instead of an FQDN. I am able to use the FQDN successfully, but using the domain yields no results. I would appreciate it if you could please confirm this for me.

Thank you
Caitlin
You create the watchlist, so you can have a column called whatever you like with whatever data you like. Ideally you'd match the column names from the table to the ones in the watchlist to make any join() easier. The two sides just need to match, and the match is case-sensitive.

i.e. if your watchlist has a column called Domain that contains "microsoft.com", you'd be able to match "microsoft.com" in a query.
Domain works fine for our use. We have an ARM template to deploy the watchlist as well as a playbook that works.
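The following is an added example, not code from this thread or from any of its participants. It addresses the original question (adding rows without deleting and re-importing the CSV) and Clive's point about exact, case-sensitive matching. Microsoft Sentinel exposes watchlist items as child resources of the watchlist in the Azure Resource Manager REST API, so each CSV row can be written with its own PUT. The item id is derived deterministically from the row's search-key value, so re-running the script against an updated CSV updates existing items and adds new ones rather than creating duplicates. The subscription, resource group, workspace, watchlist alias, API version string and the SAMPLE_CSV contents are assumed placeholders; replace them for your environment. Note also that a KQL join() on strings is an exact comparison: a table column holding an FQDN such as host.microsoft.com will never equal a watchlist value of microsoft.com, so either store what the query compares against or derive the domain in the query.

```python
import csv
import io
import json
import urllib.request
import uuid
from typing import Callable, Dict, List, Tuple

# Constructed sample CSV (not from the thread). Mixed case and a trailing dot
# are deliberate: a KQL join() on strings is an exact, case-sensitive compare,
# so values are normalised here rather than hoping the query side does it.
SAMPLE_CSV = """Domain,Department,Owner
Microsoft.com,IT,alice
contoso.com.,Finance,bob
EXAMPLE.ORG,HR,carol
"""

# Placeholders for your environment (assumed, not taken from the thread).
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-sentinel"
WORKSPACE = "law-sentinel"
WATCHLIST_ALIAS = "HighValueDomains"   # the watchlist alias used in the URL (assumed)
SEARCH_KEY = "Domain"                  # the column the watchlist is keyed on (assumed)
API_VERSION = "2023-02-01"             # assumed; use the GA version for your tenant

ARM = "https://management.azure.com"
Request = Tuple[str, str, dict]        # (HTTP method, URL, JSON body)


def normalise_domain(value: str) -> str:
    """Lower-case, trim, and drop a trailing dot so the stored value equals
    what a query will compare against."""
    return value.strip().rstrip(".").lower()


def parse_rows(csv_text: str, search_key: str = SEARCH_KEY) -> List[Dict[str, str]]:
    """Read the CSV as the watchlist import would, normalising the key column."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row[search_key] = normalise_domain(row[search_key])
        rows.append(row)
    return rows


def item_id(alias: str, key_value: str) -> str:
    """Deterministic item id: re-running on the same key updates instead of duplicating."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"{alias}/{key_value}"))


def item_url(alias: str, item: str) -> str:
    """ARM URL of one watchlist item (child resource of the watchlist)."""
    return (f"{ARM}/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{WORKSPACE}"
            f"/providers/Microsoft.SecurityInsights/watchlists/{alias}"
            f"/watchlistItems/{item}?api-version={API_VERSION}")


def build_requests(csv_text: str, alias: str = WATCHLIST_ALIAS,
                   search_key: str = SEARCH_KEY) -> List[Request]:
    """One PUT per CSV row; the whole row becomes the item's itemsKeyValue."""
    reqs: List[Request] = []
    for row in parse_rows(csv_text, search_key):
        body = {"properties": {"itemsKeyValue": row}}
        reqs.append(("PUT", item_url(alias, item_id(alias, row[search_key])), body))
    return reqs


def push(reqs: List[Request], send: Callable[[str, str, dict], int]) -> Dict[int, int]:
    """Send each request through the supplied callable and tally HTTP status codes."""
    tally: Dict[int, int] = {}
    for method, url, body in reqs:
        status = send(method, url, body)
        tally[status] = tally.get(status, 0) + 1
    return tally


def arm_sender(bearer_token: str) -> Callable[[str, str, dict], int]:
    """Real sender: PUT the body to ARM with a bearer token obtained elsewhere
    (for example from `az account get-access-token`). Not used by the dry run."""
    def send(method: str, url: str, body: dict) -> int:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {bearer_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:   # raises on 4xx/5xx
            return resp.status
    return send


def dry_run_sender(method: str, url: str, body: dict) -> int:
    """Offline sender: print what would be sent and pretend it succeeded."""
    print(method, url.split("/watchlists/")[1])
    print("  ", json.dumps(body["properties"]["itemsKeyValue"]))
    return 200


if __name__ == "__main__":
    print(push(build_requests(SAMPLE_CSV), dry_run_sender))
```

Run it as-is for an offline dry run; swap `dry_run_sender` for `arm_sender(token)` once the caller has a token with write access to the workspace. Because the item id is a UUIDv5 of the alias and key value, the same CSV row always maps to the same item, which is what makes the PUT idempotent.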