watchlists
Creates, updates, deletes, gets or lists a watchlists resource.
Overview
| Name | watchlists |
| Type | Resource |
| Id | azure.sentinel.watchlists |
Fields
The following fields are returned by SELECT queries:
- get
- list
| Name | Datatype | Description |
|---|---|---|
etag | string | Etag of the azure resource |
properties | object | Watchlist properties |
| Name | Datatype | Description |
|---|---|---|
etag | string | Etag of the azure resource |
properties | object | Watchlist properties |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
get | select | subscriptionId, resourceGroupName, workspaceName, watchlistAlias | Get a watchlist, without its watchlist items. | |
list | select | subscriptionId, resourceGroupName, workspaceName | $skipToken | Get all watchlists, without watchlist items. |
create_or_update | insert | subscriptionId, resourceGroupName, workspaceName, watchlistAlias | Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with rawContent and contentType properties. | |
delete | delete | subscriptionId, resourceGroupName, workspaceName, watchlistAlias | Delete a watchlist. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
resourceGroupName | string | The name of the resource group. The name is case insensitive. |
subscriptionId | string | The ID of the target subscription. |
watchlistAlias | string | The watchlist alias |
workspaceName | string | The name of the workspace. |
$skipToken | string | Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. |
SELECT examples
- get
- list
Get a watchlist, without its watchlist items.
SELECT
etag,
properties
FROM azure.sentinel.watchlists
WHERE subscriptionId = '{{ subscriptionId }}' -- required
AND resourceGroupName = '{{ resourceGroupName }}' -- required
AND workspaceName = '{{ workspaceName }}' -- required
AND watchlistAlias = '{{ watchlistAlias }}' -- required
;
Get all watchlists, without watchlist items.
SELECT
etag,
properties
FROM azure.sentinel.watchlists
WHERE subscriptionId = '{{ subscriptionId }}' -- required
AND resourceGroupName = '{{ resourceGroupName }}' -- required
AND workspaceName = '{{ workspaceName }}' -- required
AND $skipToken = '{{ $skipToken }}'
;
INSERT examples
- create_or_update
- Manifest
Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with rawContent and contentType properties.
INSERT INTO azure.sentinel.watchlists (
data__etag,
data__properties,
subscriptionId,
resourceGroupName,
workspaceName,
watchlistAlias
)
SELECT
'{{ etag }}',
'{{ properties }}',
'{{ subscriptionId }}',
'{{ resourceGroupName }}',
'{{ workspaceName }}',
'{{ watchlistAlias }}'
RETURNING
etag,
properties
;
# Description fields are for documentation purposes
- name: watchlists
props:
- name: subscriptionId
value: string
description: Required parameter for the watchlists resource.
- name: resourceGroupName
value: string
description: Required parameter for the watchlists resource.
- name: workspaceName
value: string
description: Required parameter for the watchlists resource.
- name: watchlistAlias
value: string
description: Required parameter for the watchlists resource.
- name: etag
value: string
description: |
Etag of the azure resource
- name: properties
value: object
description: |
Watchlist properties
DELETE examples
- delete
Delete a watchlist.
DELETE FROM azure.sentinel.watchlists
WHERE subscriptionId = '{{ subscriptionId }}' --required
AND resourceGroupName = '{{ resourceGroupName }}' --required
AND workspaceName = '{{ workspaceName }}' --required
AND watchlistAlias = '{{ watchlistAlias }}' --required
;