Edit

Share via

Manage watchlists in Microsoft Sentinel

  • Applies to: Microsoft Sentinel in the Microsoft Defender portal, Microsoft Sentinel in the Azure portal

We recommend you edit an existing watchlist instead of deleting and recreating a watchlist. Log analytics has a five-minute SLA for data ingestion. If you delete and recreate a watchlist, you might see both the deleted and recreated entries in Log Analytics during this five-minute window. If you see these duplicate entries in Log Analytics for a longer period of time, submit a support ticket.

Important

Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license.

Starting in July 2026, all customers using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only. Starting in July 2025, many new customers are automatically onboarded and redirected to the Defender portal.

If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender. For more information, see It’s Time to Move: Retiring Microsoft Sentinel’s Azure portal for greater security.

Edit a watchlist item

Edit a watchlist to edit or add an item to the watchlist.

  1. For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Configuration > Watchlist. For Microsoft Sentinel in the Azure portal, under Configuration, select Watchlist.

  2. Select the watchlist you want to edit.

  3. On the details pane, select Update watchlist > Edit watchlist items.

    Screenshot of the edit watchlist option at the bottom of the details pane.

  4. To edit an existing watchlist item,

    1. Select the checkbox of that watchlist item.

    2. Edit the item.

    3. Select Save.

      Screenshot showing how to mark and edit a watchlist item.

    4. Select Yes at the confirmation prompt.

      Screenshot of the prompt to confirm your changes.

  5. To add a new item to your watchlist,

    1. Select Add new.

      Screenshot of the new button at the top of the edit watchlist items page.

    2. Fill in the fields of the Add watchlist item panel.

    3. At the bottom of that panel, select Add.

Bulk update a watchlist

When you have many items to add to a watchlist, use bulk update. A bulk update of a watchlist appends items to the existing watchlist. Then, it de-duplicates the items in the watchlist where all the value in each column match.

If you've deleted an item from your watchlist file and upload it, bulk update won't delete the item in the existing watchlist. Delete the watchlist item individually. Or, when you have a lot of deletions, delete and recreate the watchlist.

The updated watchlist file you upload must contain the search key field used by the watchlist with no blank values.

To bulk update a watchlist,

  1. For Microsoft Sentinel in the Azure portal, under Configuration, select Watchlist.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Configuration > Watchlist.

  2. Select the watchlist you want to edit.

  3. On the details pane, select Update watchlist > Bulk update.

    Screenshot of the bulk update option on the bottom of the details pane.

  4. Under Upload file, drag and drop or browse to the file to upload.

    Screenshot of the watchlist wizard source page where you select the file to upload and the search key field is disabled.

  5. If you get an error, fix the issue in the file. Then select Reset and try the file upload again.

  6. Select Next: Review and update > Update.

Related content

To learn more about Microsoft Sentinel, see the following articles: