Create a watchlist

To create a watchlist from the Azure portal, perform these steps:

  1. Go to Microsoft Sentinel > Configuration > Watchlist and select Add new.

    Screenshot of creating a Microsoft Sentinel watchlist.

  2. On the General page, provide the name, description, and alias for the watchlist, then select Next.

  3. On the Source page, select the dataset type, upload a file, then select Next.

    Note

    File uploads are currently limited to files of up to 3.8 MB in size.

  4. Review the information, and verify that it's correct. Then select Create. A notification appears once the watchlist is ready.

To use the watchlist data in KQL, use the KQL function _GetWatchlist('watchlist name').

_GetWatchlist('HighValueMachines')
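
An added example, not part of the original page: a query that joins the HighValueMachines watchlist against Windows logon events to surface repeated failed logons on listed hosts. The Hostname column in the uploaded file, the short-hostname convention, and the threshold of 10 are assumptions; the SecurityEvent table must be collected in the workspace.

```kusto
// Assumption: the uploaded CSV has a column named Hostname that holds
// short host names (no domain suffix). Adjust to match your file.
let HighValue =
    _GetWatchlist('HighValueMachines')
    | project Hostname = tolower(tostring(Hostname))
    | where isnotempty(Hostname)
    | distinct Hostname;
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625                        // failed logon
// Computer is often an FQDN; reduce it to the short name so it
// matches the watchlist regardless of case or domain suffix.
| extend Host = tolower(tostring(split(Computer, '.')[0]))
| join kind=inner (HighValue) on $left.Host == $right.Hostname
| summarize FailedLogons = count(),
            Accounts = make_set(TargetAccount, 20)
          by Computer, bin(TimeGenerated, 1h)
| where FailedLogons >= 10                     // assumed threshold
| order by FailedLogons desc
```

If the query returns nothing, run _GetWatchlist('HighValueMachines') on its own first to confirm the watchlist has finished loading and that the column name matches the file.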