MS Sentinel: How to easily find associated queries when deleting a watchlist.

ben_loy 25 Reputation points
2023-03-22T07:29:34.77+00:00

Hello,

When trying to delete a watchlist from my workspace, a message pops up telling me to make sure I don't break any related query.

Is there a non-manual and easy way to find a watchlist's related queries? I can't find anything on the "watchlists" page.

Thanks in advance!

Ben

Microsoft Sentinel

Accepted answer
  1. JamesTran-MSFT 36,371 Reputation points Microsoft Employee
    2023-03-23T17:06:50.9533333+00:00

    @ben_loy

    Thank you for your post!

    Message:
    Are you sure you want to delete this watchlist name...? Please make sure to review and update associated Analytics and Hunting Queries that reference the selected watchlist(s) to avoid potential query errors.

    I understand you're trying to delete your MS Sentinel Watchlist and are running into the above delete message. Because of this message, you'd like to know if there's an easy (non-manual) way to find what queries are referencing your watchlist, so you don't run into any issues. From our documentation and looking through my Sentinel environment, I was only able to find manual solutions such as looking through each analytics rule or hunting query.

    I've reached out to our Sentinel team to see if they can share any insights to help resolve your issue or point you in the right direction and will update as soon as possible.


    In the meantime, besides looking through each analytics rule or hunting query, you can try querying the SentinelAudit table since it captures events related to changes made on your analytics rules. You can see if any of your analytics rules were recently updated to include your watchlist.

    // Replace CountryCode with your watchlist name (alias)
    SentinelAudit
    | where ExtendedProperties contains "CountryCode"

    // If you need to confirm that the query text itself references your watchlist,
    // project the property that carries it:
    // | project ExtendedProperties

    // You can also try the same filter against the SecurityAlert table
    SecurityAlert
    | where ExtendedProperties contains "CountryCode"


    For more info:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
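One non-manual approach, added here as an example and not part of the answer above, is to export the workspace's analytics rules and hunting queries as JSON and grep the query text for watchlist references before deleting anything. The script below assumes an ARM-style export in which analytics rules are `Microsoft.SecurityInsights/alertRules` resources and hunting queries are `Microsoft.OperationalInsights/workspaces/savedSearches` resources, each with the KQL in `properties.query`; the embedded sample export and its rule names are constructed for the example. It matches both `_GetWatchlist('Alias')` calls and direct `Watchlist | where WatchlistAlias == 'Alias'` filters, which covers more cases than searching the audit tables alone.

```python
import json
import re

# Constructed sample export. The resource types and property names follow the
# shape of a Sentinel/Log Analytics ARM export; the rule names, display names
# and queries are made up for this example.
SAMPLE_EXPORT = json.dumps({
    "resources": [
        {"type": "Microsoft.SecurityInsights/alertRules", "name": "rule-1",
         "properties": {"displayName": "Sign-ins from blocked countries",
                        "query": "SigninLogs | where Location in ((_GetWatchlist('CountryCode') | project SearchKey))"}},
        {"type": "Microsoft.SecurityInsights/alertRules", "name": "rule-2",
         "properties": {"displayName": "Unrelated rule",
                        "query": "SecurityEvent | where EventID == 4625"}},
        {"type": "Microsoft.OperationalInsights/workspaces/savedSearches", "name": "hunt-1",
         "properties": {"displayName": "Hunt: VIP account sign-ins", "category": "Hunting Queries",
                        "query": 'let vips = _GetWatchlist("VIPUsers");\nSigninLogs | join kind=inner vips on $left.UserPrincipalName == $right.SearchKey'}},
        {"type": "Microsoft.OperationalInsights/workspaces/savedSearches", "name": "hunt-2",
         "properties": {"displayName": "Hunt: country list via Watchlist table", "category": "Hunting Queries",
                        "query": "Watchlist | where WatchlistAlias == 'CountryCode' | summarize count()"}},
    ]
})

# Resource types whose properties.query is KQL worth scanning.
QUERY_RESOURCE_TYPES = {
    "Microsoft.SecurityInsights/alertRules",
    "Microsoft.OperationalInsights/workspaces/savedSearches",
}

# Two ways a query can reference a watchlist:
#   1. the _GetWatchlist('Alias') / _GetWatchlist("Alias") function
#   2. filtering the raw Watchlist table on WatchlistAlias == 'Alias'
GETWATCHLIST_RE = re.compile(r"_GetWatchlist\(\s*['\"]([^'\"]+)['\"]\s*\)")
WATCHLIST_TABLE_RE = re.compile(r"WatchlistAlias\s*==\s*['\"]([^'\"]+)['\"]")


def watchlist_references(query: str) -> set:
    """Return the set of watchlist aliases a KQL query references."""
    found = set(GETWATCHLIST_RE.findall(query))
    found.update(WATCHLIST_TABLE_RE.findall(query))
    return found


def reference_index(export_json: str) -> dict:
    """Map each watchlist alias to the list of (resource name, type, displayName)
    entries whose query references it."""
    index = {}
    for res in json.loads(export_json).get("resources", []):
        if res.get("type") not in QUERY_RESOURCE_TYPES:
            continue
        props = res.get("properties", {})
        query = props.get("query", "")
        for alias in watchlist_references(query):
            index.setdefault(alias, []).append(
                {"name": res.get("name"), "type": res["type"],
                 "displayName": props.get("displayName", "")})
    return index


def find_queries_using(export_json: str, alias: str) -> list:
    """Names of analytics rules / hunting queries that reference `alias`.
    Aliases are compared exactly; KQL string comparison is case-sensitive here."""
    return [entry["name"] for entry in reference_index(export_json).get(alias, [])]


if __name__ == "__main__":
    # Usage: python find_watchlist_refs.py  (scans the constructed sample export)
    for alias, users in sorted(reference_index(SAMPLE_EXPORT).items()):
        print(f"watchlist {alias!r} is referenced by:")
        for entry in users:
            print(f"  {entry['type'].rsplit('/', 1)[-1]}: {entry['name']} ({entry['displayName']})")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the contents of the exported template; an empty result for the alias you intend to delete is the signal that the deletion will not break any rule or hunting query captured in that export.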


1 additional answer

  1. Ayomide Oluwaga 946 Reputation points
    2023-03-22T07:33:55.3366667+00:00

    When you delete a watchlist in Azure Sentinel, any queries that use that watchlist will break. To find which queries use a specific watchlist, you can run a log search query in the Azure Sentinel workspace. The query will return logs that contain data from the specified watchlist. You can then check each query to see if it uses the watchlist in question. If you find queries that use the watchlist, you'll need to update them before deleting the watchlist.