Thank you for your post!
Message:
Are you sure you want to delete this watchlist name...? Please make sure to review and update associated Analytics and Hunting Queries that reference the selected watchlist(s) to avoid potential query errors.
I understand you're trying to delete your MS Sentinel Watchlist and are running into the above delete message. Because of this message, you'd like to know if there's an easy (non-manual) way to find what queries are referencing your watchlist, so you don't run into any issues. From our documentation and looking through my Sentinel environment, I was only able to find manual solutions such as looking through each analytics rule or hunting query.
I've reached out to our Sentinel team to see if they can share any insights to help resolve your issue or point you in the right direction and will update as soon as possible.
In the meantime, besides looking through each analytics rule or hunting query, you can try querying the SentinelAudit table since it captures events related to changes made on your analytics rules. You can see if any of your analytics rules were recently updated to include your watchlist.
//Replace CountryCode with your Watchlist name
SentinelAudit
| where ExtendedProperties contains "CountryCode"
//If you need to ensure the Query has your watchlist
//| project ExtendedProperties
//You can also try this within the Security Alert table
SecurityAlert
| where ExtendedProperties contains "CountryCode"
For more info:
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.