Microsoft.SecurityInsights watchlists

Bicep resource definition

The watchlists resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/watchlists resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/watchlists@2025-01-01-preview' = {
  scope: resourceSymbolicName or scope
  etag: 'string'
  name: 'string'
  properties: {
    contentType: 'string'
    created: 'string'
    createdBy: {
      objectId: 'string'
    }
    defaultDuration: 'string'
    description: 'string'
    displayName: 'string'
    isDeleted: bool
    itemsSearchKey: 'string'
    labels: [
      'string'
    ]
    numberOfLinesToSkip: int
    provider: 'string'
    provisioningState: 'string'
    rawContent: 'string'
    source: 'string'
    sourceType: 'string'
    tenantId: 'string'
    updated: 'string'
    updatedBy: {
      objectId: 'string'
    }
    uploadStatus: 'string'
    watchlistAlias: 'string'
    watchlistId: 'string'
    watchlistType: 'string'
  }
}

Property values

Microsoft.SecurityInsights/watchlists

| Name | Description | Value |
| --- | --- | --- |
| etag | Etag of the Azure resource | string |
| name | The resource name | string (required) |
| properties | Watchlist properties | WatchlistProperties |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |

UserInfo

| Name | Description | Value |
| --- | --- | --- |
| objectId | The object id of the user. | string. Constraints: Min length = 36; Max length = 36; Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |

WatchlistProperties

| Name | Description | Value |
| --- | --- | --- |
| contentType | The content type of the raw content. Example: text/csv or text/tsv | string |
| created | The time the watchlist was created | string |
| createdBy | Describes a user that created the watchlist | UserInfo |
| defaultDuration | The default duration of a watchlist (in ISO 8601 duration format) | string |
| description | A description of the watchlist | string |
| displayName | The display name of the watchlist | string (required) |
| isDeleted | A flag that indicates if the watchlist is deleted or not | bool |
| itemsSearchKey | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | string (required) |
| labels | List of labels relevant to this watchlist | string[] |
| numberOfLinesToSkip | The number of lines in a csv/tsv content to skip before the header | int |
| provider | The provider of the watchlist | string (required) |
| provisioningState | The triggered analytics rule run provisioning state | 'Accepted', 'Canceled', 'Failed', 'InProgress', 'Succeeded' |
| rawContent | The raw content that represents the watchlist items to create. For a csv/tsv content type, it is the content of the file that will be parsed by the endpoint | string |
| source | The filename of the watchlist, called 'source' | string |
| sourceType | The sourceType of the watchlist | 'Local file', 'Remote storage' |
| tenantId | The tenantId the watchlist belongs to | string |
| updated | The last time the watchlist was updated | string |
| updatedBy | Describes a user that updated the watchlist | UserInfo |
| uploadStatus | The status of the watchlist upload: New, InProgress or Complete. Note: when a watchlist's upload status is InProgress, the watchlist cannot be deleted | string |
| watchlistAlias | The alias of the watchlist | string |
| watchlistId | The id (a Guid) of the watchlist | string |
| watchlistType | The type of the watchlist | string |

ARM template resource definition

The watchlists resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/watchlists resource, add the following JSON to your template.

{
  "type": "Microsoft.SecurityInsights/watchlists",
  "apiVersion": "2025-01-01-preview",
  "name": "string",
  "etag": "string",
  "properties": {
    "contentType": "string",
    "created": "string",
    "createdBy": {
      "objectId": "string"
    },
    "defaultDuration": "string",
    "description": "string",
    "displayName": "string",
    "isDeleted": "bool",
    "itemsSearchKey": "string",
    "labels": [ "string" ],
    "numberOfLinesToSkip": "int",
    "provider": "string",
    "provisioningState": "string",
    "rawContent": "string",
    "source": "string",
    "sourceType": "string",
    "tenantId": "string",
    "updated": "string",
    "updatedBy": {
      "objectId": "string"
    },
    "uploadStatus": "string",
    "watchlistAlias": "string",
    "watchlistId": "string",
    "watchlistType": "string"
  }
}

Property values

Microsoft.SecurityInsights/watchlists

| Name | Description | Value |
| --- | --- | --- |
| apiVersion | The api version | '2025-01-01-preview' |
| etag | Etag of the Azure resource | string |
| name | The resource name | string (required) |
| properties | Watchlist properties | WatchlistProperties |
| type | The resource type | 'Microsoft.SecurityInsights/watchlists' |

UserInfo

| Name | Description | Value |
| --- | --- | --- |
| objectId | The object id of the user. | string. Constraints: Min length = 36; Max length = 36; Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |

WatchlistProperties

| Name | Description | Value |
| --- | --- | --- |
| contentType | The content type of the raw content. Example: text/csv or text/tsv | string |
| created | The time the watchlist was created | string |
| createdBy | Describes a user that created the watchlist | UserInfo |
| defaultDuration | The default duration of a watchlist (in ISO 8601 duration format) | string |
| description | A description of the watchlist | string |
| displayName | The display name of the watchlist | string (required) |
| isDeleted | A flag that indicates if the watchlist is deleted or not | bool |
| itemsSearchKey | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | string (required) |
| labels | List of labels relevant to this watchlist | string[] |
| numberOfLinesToSkip | The number of lines in a csv/tsv content to skip before the header | int |
| provider | The provider of the watchlist | string (required) |
| provisioningState | The triggered analytics rule run provisioning state | 'Accepted', 'Canceled', 'Failed', 'InProgress', 'Succeeded' |
| rawContent | The raw content that represents the watchlist items to create. For a csv/tsv content type, it is the content of the file that will be parsed by the endpoint | string |
| source | The filename of the watchlist, called 'source' | string |
| sourceType | The sourceType of the watchlist | 'Local file', 'Remote storage' |
| tenantId | The tenantId the watchlist belongs to | string |
| updated | The last time the watchlist was updated | string |
| updatedBy | Describes a user that updated the watchlist | UserInfo |
| uploadStatus | The status of the watchlist upload: New, InProgress or Complete. Note: when a watchlist's upload status is InProgress, the watchlist cannot be deleted | string |
| watchlistAlias | The alias of the watchlist | string |
| watchlistId | The id (a Guid) of the watchlist | string |
| watchlistType | The type of the watchlist | string |

Terraform (AzAPI provider) resource definition

The watchlists resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/watchlists resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.SecurityInsights/watchlists@2025-01-01-preview"
  name = "string"
  parent_id = "string"
  etag = "string"
  body = jsonencode({
    properties = {
      contentType = "string"
      created = "string"
      createdBy = {
        objectId = "string"
      }
      defaultDuration = "string"
      description = "string"
      displayName = "string"
      isDeleted = bool
      itemsSearchKey = "string"
      labels = [
        "string"
      ]
      numberOfLinesToSkip = int
      provider = "string"
      provisioningState = "string"
      rawContent = "string"
      source = "string"
      sourceType = "string"
      tenantId = "string"
      updated = "string"
      updatedBy = {
        objectId = "string"
      }
      uploadStatus = "string"
      watchlistAlias = "string"
      watchlistId = "string"
      watchlistType = "string"
    }
  })
}

Property values

Microsoft.SecurityInsights/watchlists

| Name | Description | Value |
| --- | --- | --- |
| etag | Etag of the Azure resource | string |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Watchlist properties | WatchlistProperties |
| type | The resource type | "Microsoft.SecurityInsights/watchlists@2025-01-01-preview" |

UserInfo

| Name | Description | Value |
| --- | --- | --- |
| objectId | The object id of the user. | string. Constraints: Min length = 36; Max length = 36; Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |

WatchlistProperties

| Name | Description | Value |
| --- | --- | --- |
| contentType | The content type of the raw content. Example: text/csv or text/tsv | string |
| created | The time the watchlist was created | string |
| createdBy | Describes a user that created the watchlist | UserInfo |
| defaultDuration | The default duration of a watchlist (in ISO 8601 duration format) | string |
| description | A description of the watchlist | string |
| displayName | The display name of the watchlist | string (required) |
| isDeleted | A flag that indicates if the watchlist is deleted or not | bool |
| itemsSearchKey | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | string (required) |
| labels | List of labels relevant to this watchlist | string[] |
| numberOfLinesToSkip | The number of lines in a csv/tsv content to skip before the header | int |
| provider | The provider of the watchlist | string (required) |
| provisioningState | The triggered analytics rule run provisioning state | 'Accepted', 'Canceled', 'Failed', 'InProgress', 'Succeeded' |
| rawContent | The raw content that represents the watchlist items to create. For a csv/tsv content type, it is the content of the file that will be parsed by the endpoint | string |
| source | The filename of the watchlist, called 'source' | string |
| sourceType | The sourceType of the watchlist | 'Local file', 'Remote storage' |
| tenantId | The tenantId the watchlist belongs to | string |
| updated | The last time the watchlist was updated | string |
| updatedBy | Describes a user that updated the watchlist | UserInfo |
| uploadStatus | The status of the watchlist upload: New, InProgress or Complete. Note: when a watchlist's upload status is InProgress, the watchlist cannot be deleted | string |
| watchlistAlias | The alias of the watchlist | string |
| watchlistId | The id (a Guid) of the watchlist | string |
| watchlistType | The type of the watchlist | string |