Microsoft.SecurityInsights watchlists
- Latest
- 2025-01-01-preview
- 2024-10-01-preview
- 2024-09-01
- 2024-04-01-preview
- 2024-03-01
- 2024-01-01-preview
- 2023-12-01-preview
- 2023-11-01
- 2023-10-01-preview
- 2023-09-01-preview
- 2023-08-01-preview
- 2023-07-01-preview
- 2023-06-01-preview
- 2023-05-01-preview
- 2023-04-01-preview
- 2023-03-01-preview
- 2023-02-01
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-11-01
- 2022-11-01-preview
- 2022-10-01-preview
- 2022-09-01-preview
- 2022-08-01
- 2022-08-01-preview
- 2022-07-01-preview
- 2022-06-01-preview
- 2022-05-01-preview
- 2022-04-01-preview
- 2022-01-01-preview
- 2021-10-01
- 2021-10-01-preview
- 2021-09-01-preview
- 2021-04-01
- 2021-03-01-preview
- 2019-01-01-preview
Bicep resource definition
The watchlists resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/watchlists resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/watchlists@2025-01-01-preview' = {
scope: resourceSymbolicName or scope
etag: 'string'
name: 'string'
properties: {
contentType: 'string'
created: 'string'
createdBy: {
objectId: 'string'
}
defaultDuration: 'string'
description: 'string'
displayName: 'string'
isDeleted: bool
itemsSearchKey: 'string'
labels: [
'string'
]
numberOfLinesToSkip: int
provider: 'string'
provisioningState: 'string'
rawContent: 'string'
source: 'string'
sourceType: 'string'
tenantId: 'string'
updated: 'string'
updatedBy: {
objectId: 'string'
}
uploadStatus: 'string'
watchlistAlias: 'string'
watchlistId: 'string'
watchlistType: 'string'
}
}
Property values
Microsoft.SecurityInsights/watchlists
Name | Description | Value |
---|---|---|
etag | Etag of the azure resource | string |
name | The resource name | string (required) |
properties | Watchlist properties | WatchlistProperties |
scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
UserInfo
Name | Description | Value |
---|---|---|
objectId | The object id of the user. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
WatchlistProperties
Name | Description | Value |
---|---|---|
contentType | The content type of the raw content. Example : text/csv or text/tsv | string |
created | The time the watchlist was created | string |
createdBy | Describes a user that created the watchlist | UserInfo |
defaultDuration | The default duration of a watchlist (in ISO 8601 duration format) | string |
description | A description of the watchlist | string |
displayName | The display name of the watchlist | string (required) |
isDeleted | A flag that indicates if the watchlist is deleted or not | bool |
itemsSearchKey | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | string (required) |
labels | List of labels relevant to this watchlist | string[] |
numberOfLinesToSkip | The number of lines in a csv/tsv content to skip before the header | int |
provider | The provider of the watchlist | string (required) |
provisioningState | The triggered analytics rule run provisioning state | 'Accepted' 'Canceled' 'Failed' 'InProgress' 'Succeeded' |
rawContent | The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint | string |
source | The filename of the watchlist, called 'source' | string |
sourceType | The sourceType of the watchlist | 'Local file' 'Remote storage' |
tenantId | The tenantId where the watchlist belongs to | string |
updated | The last time the watchlist was updated | string |
updatedBy | Describes a user that updated the watchlist | UserInfo |
uploadStatus | The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted | string |
watchlistAlias | The alias of the watchlist | string |
watchlistId | The id (a Guid) of the watchlist | string |
watchlistType | The type of the watchlist | string |
ARM template resource definition
The watchlists resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/watchlists resource, add the following JSON to your template.
{
"type": "Microsoft.SecurityInsights/watchlists",
"apiVersion": "2025-01-01-preview",
"name": "string",
"etag": "string",
"properties": {
"contentType": "string",
"created": "string",
"createdBy": {
"objectId": "string"
},
"defaultDuration": "string",
"description": "string",
"displayName": "string",
"isDeleted": "bool",
"itemsSearchKey": "string",
"labels": [ "string" ],
"numberOfLinesToSkip": "int",
"provider": "string",
"provisioningState": "string",
"rawContent": "string",
"source": "string",
"sourceType": "string",
"tenantId": "string",
"updated": "string",
"updatedBy": {
"objectId": "string"
},
"uploadStatus": "string",
"watchlistAlias": "string",
"watchlistId": "string",
"watchlistType": "string"
}
}
Property values
Microsoft.SecurityInsights/watchlists
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2025-01-01-preview' |
etag | Etag of the azure resource | string |
name | The resource name | string (required) |
properties | Watchlist properties | WatchlistProperties |
type | The resource type | 'Microsoft.SecurityInsights/watchlists' |
UserInfo
Name | Description | Value |
---|---|---|
objectId | The object id of the user. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
WatchlistProperties
Name | Description | Value |
---|---|---|
contentType | The content type of the raw content. Example : text/csv or text/tsv | string |
created | The time the watchlist was created | string |
createdBy | Describes a user that created the watchlist | UserInfo |
defaultDuration | The default duration of a watchlist (in ISO 8601 duration format) | string |
description | A description of the watchlist | string |
displayName | The display name of the watchlist | string (required) |
isDeleted | A flag that indicates if the watchlist is deleted or not | bool |
itemsSearchKey | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | string (required) |
labels | List of labels relevant to this watchlist | string[] |
numberOfLinesToSkip | The number of lines in a csv/tsv content to skip before the header | int |
provider | The provider of the watchlist | string (required) |
provisioningState | The triggered analytics rule run provisioning state | 'Accepted' 'Canceled' 'Failed' 'InProgress' 'Succeeded' |
rawContent | The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint | string |
source | The filename of the watchlist, called 'source' | string |
sourceType | The sourceType of the watchlist | 'Local file' 'Remote storage' |
tenantId | The tenantId where the watchlist belongs to | string |
updated | The last time the watchlist was updated | string |
updatedBy | Describes a user that updated the watchlist | UserInfo |
uploadStatus | The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted | string |
watchlistAlias | The alias of the watchlist | string |
watchlistId | The id (a Guid) of the watchlist | string |
watchlistType | The type of the watchlist | string |
Terraform (AzAPI provider) resource definition
The watchlists resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/watchlists resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.SecurityInsights/watchlists@2025-01-01-preview"
name = "string"
parent_id = "string"
etag = "string"
body = jsonencode({
properties = {
contentType = "string"
created = "string"
createdBy = {
objectId = "string"
}
defaultDuration = "string"
description = "string"
displayName = "string"
isDeleted = bool
itemsSearchKey = "string"
labels = [
"string"
]
numberOfLinesToSkip = int
provider = "string"
provisioningState = "string"
rawContent = "string"
source = "string"
sourceType = "string"
tenantId = "string"
updated = "string"
updatedBy = {
objectId = "string"
}
uploadStatus = "string"
watchlistAlias = "string"
watchlistId = "string"
watchlistType = "string"
}
})
}
Property values
Microsoft.SecurityInsights/watchlists
Name | Description | Value |
---|---|---|
etag | Etag of the azure resource | string |
name | The resource name | string (required) |
parent_id | The ID of the resource to apply this extension resource to. | string (required) |
properties | Watchlist properties | WatchlistProperties |
type | The resource type | "Microsoft.SecurityInsights/watchlists@2025-01-01-preview" |
UserInfo
Name | Description | Value |
---|---|---|
objectId | The object id of the user. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
WatchlistProperties
Name | Description | Value |
---|---|---|
contentType | The content type of the raw content. Example : text/csv or text/tsv | string |
created | The time the watchlist was created | string |
createdBy | Describes a user that created the watchlist | UserInfo |
defaultDuration | The default duration of a watchlist (in ISO 8601 duration format) | string |
description | A description of the watchlist | string |
displayName | The display name of the watchlist | string (required) |
isDeleted | A flag that indicates if the watchlist is deleted or not | bool |
itemsSearchKey | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | string (required) |
labels | List of labels relevant to this watchlist | string[] |
numberOfLinesToSkip | The number of lines in a csv/tsv content to skip before the header | int |
provider | The provider of the watchlist | string (required) |
provisioningState | The triggered analytics rule run provisioning state | 'Accepted' 'Canceled' 'Failed' 'InProgress' 'Succeeded' |
rawContent | The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint | string |
source | The filename of the watchlist, called 'source' | string |
sourceType | The sourceType of the watchlist | 'Local file' 'Remote storage' |
tenantId | The tenantId where the watchlist belongs to | string |
updated | The last time the watchlist was updated | string |
updatedBy | Describes a user that updated the watchlist | UserInfo |
uploadStatus | The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted | string |
watchlistAlias | The alias of the watchlist | string |
watchlistId | The id (a Guid) of the watchlist | string |
watchlistType | The type of the watchlist | string |