Customers have continually requested the ability to update Microsoft Sentinel Watchlists en masse instead of manually adding a handful of new items at a time.
I know that there are many Microsoft Sentinel customers that are reluctant – or even prohibited by policy – to use preview features in production. Those customers can now take advantage of full Watchlists updating because today, the bulk update capability for Watchlists is now generally available.
The bulk update uses the exact same wizard-type method to update existing Watchlists, so you don’t have to learn anything new. This enables customers to maintain an external .csv file and then periodically re-import the file and only the new records will be imported.
Full docs on Bulk Updating Watchlists: https://cda.ms/3S3
Understandably, this is still a manual process, but the bulk updating is better than single record updating. Many customers have also requested that even this process be automated further so that if the source changes, the Watchlist is update automatically. But, with this feature in place, that capability is much closer to fruition. And, quite possibly, a Playbook could be used to provide that functionality now. If you’re keen to pioneer this, let me know.
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Learn KQL with the Must Learn KQL series and book]
