Reusing Microsoft Sentinel Watchlists Across Tenants

Here’s a common question (just received it again today, in fact).

Q: Is it possible to do cross-tenant retrieval of watchlists?

A: Retrieving Watchlist content through the API isn’t available yet, and Repositories doesn’t support Watchlists. So here are a couple of things you could do:

[1] Query the Watchlist and export the results to a .csv. Then import the Watchlist into the other tenant…

Export Watchlist


[2] Maintain a single .csv somewhere externally (blob or local storage) that gets updated in some fashion and is then imported directly into each tenant (possibly continuously through automation) using Bulk update via the API. API:
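One way to script option [2], as an added example that is not from the original post: validate the master .csv once, then build one watchlist create-or-update request per workspace so every tenant receives identical content. The API version, the watchlist alias, the workspace identifiers and the tokens are assumptions or constructed placeholders; the per-tenant bearer tokens are obtained separately.

```python
import csv, hashlib, io, json
from urllib.request import Request

API_VERSION = "2023-02-01"  # assumption: substitute the version you target
ARM = "https://management.azure.com"

def validate_csv(raw_csv, search_key):
    """Refuse a master list that would import badly; return the row count."""
    rows = list(csv.DictReader(io.StringIO(raw_csv)))
    if not rows or search_key not in rows[0]:
        raise ValueError(f"empty file or missing column {search_key!r}")
    keys = [(r[search_key] or "").strip() for r in rows]
    if "" in keys or len(set(keys)) != len(keys):
        raise ValueError("blank or duplicate search-key value")
    return len(rows)

def build_put(ws, alias, raw_csv, search_key, token):
    """Build (not send) the watchlist create-or-update request for one workspace."""
    url = (f"{ARM}/subscriptions/{ws['subscription']}"
           f"/resourceGroups/{ws['resource_group']}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{ws['workspace']}"
           f"/providers/Microsoft.SecurityInsights/watchlists/{alias}"
           f"?api-version={API_VERSION}")
    props = {"displayName": alias, "provider": "Microsoft", "source": "Local file",
             "itemsSearchKey": search_key, "contentType": "text/csv",
             "numberOfLinesToSkip": 0, "rawContent": raw_csv}
    return Request(url, data=json.dumps({"properties": props}).encode(), method="PUT",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"})

def plan_sync(workspaces, alias, raw_csv, search_key, tokens):
    """Validate once, then return (sha256 of the CSV, one request per workspace)."""
    validate_csv(raw_csv, search_key)
    digest = hashlib.sha256(raw_csv.encode()).hexdigest()
    reqs = [build_put(ws, alias, raw_csv, search_key, tokens[ws["tenant"]])
            for ws in workspaces]
    return digest, reqs

# Constructed sample data: placeholder IDs, not real tenants or indicators.
SAMPLE_CSV = "IPAddress,Owner\n192.0.2.10,soc\n198.51.100.7,netops\n"
WORKSPACES = [
    {"tenant": "tenant-a", "subscription": "sub-a", "resource_group": "rg-a", "workspace": "ws-a"},
    {"tenant": "tenant-b", "subscription": "sub-b", "resource_group": "rg-b", "workspace": "ws-b"},
]
if __name__ == "__main__":
    digest, reqs = plan_sync(WORKSPACES, "SharedIPs", SAMPLE_CSV, "IPAddress",
                             {"tenant-a": "<token-a>", "tenant-b": "<token-b>"})
    for r in reqs:  # send each with urllib.request.urlopen(r) once real tokens are in place
        print(r.get_method(), r.full_url, digest[:12])
```

Logging the digest alongside each push gives a simple record of which version of the list each tenant last received.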

Have any other solutions for this? Let me know: @rodtrent

