# Sentinel - Watchlist

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Stable](https://img.shields.io/badge/status-stable-brightgreen.svg)

## Query Information

### Description

This query provides a Microsoft Sentinel Watchlist inventory. For each watchlist it reports the watchlist name and alias, the creation and last-updated timestamps, who created and last updated it, and the number of entries in the watchlist.

#### References

### Author

- **Alex Verboon**

## Sentinel

```kql
// Inventory of all watchlists seen in the Watchlist table over the last 720 days.
Watchlist
| where TimeGenerated > ago(720d)
| summarize
    ListCount          = dcount(WatchlistItemId) - 1,
    WatchlistId        = any(WatchlistId),
    any_CreatedTimeUTC = any(CreatedTimeUTC),
    any_UpdatedTimeUTC = any(LastUpdatedTimeUTC),
    any_CreatedBy      = any(CreatedBy),
    any_UpdatedBy      = any(UpdatedBy),
    any_WatchListAlias = any(WatchlistAlias),
    any_WatchlistName  = any(WatchlistName)
  by WatchlistAlias
| extend
    WatchListAlias     = any_WatchListAlias,
    WatchlistName      = any_WatchlistName,
    CreatedTimeUTC     = any_CreatedTimeUTC,
    LastUpdatedTimeUTC = any_UpdatedTimeUTC,
    // CreatedBy / UpdatedBy are dynamic objects; pull out the display name and object ID
    Created_name       = tostring(any_CreatedBy.name),
    Created_objectId   = tostring(any_CreatedBy.objectId),
    Updated_name       = tostring(any_UpdatedBy.name),
    Updated_objectId   = tostring(any_UpdatedBy.objectId)
| project
    WatchlistId,
    WatchListAlias,
    WatchlistName,
    CreatedTimeUTC,
    LastUpdatedTimeUTC,
    ListCount,
    Created_name,
    Created_objectId,
    Updated_name,
    Updated_objectId
| order by WatchListAlias asc
```

## Explanation

This KQL query provides an inventory of watchlists in Microsoft Sentinel. A simplified breakdown of what the query does:

1. **Data source:** It starts from the `Watchlist` table, which holds one row per watchlist item.
2. **Time filter:** It keeps only rows generated in the last 720 days.
3. **Aggregation:** It summarizes the data by `WatchlistAlias`, calculating:
   - `ListCount`: the number of unique item IDs in each watchlist, minus one.
   - `WatchlistId`: the identifier of the watchlist.
   - `CreatedTimeUTC` and `LastUpdatedTimeUTC`: when the watchlist was created and last updated.
   - `CreatedBy` and `UpdatedBy`: who created and last updated the watchlist.
   - `WatchlistAlias` and `WatchlistName`: the alias and name of the watchlist.
4. **Data transformation:** It extends the summarized rows to extract and format specific fields, such as the display names and object IDs of the creators and updaters.
5. **Projection:** It selects the columns for the final output: watchlist ID, alias, name, creation and update times, item count, and creator/updater details.
6. **Sorting:** Finally, it orders the results alphabetically by `WatchListAlias`.

In summary, the query gives a detailed overview of the watchlists in Sentinel, including metadata about their creation and updates, organized for easy review.
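One caveat for anyone turning this inventory into a hygiene check: `any()` returns an arbitrary row per group, so over a 720-day window `LastUpdatedTimeUTC` is not guaranteed to be the newest value. The variant below, added here as an example and not part of the original query, uses `arg_max()` to take the most recent update per watchlist and then flags lists that have not been touched within an assumed 90-day threshold (the `StaleAfter` value and the `DaysSinceUpdate` column name are this example's own choices; all table columns are the ones used above).

```kql
// Added example: stale-watchlist check built on the inventory query above.
// arg_max() picks the row with the newest LastUpdatedTimeUTC per watchlist,
// so the reported update time and updater are the latest ones, not an
// arbitrary row as with any().
let StaleAfter = 90d;   // assumed threshold, tune per environment
Watchlist
| where TimeGenerated > ago(720d)
| summarize
    ListCount = dcount(WatchlistItemId) - 1,   // same item count as the inventory query
    arg_max(LastUpdatedTimeUTC, WatchlistId, WatchlistName, UpdatedBy)
  by WatchlistAlias
| extend
    Updated_name     = tostring(UpdatedBy.name),
    Updated_objectId = tostring(UpdatedBy.objectId),
    DaysSinceUpdate  = datetime_diff('day', now(), LastUpdatedTimeUTC)
| where LastUpdatedTimeUTC < ago(StaleAfter)
| project
    WatchlistAlias,
    WatchlistName,
    WatchlistId,
    ListCount,
    LastUpdatedTimeUTC,
    DaysSinceUpdate,
    Updated_name,
    Updated_objectId
| order by DaysSinceUpdate desc
```

Watchlists that feed detection rules (allow-lists, VIP users, known-bad indicators) are the ones worth reviewing first when they show up here, since a stale list silently weakens the analytics that depend on it.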

## Details

Alex Verboon

Released: April 20, 2026

### Tables

Watchlist

### Keywords

Watchlist, TimeGenerated, WatchlistItemId, WatchlistId, CreatedTimeUTC, LastUpdatedTimeUTC, CreatedBy, UpdatedBy, WatchlistAlias, WatchlistName, CreatedName, CreatedObjectId, UpdatedName, UpdatedObjectId

### Operators

Watchlist, where, ago, summarize, dcount, any, by, extend, tostring, project, order by