Microsoft.OperationalInsights (preview:2022-12-01)

2025/03/11 • 3 updated methods

Watchlists_List (updated)
Description Gets all watchlists, without watchlist items.
Reference Link ¶

⚶ Changes

{
  "#id": "Watchlists_List",
  "$responses": {
    "200": {
      "$properties": {
        "value": {
          "$properties": {
            "properties": [
              {
                "#name": "sourceType",
                "Enum": {
                  "new": [
                    [
                      "Local",
                      ""
                    ],
                    [
                      "AzureStorage",
                      ""
                    ]
                  ],
                  "old": [
                    [
                      "Local file",
                      ""
                    ],
                    [
                      "Remote storage",
                      ""
                    ]
                  ]
                }
              }
            ]
          }
        }
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
$skipToken:
{
Description: Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. ,
Required: False ,
}
string ,
}

⚐ Response (200)

{
nextLink:
{
Description: URL to fetch the next set of watchlists. ,
Required: False ,
}
string ,
value:
{
Description: Array of watchlist. ,
Required: True ,
}
[
{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: No description available. ,
AzureStorage: No description available. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
}
,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Watchlists_Get (updated)
Description Gets a watchlist, without its watchlist items.
Reference Link ¶

⚶ Changes

{
  "#id": "Watchlists_Get",
  "$responses": {
    "200": {
      "$properties": {
        "properties": [
          {
            "#name": "sourceType",
            "Enum": {
              "new": [
                [
                  "Local",
                  ""
                ],
                [
                  "AzureStorage",
                  ""
                ]
              ],
              "old": [
                [
                  "Local file",
                  ""
                ],
                [
                  "Remote storage",
                  ""
                ]
              ]
            }
          }
        ]
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: Watchlist Alias ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: No description available. ,
AzureStorage: No description available. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Watchlists_CreateOrUpdate (updated)
Description Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with either rawContent or a valid SAR URI and contentType properties. The rawContent is mainly used for small watchlist (content size below 3.8 MB). The SAS URI enables the creation of large watchlist, where the content size can go up to 500 MB. The status of processing such large file can be polled through the URL returned in Azure-AsyncOperation header.
Reference Link ¶

⚶ Changes

{
  "#id": "Watchlists_CreateOrUpdate",
  "$parameters": {
    "watchlist": {
      "$properties": {
        "properties": [
          {
            "#name": "sourceType",
            "Enum": {
              "new": [
                [
                  "Local",
                  ""
                ],
                [
                  "AzureStorage",
                  ""
                ]
              ],
              "old": [
                [
                  "Local file",
                  ""
                ],
                [
                  "Remote storage",
                  ""
                ]
              ]
            }
          }
        ]
      }
    }
  },
  "$responses": {
    "200": {
      "$properties": {
        "properties": [
          {
            "#name": "sourceType",
            "Enum": {
              "new": [
                [
                  "Local",
                  ""
                ],
                [
                  "AzureStorage",
                  ""
                ]
              ],
              "old": [
                [
                  "Local file",
                  ""
                ],
                [
                  "Remote storage",
                  ""
                ]
              ]
            }
          }
        ]
      }
    },
    "201": {
      "$properties": {
        "properties": [
          {
            "#name": "sourceType",
            "Enum": {
              "new": [
                [
                  "Local",
                  ""
                ],
                [
                  "AzureStorage",
                  ""
                ]
              ],
              "old": [
                [
                  "Local file",
                  ""
                ],
                [
                  "Remote storage",
                  ""
                ]
              ]
            }
          }
        ]
      }
    }
  }
}

⚼ Request

PUT:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: Watchlist Alias ,
Required: True ,
}
string ,
watchlist:
{
Description: The watchlist ,
Required: True ,
}
{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: No description available. ,
AzureStorage: No description available. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
}
,
}
,
}

⚐ Response (200)

{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: No description available. ,
AzureStorage: No description available. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
}
,
}

⚐ Response (201)

{
$headers:
{
azure-asyncoperation:
{
Description: Contains the status URL on which clients are expected to poll the status of the operation. ,
}
string ,
}
,
$schema:
{
Description: Represents a Watchlist in Azure Security Insights. ,
}
{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: No description available. ,
AzureStorage: No description available. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
}
,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}