Microsoft Sentinel Watchlists
List Watchlists
You can get details of the Watchlists in your workspace with ‘list_watchlists’.
See list_watchlists
sentinel.list_watchlists()
Create Watchlists
New watchlists can be created with create_watchlist. A number of things are needed when creating a new watchlist. -watchlist_name: The name of the Watchlist you want to create. -description: A description of the Watchlist to be created. -search_key: The search key is used to optimize query performance when using watchlists for joins with other data. This should be the key column that will be used in the Watchlist when joining to other data tables. -provider: This is the label attached to the Watchlist showing who created it, by default “MSTICPy” -source: The source of the data to be put in the watchlist, by default “Notebook” -data: A dataframe with the data you want to upload to the watchlist. This must include a column with the same name as the search_key specified.
An error will be raised if the Watchlist name already exists.
sentinel.create_watchlist(watchlist_name="Custom Watchlist",
description="A Watchlist created from a notebook",
search_key="IPAddress",
data = df,
)
Items in a Watchlist
You can get the items in a Watchlist with list_watchlist_items. Call this and pass it the name of the watchlist to get items from.
See list_watchlist_items
sentinel.list_watchlist_items(watchlist_name="Custom Watchlist")
Each row in the returned DataFrame will represent an item in the Watchlist, and will include details such as who created it and when. Columns containing the data items from the Watchlist are prefixed with ‘properties.itemsKeyValue.’.
You can also add items to a Watchlist with add_watchlist_item by passing in a Watchlist name and the items to add. The items to add can be in the form of a Pandas Series, DataFrame or as a dictionary of items.
See add_watchlist_item
sentinel.add_watchlist_item(watchlist_name="Custom Watchlist",
item={"IPAddress": "13.107.6.152", "Location": "USA"}
)
An error will be raised if the item you are trying to add already exists in the Watchlist.
Delete Watchlists
Existing Watchlists can be deleted with delete_watchlist by passing it the Watchlist name to be deleted.
See delete_watchlist
sentinel.delete_watchlist(watchlist_name="Custom Watchlist")