I want to create a watchlist in my Sentinel workspace.
I'm getting the following error:
What is the correct way to use this module to create a watchlist?
Pretend I have this object below and I want to turn it into a watchlist:
{
  "value": [
    {
      "ip": "185.241.208.232"
    },
    {
      "ip": "194.26.192.64"
    },
    {
      "ip": "171.25.193.25"
    },
    {
      "ip": "80.67.167.81"
    }
  ]
}
I am able to create a watchlist using the below workflow
{
  "description": "A watchlist containing IP addresses",
  "displayName": "MyIPWatchlist",
  "itemsSearchKey": "ip",
  "rawContent": "@{body('Create_CSV_table')}"
}
Code -
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
      "Create_CSV_table": {
        "inputs": {
          "format": "CSV",
          "from": "@variables('IpAddresses')"
        },
        "runAfter": {
          "Initialize_variable": [
            "Succeeded"
          ]
        },
        "type": "Table"
      },
      "Initialize_variable": {
        "inputs": {
          "variables": [
            {
              "name": "IpAddresses",
              "type": "array",
              "value": [
                {
                  "ip": "185.241.208.232"
                },
                {
                  "ip": "194.26.192.64"
                },
                {
                  "ip": "171.25.193.25"
                },
                {
                  "ip": "80.67.167.81"
                }
              ]
            }
          ]
        },
        "runAfter": {},
        "type": "InitializeVariable"
      },
      "Watchlists_-_Create_a_new_Watchlist_with_data_(Raw_Content)": {
        "inputs": {
          "body": {
            "description": "A watchlist containing IP addresses",
            "displayName": "MyIPWatchlist",
            "itemsSearchKey": "ip",
            "rawContent": "@{body('Create_CSV_table')}"
          },
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "method": "put",
          "path": "/Watchlists/subscriptions/@{encodeURIComponent('b83c1*******23f')}/resourceGroups/@{encodeURIComponent('*******')}/workspaces/@{encodeURIComponent('0497f*******cef')}/watchlists/@{encodeURIComponent('afreen-watchlist')}"
        },
        "runAfter": {
          "Create_CSV_table": [
            "Succeeded"
          ]
        },
        "type": "ApiConnection"
      }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "parameters": {
      "$connections": {
        "defaultValue": {},
        "type": "Object"
      }
    },
    "triggers": {
      "manual": {
        "inputs": {},
        "kind": "Http",
        "type": "Request"
      }
    }
  },
  "parameters": {
    "$connections": {
      "value": {
        "azuresentinel": {
          "connectionId": "/subscriptions/b8***********3f/resourceGroups/*******/providers/Microsoft.Web/connections/azuresentinel",
          "connectionName": "azuresentinel",
          "id": "/subscriptions/b8**********3f/providers/Microsoft.Web/locations/eastus/managedApis/azuresentinel"
        }
      }
    }
  }
}
Output-
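Added example, not part of the original answer and not the connector's own code: a Python sketch of the data the workflow above hands to the watchlist action, built from the object in the question. It assumes the Create CSV table step emits a header row taken from the property name followed by one row per item with CRLF line endings; the function name `build_watchlist_body` is hypothetical, and the body fields are the four shown in the answer. It also validates and de-duplicates the addresses before they reach the watchlist.

```python
import csv
import io
import ipaddress
import json

# Constructed sample input: the object from the question.
SAMPLE = json.loads("""
{"value": [{"ip": "185.241.208.232"}, {"ip": "194.26.192.64"},
           {"ip": "171.25.193.25"}, {"ip": "80.67.167.81"}]}
""")


def build_watchlist_body(obj, search_key="ip",
                         display_name="MyIPWatchlist",
                         description="A watchlist containing IP addresses"):
    """Return the body fields the answer's watchlist action sends (hypothetical helper)."""
    rows, seen = [], set()
    for item in obj["value"]:
        # Raises ValueError on anything that is not a valid IPv4/IPv6 address,
        # so malformed indicators never land in the watchlist.
        addr = str(ipaddress.ip_address(item[search_key].strip()))
        if addr not in seen:              # drop duplicates, keep input order
            seen.add(addr)
            rows.append({search_key: addr})
    if not rows:
        raise ValueError("no rows to upload")

    # Assumption: header row plus one row per item, CRLF-terminated.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[search_key], lineterminator="\r\n")
    writer.writeheader()                  # itemsSearchKey must name this column
    writer.writerows(rows)

    return {
        "description": description,
        "displayName": display_name,
        "itemsSearchKey": search_key,
        "rawContent": buf.getvalue(),
    }


if __name__ == "__main__":
    print(json.dumps(build_watchlist_body(SAMPLE), indent=2))
```

The point to check in a failing run is that `itemsSearchKey` matches a column header in `rawContent` exactly; here both are `ip`.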