Watchlist
In Sentinel, you generally interact with data by ingesting logs through data connectors, but you can also access data stored in Watchlists. Watchlists can be useful when performing investigations, looking up items from an analytic rule or workbook, and various other tasks in Sentinel.
You can access Watchlists from KQL by calling _GetWatchlist('watchlistName') in your query; an example is provided below.
```kusto
// Collect the watchlist's IP ranges into a dynamic array so they can be passed to a scalar function
let privateRelayIps = toscalar(_GetWatchlist('privateRelayIps') | summarize make_list(IPRange));
SigninLogs
| where ipv4_is_in_any_range(IPAddress, privateRelayIps)
```
Since Watchlists are accessible from KQL, you can use them wherever you write queries: in the query editor, in analytic rules, and also directly from a Logic App without writing any KQL.
An interesting aspect of Watchlists is that they cost money, billed at your ingestion price. They are not free, but at the size limits of a Watchlist they are relatively cheap. What often goes unnoticed, however, is that the data in a Watchlist is refreshed every 12 days, so you pay a recurring ingestion charge every 12 days. The reason for this is that analytic rules can only query data up to 14 days old; refreshing the Watchlist keeps it continuously referenceable from analytic rules.
There is a great article by another security expert here that explores the various options and their cost implications. Generally speaking, I think you are fine with Watchlists, but I have put some theoretical calculations for the cost of a Watchlist below. The prices are from February 11th, 2025 for the West US 2 region.
| File type | Size | Ingestion price (per GB) | Initial cost | Cost after 90 days | Cost after 365 days |
|---|---|---|---|---|---|
| Local file | 1 MB | $4.30 | $0.004 | $0.036 | $0.13 |
| Local file | 3.8 MB | $4.30 | $0.016 | $0.14 | $0.50 |
| Azure storage file | 10 MB | $4.30 | $0.042 | $0.36 | $1.32 |
| Azure storage file | 500 MB | $4.30 | $2.10 | $17.85 | $65.96 |
As the table shows, depending on Watchlist size the price adds up slowly over time.
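To make the table reproducible with your own sizes and regional prices, here is an added cost model (example code written for this page, not from Sentinel or the original author). It assumes, as the table's figures imply, that the ingestion price is per GB, that 1 GB is 1024 MB, and that the running cost is the initial ingestion plus one further ingestion per 12-day refresh, counted pro rata.

```python
from dataclasses import dataclass

MB_PER_GB = 1024                # binary megabytes, matching the table's figures
REFRESH_INTERVAL_DAYS = 12      # Sentinel re-ingests watchlist data every 12 days
PRICE_PER_GB_WEST_US_2 = 4.30   # pay-as-you-go ingestion price quoted above


@dataclass(frozen=True)
class WatchlistCost:
    """Recurring ingestion cost of a single watchlist.

    Assumption (inferred from the table, not documented by Sentinel): cost
    after N days = initial ingestion * (1 + N / 12), i.e. refreshes are
    counted pro rata rather than as whole 12-day periods.
    """
    size_mb: float
    price_per_gb: float = PRICE_PER_GB_WEST_US_2

    def initial_cost(self) -> float:
        return self.size_mb / MB_PER_GB * self.price_per_gb

    def refresh_count(self, days: int) -> float:
        # pro-rata number of 12-day refreshes falling within the horizon
        return days / REFRESH_INTERVAL_DAYS

    def cost_after(self, days: int) -> float:
        return self.initial_cost() * (1 + self.refresh_count(days))


def estimate_table(sizes_mb, horizons=(90, 365), price_per_gb=PRICE_PER_GB_WEST_US_2):
    """Return {size_mb: {"initial": $, 90: $, 365: $}} for each size, unrounded."""
    rows = {}
    for size in sizes_mb:
        wl = WatchlistCost(size, price_per_gb)
        rows[size] = {"initial": wl.initial_cost(),
                      **{d: wl.cost_after(d) for d in horizons}}
    return rows


if __name__ == "__main__":
    # Watchlist sizes taken from the table above
    for size, cost in estimate_table([1, 3.8, 10, 500]).items():
        print(f"{size:>6} MB  initial ${cost['initial']:.3f}  "
              f"90d ${cost[90]:.2f}  365d ${cost[365]:.2f}")
```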