Watchlist File Upload: Supported File Types

Supported File Types for Watchlist Uploads

Question

What type of files can you upload to a Watchlist?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer: A.

Home > Azure Sentinel >

Watchlist wizard ~ x

General Source Review and Create

Results Preview | First 50 rows and first 5 columns of country_codes.csv
Select a type for the dataset

‘CountryName code
CSV file with a header (sv)
Afghanistan AF
Number of lines before row with headings
Albania AL
0
Algeria oz
Upload file
‘American Samoa AS
© country codes.csv
Andorra AD
Angola 40
Anguilla Al
Antarctica AQ
Drag and drop the files or Browse for files ‘Antigua and Barbuda AG
Argentina AR
SearchKey field *
Code Vv Armenia AM

The Searchkey is used to optimize query performance when using watchlists for joins
with other data. For example, enable a column with IP addresses to be the designated
SearchKey field, then use this field to join in other event tables by IP address, Learn
more and get examples about Searchkey

Next: Review and Creat

Reference:

In Microsoft Defender for Endpoint, a Watchlist is a collection of indicators that you can monitor for signs of malicious activity. You can upload a list of indicators to a Watchlist so that Defender for Endpoint can continuously monitor those indicators for any signs of compromise.

When it comes to the types of files you can upload to a Watchlist, there are certain requirements and limitations.

According to Microsoft documentation, you can upload a CSV file with a header to a Watchlist. The CSV file should have two columns: one for the indicator type (e.g., IP address, domain name, file hash) and one for the indicator value. The header row should include the column names "IndicatorType" and "IndicatorValue".

For example, if you wanted to create a Watchlist for known malicious IP addresses, your CSV file might look like this:

IndicatorType,IndicatorValue IP address,192.168.0.1 IP address,10.0.0.2 IP address,172.16.0.5

In addition to CSV files with a header, you can also upload .txt files to a Watchlist. However, these files must be formatted in a specific way. Each indicator should be on a separate line, and there should be no header row.

For example, if you wanted to create a Watchlist for known malicious domains, your .txt file might look like this:

malware.com evilcorp.net badware.org

As for the other options listed in the answer choices:

  • JSON is not a valid format for Watchlist files in Defender for Endpoint.
  • While there may be other file formats that can be used to store Watchlist data, the Microsoft documentation specifically mentions CSV with a header and .txt files as the supported file types. Therefore, we cannot say for certain that all file formats are accepted.

In conclusion, the correct answer to this question is A. You can upload CSV files with a header and .txt files to a Watchlist in Defender for Endpoint.