| Column | Description | Type |
| --- | --- | --- |
| _BilledSize | | Double |
| _DTItemId | The Watchlist or Watchlist item unique ID. As an example, a Watchlist ‘RiskyUsers’ can contain Watchlist item ‘Name:John Doe; email:johndoe@contoso.com’. A Watchlist item has a unique ID and belongs to a Watchlist. The containing Watchlist can be identified using the ‘WatchlistId’. | String |
| _DTItemStatus | Whether the Watchlist or Watchlist item was created, updated or deleted by the user. As an example, a Watchlist ‘RiskyUsers’ can contain Watchlist item ‘Name:John Doe; email:johndoe@contoso.com’. If a Watchlist is added, the status would be ‘Created’. If the name of the Watchlist is updated from ‘RiskyUsers’ to ‘RiskyEmployees’, the status would be ‘Updated’. | String |
| _DTItemType | Distinguishes between a Watchlist and a Watchlist item. As an example, a Watchlist ‘RiskyUsers’ can contain Watchlist item ‘Name:John Doe; email:johndoe@contoso.com’. A Watchlist item type will belong to a Watchlist type, and the containing Watchlist can be identified using the ‘WatchlistId’. | String |
| _DTTimestamp | The time (UTC) when the event was generated. | DateTime |
| _IsBillable | | String |
| AzureTenantId | The AAD tenant ID to which this Watchlist table belongs. | String |
| CorrelationId | The ID for correlated events. | String |
| CreatedBy | The JSON object with the user who created the Watchlist or Watchlist item, including: Object ID, email and name. | Object |
| CreatedTimeUTC | The time (UTC) when the Watchlist or Watchlist item was first created. | DateTime |
| DefaultDuration | The JSON object describing the default duration to live that each item of a Watchlist should inherit on creation. The default duration has this format: P(n)Y(n)M(n)DT(n)H(n)M(n)S, where P, Y, M, DT, H, M and S are invariant. For example, P3Y6M4DT12H30M9S represents a duration of three years, six months, four days, twelve hours, thirty minutes, and nine seconds. | String |
| EntityMapping | The JSON object with Azure Sentinel entity mapping to input columns. | Object |
| LastUpdatedTimeUTC | The time (UTC) when the Watchlist or Watchlist item was last updated. | DateTime |
| Notes | The notes provided by the user. | String |
| Provider | The input provider of the Watchlist. | String |
| SearchKey | The SearchKey is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address. | String |
| Source | The input source of the Watchlist. | String |
| SourceSystem | | String |
| Tags | The JSON array of tags provided by the user. | String |
| TenantId | | String |
| TimeGenerated | The timestamp (UTC) of when the event was generated. | DateTime |
| TimeToLive | The time to live for a Watchlist record, expressed as a date and time of day (e.g. 2020-08-20T17:00:00.9618037Z). Its original value is inherited from the Watchlist’s default duration. If TimeToLive passes, the record is considered deleted. A record’s duration can be extended at any time by updating the TimeToLive value. | DateTime |
| Type | The name of the table. | String |
| UpdatedBy | The JSON object with the user who last updated the Watchlist or Watchlist item, including: Object ID, email and name. | Object |
| WatchlistAlias | The unique string referring to the Watchlist. | String |
| WatchlistCategory | The Watchlist category provided by the user. | String |
| WatchlistId | The Resource Manager Watchlist resource name. | String |
| WatchlistItem | The JSON object with key-value pairs from the input Watchlist source. | Object |
| WatchlistItemId | The Watchlist item unique ID. | String |
| WatchlistName | The display name of the Watchlist. | String |
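The DefaultDuration format (P(n)Y(n)M(n)DT(n)H(n)M(n)S) and the way a new item's TimeToLive is derived from CreatedTimeUTC, worked through as an added example; this is illustrative code, not Microsoft's implementation, and the timestamps and durations in it are constructed (it uses second-precision timestamps, so the fractional seconds shown in the table's TimeToLive example are not handled).

```python
"""Parse the Watchlist DefaultDuration format P(n)Y(n)M(n)DT(n)H(n)M(n)S and
derive a record's initial TimeToLive from its CreatedTimeUTC.
Sample values below are constructed for illustration."""
import calendar
import re
from datetime import datetime, timedelta, timezone

# Every designator is optional; "T" separates the date part from the time part,
# which is what tells months (M before T) apart from minutes (M after T).
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

def parse_default_duration(text):
    """Return (years, months, timedelta) for a DefaultDuration string."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):  # syntactically valid but empty
        raise ValueError(f"invalid DefaultDuration: {text!r}")
    g = {k: int(v) if v else 0 for k, v in m.groupdict().items()}
    fixed = timedelta(days=g["d"], hours=g["h"], minutes=g["mi"], seconds=g["s"])
    return g["y"], g["mo"], fixed

def add_duration(start, duration):
    """Add a parsed duration to a datetime. Years and months are calendar
    units (day clamped to the target month's length); the rest is exact."""
    years, months, fixed = duration
    total = start.month - 1 + months + 12 * years
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day) + fixed

def parse_utc(text):
    """Parse a second-precision UTC timestamp such as 2020-08-20T17:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def initial_time_to_live(created_time_utc, default_duration):
    """TimeToLive a new item inherits: CreatedTimeUTC + the Watchlist default."""
    ttl = add_duration(parse_utc(created_time_utc), parse_default_duration(default_duration))
    return ttl.strftime("%Y-%m-%dT%H:%M:%SZ")

def is_expired(time_to_live, now):
    """A record whose TimeToLive has passed is considered deleted."""
    return parse_utc(now) > parse_utc(time_to_live)

if __name__ == "__main__":
    print(initial_time_to_live("2020-08-20T17:00:00Z", "P3Y6M4DT12H30M9S"))  # 2024-02-25T05:30:09Z
    print(is_expired("2024-02-25T05:30:09Z", "2024-03-01T00:00:00Z"))  # True
```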