I recently found myself needing to create some Azure watchlists using Bicep templates.

As there did not seem to be much documentation about this, and given my lacking understanding of child resources in Bicep, this took way longer than it needed to, so I figured I would document it.

Microsoft Bicep Watchlist Reference: Bicep Reference

Quick Comments about the template

A watchlist cannot be empty, so you need to provide some example value. The source property does not seem to do anything, but for whatever reason it needs to be "Remote storage" or "Local file".

Deploy with new Workspace

This caused me some confusion, because in the Azure portal watchlists can only be accessed from the Sentinel workspace. One might therefore think a watchlist is a child resource of the Sentinel workspace. It is not; it is a child resource of the Log Analytics workspace. This requires some advanced-ish Bicep usage, because the watchlist is a child of the Log Analytics workspace but also depends on the Sentinel solution.

Example template for deploying Log Analytics workspace, with Sentinel and a Watchlist.

 
//api docs https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=bicep

// The workspace name can contain only letters, numbers and '-'. The '-' shouldn't be the first or the last symbol.
param workspacename string
param location string = 'norwayeast'
param retentionInDays int = 365

// Log analytics workspace
resource loganalyticsworkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
  name: '${workspacename}LA'
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
  }
} 
// End of Log Analytics workspace

// Sentinel
resource sentinelsolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
  name: 'SecurityInsights(${loganalyticsworkspace.name})'
  location: location
  plan: {
    name: 'SecurityInsights(${loganalyticsworkspace.name})'
    product: 'OMSGallery/SecurityInsights'
    publisher: 'Microsoft'
    promotionCode: ''
  }
  properties: {
    workspaceResourceId: loganalyticsworkspace.id
  }  
}

resource watchlist1 'Microsoft.SecurityInsights/watchlists@2021-04-01' = {
  name: 'list1'
  scope: loganalyticsworkspace
  dependsOn: [
    sentinelsolution
  ]
  properties: {
    contentType: 'text/csv'
    defaultDuration: '30'
    description: 'test1'
    displayName: 'test1'
    isDeleted: false
    itemsSearchKey: 'ExampleSearchKey'
    numberOfLinesToSkip: 0
    provider: 'Whatever'
    rawContent: 'ExampleSearchKey\nExampleValue'
    source: 'Remote storage'
    watchlistAlias: 'TST1'
  }
}

Deploy to existing workspaces

The template is pretty simple; however, the parent value (the scope property here) needs to be a resource data type, not just a string. This is why you need the placeholder declaration of the existing workspace.

param workspacename string

// Placeholder for the workspace that already exists; nothing is deployed for it
resource loganalyticsworkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
  name: workspacename
}

resource watchlist1 'Microsoft.SecurityInsights/watchlists@2021-04-01' = {
  name: 'list2'
  scope: loganalyticsworkspace
  properties: {
    contentType: 'text/csv'
    defaultDuration: '30' 
    description: 'test2'
    displayName: 'test2'
    itemsSearchKey: 'ExampleSearchKey'
    numberOfLinesToSkip: 0
    provider: 'Whatever'
    rawContent: 'ExampleSearchKey\nExampleValue'
    source: 'Local file'
    watchlistAlias: 'TST2'
  }
}
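
Building on the existing-workspace template above, the following is an added example (not part of the original post) that deploys several watchlists from one array parameter and lets the template itself reject an invalid source value. The resource name lists, the parameter names source and watchlists, the provider value and all aliases, descriptions and CSV rows are constructed sample values; the property set mirrors the templates above.

```bicep
// Added example, not from the original post. Aliases and CSV rows are constructed.
param workspacename string

// source is only accepted as one of these two values (see the comments above)
@allowed([
  'Local file'
  'Remote storage'
])
param source string = 'Local file'

// One entry per watchlist. rawContent is a header row plus at least one data
// row, because a watchlist cannot be empty. searchKey names a header column.
param watchlists array = [
  {
    alias: 'VIPUsers'
    description: 'Accounts that get priority triage'
    searchKey: 'UserPrincipalName'
    rawContent: 'UserPrincipalName,Reason\nalice@example.com,Executive'
  }
  {
    alias: 'ScannerIPs'
    description: 'Approved vulnerability scanner addresses'
    searchKey: 'IPAddress'
    rawContent: 'IPAddress,Owner\n192.0.2.10,SecOps'
  }
]

// Placeholder for the existing workspace, so scope receives a resource
resource loganalyticsworkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
  name: workspacename
}

// Resource loop: one watchlist per array entry, all scoped to the workspace
resource lists 'Microsoft.SecurityInsights/watchlists@2021-04-01' = [for wl in watchlists: {
  name: wl.alias
  scope: loganalyticsworkspace
  properties: {
    contentType: 'text/csv'
    defaultDuration: '30'
    description: wl.description
    displayName: wl.alias
    itemsSearchKey: wl.searchKey
    numberOfLinesToSkip: 0
    provider: 'Custom'
    rawContent: wl.rawContent
    source: source
    watchlistAlias: wl.alias
  }
}]
```

When this is combined with the new-workspace template, each watchlist in the loop still needs the dependsOn entry for the Sentinel solution.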