Azure Logic apps getting all Watchlist Items for a given watchlist

AbderrahmaneMechri
December 20, 2022
152 views
3 votes
3 Answers

I’m trying to get all Watchlist Items for a given watchlist using the connector ( which still in preview).

I have 150 elements in my Watchlist, I’m getting the first 100 items correctly but I’m not getting the 50 last items, I’m pretty sure that the connector is not handling the pagination, in the output I have a "nextlink", but I don’t know if I can use it to get the resting items.

Does anyone have a solution ?

Answers

Chosen as BEST ANSWER
- AbderrahmaneMechri
- December 21, 2022 at 12:53 pm
- 0 votes
0
I found a workaround using the Azure Monitor connector :

In the query I run "_GetWatchlist('Watchlistname')" to get all the watchlist items, this way I was able to get all the items correctly.

(Edit)

- MayankBargali
- December 21, 2022 at 7:54 am
- 0 votes
0
Sharing the same as discussed here.

Not all connector support pagination and the current supported connector for pagination are listed here. As Microsoft Sentinel is in still preview and there could be many enhancement/improvements to the connectors before it becomes GA. I will pass the feedback for this connector to support pagination, but I will also suggest you pass the feedback here.

The workaround would be query the nextLink to get the next items until the response doesn’t have the nextLink property in the resource. You can leverage the HTTP with Azure AD connector Get web resource action to make the nextLink call. As it is the management API call you can specify the https://management.azure.com as in the below screenshot and pass the nextLink value in the URL.

You need to convert the response $content property to base64ToString to get the actual string content.
Syntax: base64ToString(body(‘youractionname’)?[‘$content’])
Example: base64ToString(body(‘Get_web_resource’)?[‘$content’])

Login or Signup to reply.

- vijaya
- December 21, 2022 at 10:11 am
- 0 votes
0
The same issue raised by MattBurrows there is a limitation that only gets the first 100.

Microsoft Sentinel Watchlist

AFAIK still the watchlist connector in preview and there could be many improvements to be done.

Referrer this Document for Pagination support as
Not all connector support pagination.
```
in the output I have a "nextlink", but I don't know if I can use it to get the resting items.
```
For this query the nextLink to get the next items until the response doesn’t have the nextLink property in the resource as MayankBargali-MSFT as mentioned in microsoft Q&A

The other way may it supports is to retrieve all elements is use For each action for Watchlists-Get all watchlist items for a given watchlist(preview)
Here for sample data i am taking Get blob content action and then in For each retrieved output from previous step and used it in Watchlist action.

Reference link
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.