---
title: Watchlists
description: Watchlists let you define and manage groups of entities that are important to your organization — such as executives or critical infrastructure hosts...
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/watchlists
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Planned
  - Elastic Stack: Generally available since 9.4
---

# Watchlists
<admonition title="Requirements">
  This feature requires the appropriate [subscription](https://www.elastic.co/pricing) in Elastic Stack or [project feature tier](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/deploy-manage/deploy/elastic-cloud/project-settings) in Serverless.
</admonition>

Watchlists let you define and manage groups of entities that are important to your organization — such as executives or critical infrastructure hosts — and factor watchlist membership directly into entity risk scoring. This keeps your most critical entities visible and easy to find during threat investigations. Watchlists sync automatically every 10 minutes to reflect changes in the underlying data sources.
Watchlists replace the [Privileged user monitoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/privileged-user-monitoring) feature. No data is migrated from existing privileged user monitoring configurations; you set up watchlists from scratch.

## Default watchlist

A **Privileged Users** watchlist is available by default. It automatically pulls in administrative users from your [Active Directory Entity Analytics](https://docs-v3-preview.elastic.dev/elastic/integration-docs/tree/main/reference/entityanalytics_ad) and [Okta Entity Analytics](https://docs-v3-preview.elastic.dev/elastic/integration-docs/tree/main/reference/entityanalytics_okta) integrations, so you don't need to manually define these users.

## Risk weighting

Each watchlist has a configurable risk weighting that influences the risk scores of its members. When an entity belongs to a watchlist, the risk scoring engine applies the watchlist's risk weighting using a Bayesian update — either increasing or decreasing the alert-based risk score depending on the configured weight.
For example, assigning a higher risk weighting to a watchlist of executives means that suspicious activity involving those users scores higher and surfaces sooner during investigations.
To learn how watchlist weighting fits into the overall risk score calculation, refer to [Entity risk scoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/entity-risk-scoring).

## Create a watchlist

To create a watchlist:
1. Find the **Entity Analytics** management page in the main menu or by using the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/explore-analyze/find-and-organize/find-apps-and-objects).
2. Go to the **Watchlists** tab.
3. Click **Create watchlist**.
4. Enter a name and, optionally, a description.
5. Set a **Risk Score Weighting** using the slider.
6. Under **Rule Based Data Sources**, define which entities belong to this watchlist:
   - **Entity Store**: Filter existing entities in the entity store using KQL syntax.
- **IndexPattern**: Select an index pattern, apply a KQL filter, and choose the field used to identify entities.
7. Click **Save**.

An entity can belong to more than one watchlist.

## View and manage watchlists

The **Watchlists** tab displays all watchlists in the current Kibana space. You can edit and delete individual watchlists using the icons in the relevant watchlist row.

## Filter entities by watchlist

On the [Entity analytics page](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/solutions/security/advanced-entity-analytics/overview), you can filter the **Entities** section by watchlist membership to focus on the entities most relevant to your investigation.

## Known limitations

- Up to 10,000 entities can be defined per data source.
- You cannot remove entities from a watchlist using CSV upload; use the [Entity Analytics API](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-entity-analytics-api) instead.