[Security Solution] Add Sentinel watchlist lookup ingestion (elastic#269726)

## Summary

Adds Microsoft Sentinel watchlist ingestion to the SIEM rule migration
lookup upload flow. Sentinel watchlist ARM exports are validated in the
UI, uploaded as raw JSON, normalized in the backend, and ingested
through the existing generic processLookups path.

This supports both direct watchlist ARM resources and one-resource ARM
deployment templates, rejects unsupported non-CSV watchlists,
denormalizes only the itemsSearchKey column, and stores itemsSearchKey
in resource metadata.

## Sentinal Watchlist handling

Sentinel watchlists are exported as ARM JSON resources, with the actual
lookup data stored as CSV in `properties.rawContent` ( See
[example](https://github.com/Azure/Azure-Sentinel/blob/840f0f490c3509335821e2030deca714d00c2760/Solutions/Network%20Session%20Essentials/Watchlists/NetworkSession_Monitor_Configuration.json#L13)
).

During upload, Kibana validates the ARM JSON, extracts the CSV, parses
it into rows, and converts the watchlist into a normal lookup resource.

However, before creating the Elastic lookup index, it denormalizes the
Sentinel `itemsSearchKey` column. In simple terms, if the search key
cell contains multiple comma-separated values, Kibana creates one lookup
row per value.

For the Network Session Essentials example, the watchlist declares:

```json
{
  "watchlistAlias": "NetworkSession_Monitor_Configuration",
  "itemsSearchKey": "Ports",
  "contentType": "text/csv"
}
```

That means `Ports` is the field rules search against, so only `Ports` is
denormalized.

### Watchlist before normalization

| Ports | App | Name |
|---|---|---|
| `389,636` | `*` | `Suspicious LDAP Traffic` |
| `3389` | `*` | `Suspicious Remote Desktop Network Traffic` |
| `9150,9151` | `tor` | `Suspicious TOR Traffic` |
| `139,445` | `smb` | `Suspicious SMB Traffic` |

### Watchlist after normalization

| Ports | App | Name |
|---|---|---|
| `389` | `*` | `Suspicious LDAP Traffic` |
| `636` | `*` | `Suspicious LDAP Traffic` |
| `3389` | `*` | `Suspicious Remote Desktop Network Traffic` |
| `9150` | `tor` | `Suspicious TOR Traffic` |
| `9151` | `tor` | `Suspicious TOR Traffic` |
| `139` | `smb` | `Suspicious SMB Traffic` |
| `445` | `smb` | `Suspicious SMB Traffic` |

### Why denormalization is needed

In the Sentinel rule export
`network_session_essentials_rules_export.arm.json`, the KustoQL query
loads the watchlist, splits comma-separated fields, expands them, and
then joins event data against the expanded mapping:

```kusto
let mapping = _GetWatchlist('NetworkSession_Monitor_Configuration')
    | where Type == "Detection" and ThresholdType == "Static" and Severity != "Disabled"
    | extend Ports = split(Ports, ",")
    | mv-expand Ports
    | extend Ports = tostring(Ports);
```

This works in KustoQL because the query can build a temporary `mapping`
table, transform the watchlist inline, expand multi-value cells with
`mv-expand`, and join using a flexible condition like `Ports has
tostring(DstPortNumber)`.

ES|QL lookup joins are more constrained. `LOOKUP JOIN` joins against a
stored lookup index, not an inline transformed table, and lookup join
fields with multi-valued entries do not match. So a lookup document
where `Ports` is `"389,636"` will not behave like two separate values
when joining against an event port such as `389`.

Denormalizing during ingestion moves that transformation out of the
query and into lookup index creation. The migrated ES|QL can then use a
normal lookup join because each searchable port value exists as its own
lookup row.


## Test plan

### Cypress coverage

- ✅ TC1: Create a Microsoft Sentinel migration and identify missing
watchlists in the `Upload watchlists` step.

  Steps:
1. Log in to Kibana and go to **Security** → **Automatic migrations** →
**Manage Automatic Migrations**.
2. Open **Migrate your existing SIEM rules to Elastic** and click
**Upload rules**.
3. In the **Upload SIEM rules** flyout, choose **Microsoft Sentinel**
from **Select migration source**.
4. In **Upload rules**, select a Sentinel Analytics Rules ARM JSON
export that references a watchlist.
  5. Click **Upload**.

  Expectations:
  1. The rules upload succeeds.
  2. The flyout advances to **Upload watchlists**.
3. The watchlist step explains that watchlists were found in the
uploaded rules.
4. The missing watchlist list includes the Sentinel watchlist name, for
example `HighValueAccounts` or `NetworkSession_Monitor_Configuration`
depending on the fixture.
5. The flow does not show Splunk-only macro wording for the Sentinel
migration source.

- ✅ TC2: Upload a valid Microsoft Sentinel watchlist ARM export from the
UI.

  Steps:
1. Log in to Kibana and go to **Security** → **Automatic migrations** →
**Manage Automatic Migrations**.
2. Create or open a Microsoft Sentinel rule migration that is waiting on
**Upload watchlists**.
  3. In the **Upload SIEM rules** flyout, go to **Upload watchlists**.
4. In the watchlist file picker labeled **Select or drag and drop the
exported watchlist files**, select a valid Sentinel watchlist ARM
export.
  5. Click **Upload**.

  Expectations:
  1. The watchlist upload succeeds.
2. The uploaded watchlist is accepted as a Sentinel watchlist resource.
  3. The missing watchlist is marked as resolved in the list.
4. The **Translate** button is available so the user can continue the
migration.
  5. No watchlist parsing or unsupported content type error is shown.

- ✅ TC4: Show a user-facing error for unsupported Sentinel watchlist
content types.

  Steps:
1. Log in to Kibana and go to **Security** → **Automatic migrations** →
**Manage Automatic Migrations**.
2. Click **Upload rules** and create a Microsoft Sentinel migration by
uploading a Sentinel Analytics Rules ARM JSON export that references a
watchlist.
  3. Wait for the flyout to advance to **Upload watchlists**.
4. Select a Sentinel watchlist ARM JSON file where
`properties.contentType` is `application/json` instead of `text/csv`.
  5. Click **Upload**.

  Expectations:
1. The upload fails with a visible error for unsupported Sentinel
watchlist content type.
  2. The watchlist remains unresolved in the missing watchlist list.
  3. The user stays in the **Upload watchlists** step.
  4. The user can choose another file and retry.
  5. No lookup index is created from the unsupported watchlist file.

- ✅ TC5: Show a user-facing error for invalid Sentinel watchlist JSON.

  Steps:
1. Log in to Kibana and go to **Security** → **Automatic migrations** →
**Manage Automatic Migrations**.
2. Click **Upload rules** and create a Microsoft Sentinel migration by
uploading a Sentinel Analytics Rules ARM JSON export that references a
watchlist.
  3. Wait for the flyout to advance to **Upload watchlists**.
  4. In the watchlist file picker, select a malformed JSON file.
5. Repeat with a valid JSON file that is not a Sentinel watchlist ARM
resource or one-resource ARM deployment template.

  Expectations:
  1. Malformed JSON shows **Sentinel watchlist must be valid JSON.**
2. Wrong-schema JSON shows the Sentinel watchlist ARM/template
validation error.
  3. No watchlist is marked as uploaded.
  4. The user remains on **Upload watchlists**.
5. The user can remove the invalid file and retry with a valid Sentinel
watchlist export.

Cypress spec:
`x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/investigations/siem_migrations/rules/sentinel_onboarding.cy.ts`


### Checklist

- [x] Any text added follows EUI writing guidelines, uses sentence case
text and includes i18n support
- [ ] Documentation was added for features that require explanation or
tutorials
- [x] Unit or functional tests were updated or added to match the most
common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the docker list
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee
- [ ] Flaky Test Runner was used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct release_note label is applied per the guidelines
- [ ] Review the backport guidelines and apply applicable backport
labels.

### Identify risks

- [ ] See the risk examples in RISK_MATRIX.mdx
- [x] Low risk: Sentinel watchlist uploads are newly handled on the
existing resources endpoint. Existing Splunk and QRadar lookup behavior
remains on the existing generic lookup path.
- [x] Low risk: malformed Sentinel ARM resources or unsupported
contentType values are rejected with 400 responses rather than being
ingested.
- [x] Low risk: denormalization changes only the Sentinel itemsSearchKey
column before lookup index creation and is covered by unit and FTR API
tests.

### Release note

> Adds Microsoft Sentinel watchlist upload support to SIEM rule
migrations.

Suggested label: release_note:enhancement

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: logeekal

x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/common.gen.ts

@@ -19,6 +19,7 @@ import { z, lazySchema } from '@kbn/zod/v4';
 import { NonEmptyString } from '../../api/model/primitives.gen';
 import { SplunkResourceType } from './vendor/common/splunk.gen';
 import { QradarResourceType } from './vendor/common/qradar.gen';
+import { SentinelResourceType } from './vendor/common/sentinel.gen';
 
 /**
  * The GenAI connector id to use.
@@ -284,10 +285,13 @@ export const MigrationTaskStats = lazySchema(() =>
 );
 export type MigrationTaskStats = z.infer<typeof MigrationTaskStats>;
 
-export const SiemMigrationResourceType = lazySchema(() =>
-  z.union([SplunkResourceType, QradarResourceType])
+export const SiemMigrationResourceTypeInternal = lazySchema(() =>
+  z.union([SplunkResourceType, QradarResourceType, SentinelResourceType])
 );
-export type SiemMigrationResourceType = z.infer<typeof SiemMigrationResourceType>;
+
+export type SiemMigrationResourceType = z.infer<typeof SiemMigrationResourceTypeInternal>;
+export const SiemMigrationResourceType =
+  SiemMigrationResourceTypeInternal as z.ZodType<SiemMigrationResourceType>;
 
 /**
  * A resource of a migration

x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/common.schema.yaml

@@ -239,11 +239,12 @@ components:
           type: integer
           description: The number of items that have failed migration.
 
-    ## should be combination of SplunkResourceType and QradarResourceType types in vendor folder
+    ## should be combination of SplunkResourceType, QradarResourceType and SentinelResourceType types in vendor folder
     SiemMigrationResourceType:
       oneOf:
         - $ref: './vendor/common/splunk.schema.yaml#/components/schemas/SplunkResourceType'
         - $ref: './vendor/common/qradar.schema.yaml#/components/schemas/QradarResourceType'
+        - $ref: './vendor/common/sentinel.schema.yaml#/components/schemas/SentinelResourceType'
 
     SiemMigrationResourceBase:
       type: object

x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/vendor/common/sentinel.gen.ts

@@ -21,3 +21,75 @@ import { z, lazySchema } from '@kbn/zod/v4';
  */
 export const SentinelResourceType = lazySchema(() => z.literal('watchlist'));
 export type SentinelResourceType = z.infer<typeof SentinelResourceType>;
+
+/**
+ * A Microsoft Sentinel watchlist ARM template resource
+ */
+export const SentinelWatchlistResource = lazySchema(() =>
+  z.object({
+    /**
+     * The ARM resource identifier
+     */
+    id: z.string().optional(),
+    /**
+     * The ARM resource name
+     */
+    name: z.string().optional(),
+    /**
+     * The ARM resource type
+     */
+    type: z.string().optional(),
+    /**
+     * The Sentinel watchlist properties
+     */
+    properties: z.object({
+      /**
+       * The Sentinel watchlist alias
+       */
+      watchlistAlias: z.string().min(1),
+      /**
+       * The raw CSV content for the watchlist
+       */
+      rawContent: z.string(),
+      /**
+       * The watchlist search key column name
+       */
+      itemsSearchKey: z.string().optional(),
+      /**
+       * The number of raw content lines to skip
+       */
+      numberOfLinesToSkip: z.number().int().optional(),
+      /**
+       * The source file name
+       */
+      source: z.string().optional(),
+      /**
+       * The source content type
+       */
+      contentType: z.string().optional(),
+    }),
+  })
+);
+export type SentinelWatchlistResource = z.infer<typeof SentinelWatchlistResource>;
+
+/**
+ * A Microsoft Sentinel watchlist ARM deployment template
+ */
+export const SentinelWatchlistTemplate = lazySchema(() =>
+  z.object({
+    /**
+     * The ARM deployment template schema
+     */
+    $schema: z.string().optional(),
+    /**
+     * The ARM deployment template content version
+     */
+    contentVersion: z.string().optional(),
+    /**
+     * The ARM deployment template parameters
+     */
+    parameters: z.object({}).catchall(z.unknown()).optional(),
+    resources: z.array(SentinelWatchlistResource).min(1).max(1),
+  })
+);
+export type SentinelWatchlistTemplate = z.infer<typeof SentinelWatchlistTemplate>;

x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/vendor/common/sentinel.schema.yaml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: Sentinel components for both dashboards and rules
-  version: 'not applicable'
+  version: "not applicable"
 paths: {}
 components:
   x-codegen-enabled: true
@@ -11,3 +11,69 @@ components:
       description: The type of the resource
       enum:
         - watchlist
+
+    SentinelWatchlistResource:
+      type: object
+      description: A Microsoft Sentinel watchlist ARM template resource
+      required:
+        - properties
+      properties:
+        id:
+          type: string
+          description: The ARM resource identifier
+        name:
+          type: string
+          description: The ARM resource name
+        type:
+          type: string
+          description: The ARM resource type
+          example: Microsoft.OperationalInsights/workspaces/providers/Watchlists
+        properties:
+          type: object
+          description: The Sentinel watchlist properties
+          required:
+            - watchlistAlias
+            - rawContent
+          properties:
+            watchlistAlias:
+              type: string
+              minLength: 1
+              description: The Sentinel watchlist alias
+            rawContent:
+              type: string
+              description: The raw CSV content for the watchlist
+            itemsSearchKey:
+              type: string
+              description: The watchlist search key column name
+            numberOfLinesToSkip:
+              type: integer
+              description: The number of raw content lines to skip
+            source:
+              type: string
+              description: The source file name
+            contentType:
+              type: string
+              description: The source content type
+
+    SentinelWatchlistTemplate:
+      type: object
+      description: A Microsoft Sentinel watchlist ARM deployment template
+      required:
+        - resources
+      properties:
+        $schema:
+          type: string
+          description: The ARM deployment template schema
+        contentVersion:
+          type: string
+          description: The ARM deployment template content version
+        parameters:
+          type: object
+          additionalProperties: true
+          description: The ARM deployment template parameters
+        resources:
+          type: array
+          minItems: 1
+          maxItems: 1
+          items:
+            $ref: "#/components/schemas/SentinelWatchlistResource"

x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/components/migration_steps/lookups/lookups_file_upload/index.tsx

@@ -22,7 +22,7 @@ import { UploadFileButton } from '../..';
 import { FILE_UPLOAD_ERROR } from '../../../../translations/file_upload_error';
 import type { SiemMigrationResourceData } from '../../../../../../../common/siem_migrations/model/common.gen';
 import * as i18n from './translations';
-import { convertQradarReferenceSetToLookup } from '../utils';
+import { convertQradarReferenceSetToLookup, convertSentinelWatchlistToResource } from '../utils';
 import { MigrationSource } from '../../../../types';
 
 export interface LookupsFileUploadProps {
@@ -75,7 +75,7 @@ export const LookupsFileUpload = React.memo<LookupsFileUploadProps>(
 
         const lookups = await Promise.all(
           Array.from(files).map((file) => {
-            return new Promise<SiemMigrationResourceData>((resolve) => {
+            return new Promise<SiemMigrationResourceData | undefined>((resolve) => {
               const reader = new FileReader();
 
               reader.onloadstart = () => setIsParsing(true);
@@ -87,26 +87,48 @@ export const LookupsFileUpload = React.memo<LookupsFileUploadProps>(
 
                 if (content == null) {
                   addError(FILE_UPLOAD_ERROR.CAN_NOT_READ);
+                  resolve(undefined);
                   return;
                 }
 
                 if (content === '' && e.loaded > 100000) {
                   // V8-based browsers can't handle large files and return an empty string
                   // instead of an error; see https://stackoverflow.com/a/61316641
                   addError(FILE_UPLOAD_ERROR.TOO_LARGE_TO_PARSE);
+                  resolve(undefined);
                   return;
                 }
 
                 const name = file.name.replace(/\.[^/.]+$/, '').trim();
 
-                if (migrationSource === MigrationSource.QRADAR) {
-                  resolve(
-                    convertQradarReferenceSetToLookup({
-                      fileContent: content,
-                      fallbackName: name,
-                    })
+                try {
+                  if (migrationSource === MigrationSource.QRADAR) {
+                    resolve(
+                      convertQradarReferenceSetToLookup({
+                        fileContent: content,
+                        fallbackName: name,
+                      })
+                    );
+                    return;
+                  }
+
+                  if (migrationSource === MigrationSource.SENTINEL) {
+                    resolve(
+                      convertSentinelWatchlistToResource({
+                        fileContent: content,
+                        fallbackName: name,
+                      })
+                    );
+                    return;
+                  }
+                } catch (error) {
+                  addError(
+                    error instanceof Error ? error.message : FILE_UPLOAD_ERROR.CAN_NOT_PARSE
                   );
+                  resolve(undefined);
+                  return;
                 }
+
                 resolve({ type: 'lookup', name, content });
               };
 
@@ -117,6 +139,7 @@ export const LookupsFileUpload = React.memo<LookupsFileUploadProps>(
                 } else {
                   addError(FILE_UPLOAD_ERROR.CAN_NOT_READ);
                 }
+                resolve(undefined);
               };
 
               reader.onerror = handleReaderError;
@@ -129,8 +152,11 @@ export const LookupsFileUpload = React.memo<LookupsFileUploadProps>(
           addError(e.message);
           return [];
         });
+        const validLookups = lookups.flatMap((resource): SiemMigrationResourceData[] =>
+          resource !== undefined ? [resource] : []
+        );
         // Set the loaded lookups to the state
-        setLookupResources((current) => [...current, ...lookups]);
+        setLookupResources((current) => [...current, ...validLookups]);
       },
       [addError, migrationSource]
     );

x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/components/migration_steps/lookups/missing_lookups_list/index.tsx

@@ -12,11 +12,13 @@ import {
   EuiCopy,
   EuiFlexGroup,
   EuiFlexItem,
+  EuiCode,
   EuiIcon,
   EuiPanel,
   EuiText,
   EuiToolTip,
   useEuiTheme,
+  EuiLink,
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 import * as i18n from './translations';
@@ -50,6 +52,22 @@ export const MissingLookupsList = React.memo<MissingLookupsListProps>(
           <EuiText size="s">
             {migrationSource === MigrationSource.QRADAR ? (
               i18n.REFERENCE_SETS_QRADAR_APP
+            ) : migrationSource === MigrationSource.SENTINEL ? (
+              <FormattedMessage
+                id="xpack.securitySolution.siemMigrations.common.dataInputFlyout.lookups.missingWatchlistsList.sentinelAppSection"
+                defaultMessage="Below are the watchlists found in your rules. Export them from Microsoft Sentinel and upload here. Exported Watchlist must be in <armlink>ARM Resource format</armlink>. CSV content should be included in the <code>rawContent</code> property of the watchlist."
+                values={{
+                  armlink: (child) => (
+                    <EuiLink
+                      href="https://learn.microsoft.com/en-us/azure/templates/microsoft.securityinsights/watchlists?pivots=deployment-language-arm-template#resource-format-1"
+                      target="_blank"
+                    >
+                      {child}
+                    </EuiLink>
+                  ),
+                  code: (child) => <EuiCode>{child}</EuiCode>,
+                }}
+              />
             ) : (
               <FormattedMessage
                 id="xpack.securitySolution.siemMigrations.common.dataInputFlyout.lookups.copyExportQuery.splunk.description"
@@ -74,9 +92,13 @@ export const MissingLookupsList = React.memo<MissingLookupsListProps>(
                     >
                       <EuiFlexItem grow={false}>
                         {uploadedLookups[lookupName] != null ? (
-                          <EuiIcon type="checkCircleFill" color={euiTheme.colors.success} />
+                          <EuiIcon
+                            type="checkCircleFill"
+                            color={euiTheme.colors.success}
+                            aria-hidden={true}
+                          />
                         ) : (
-                          <EuiIcon type="dot" />
+                          <EuiIcon type="dot" aria-hidden={true} />
                         )}
                       </EuiFlexItem>
                       <EuiFlexItem grow={false}>

x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/components/migration_steps/lookups/missing_lookups_list/translations.ts

@@ -40,14 +40,6 @@ export const CLEAR_EMPTY_REFERENCE_SET_TOOLTIP = i18n.translate(
   { defaultMessage: 'Mark the reference set as empty' }
 );
 
-export const WATCHLISTS_SENTINEL_APP = i18n.translate(
-  'xpack.securitySolution.siemMigrations.common.dataInputFlyout.lookups.missingWatchlistsList.sentinelAppSection',
-  {
-    defaultMessage:
-      'Below are the watchlists found in your rules. Export them from Microsoft Sentinel and upload here.',
-  }
-);
-
 export const COPY_WATCHLIST_NAME_TOOLTIP = i18n.translate(
   'xpack.securitySolution.siemMigrations.common.dataInputFlyout.lookups.missingWatchlistsList.copyWatchlistNameTooltip',
   { defaultMessage: 'Copy watchlist name' }

x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/components/migration_steps/lookups/utils/index.ts

@@ -7,3 +7,5 @@
 
 export { convertQradarReferenceSetToLookup } from './qradar_reference_set';
 export type { ConvertQradarReferenceSetToLookupParams } from './qradar_reference_set';
+export { convertSentinelWatchlistToResource } from './sentinel_watchlist';
+export type { ConvertSentinelWatchlistToResourceParams } from './sentinel_watchlist';