Azure Sentinel – Watchlist [General Availability]
On 12 July, Microsoft announced the General Availability (GA) of Azure Sentinel Watchlist in all regions!
Azure Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Azure Sentinel environment. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency.
Get started today with these watchlist use cases:
- Import data from CSV for analytic rules and hunting. Use the watchlist name/value pairs for joins and filters in analytic rules, threat hunting, workbooks, notebooks and general queries. For the full list of capabilities and step-by-step instructions, refer to the official documentation.
- Update your watchlist using the new user interface. Add new or update existing watchlist items via an Excel-like grid, and add or remove columns from the UI for better usability. See the article for more information.
- Automate watchlist operations with playbooks. Use watchlists in Logic App playbooks as part of your security automation for incidents, alerts and more. A two-part tutorial is available, and the playbooks in the GitHub repo show further examples (look for all of the playbooks with “watchlist” in the name).
- Automatically update the IP ranges used by the major cloud providers. Using the watchlist function, create a watchlist for each cloud provider (Azure, AWS, GCP) and keep their respective IP ranges updated automatically, enabling allow-list or block-list detections as well as queries and reports.
- Deploy via ARM for bulk deployments. Use ARM templates for quick deployment scenarios as well as bulk deployments. Learn more to get started with links and examples.
- Import watchlists with curated IOCs. Use watchlist ARM templates for curating and sharing non-Sentinel data across workspaces. Check out the Watchlist section in our GitHub repo for examples, such as the one for the Nobelium cyber attack.
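The following KQL query is an added example, not code from the original post or from the Azure Sentinel GitHub repo. It ties together two of the use cases above: joining on a CSV-imported watchlist (the first bullet) and looking up addresses against the cloud-provider IP-range watchlists (the fourth bullet). The watchlist names, the `Tier` column, the `Prefix`/`Provider` columns of the cloud-range watchlist and the "Tier0" value are all assumptions for the example; `_GetWatchlist`, `SearchKey`, `SigninLogs` and the `ipv4_lookup` plugin are the real Azure Sentinel / Kusto building blocks.

```kusto
// Added example (not from the original post or the Azure Sentinel repo).
// Assumed watchlists:
//   'HighValueAssets'     - imported from CSV; search key column = user principal name,
//                           plus an assumed 'Tier' column ("Tier0", "Tier1", ...)
//   'CloudProviderRanges' - kept current by the cloud-IP watchlist function; assumed
//                           columns 'Prefix' (a CIDR such as 203.0.113.0/24) and 'Provider'
// Detection idea: a successful interactive sign-in by a Tier0 account coming from an
// address inside a public cloud provider range is unusual and worth a closer look.
let tier0 = _GetWatchlist('HighValueAssets')
    | where tostring(Tier) == "Tier0"
    // SearchKey is the column chosen as the search key at import time;
    // normalise case so the join does not miss mixed-case UPNs
    | project Upn = tolower(SearchKey);
let cloudRanges = _GetWatchlist('CloudProviderRanges')
    | project Prefix, Provider;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                        // successful sign-ins only
| extend Upn = tolower(UserPrincipalName)
| join kind=inner tier0 on Upn                  // keep only accounts on the watchlist
// ipv4_lookup matches the sign-in IP against the CIDR prefixes; without
// return_unmatched it behaves like an inner join, so only cloud-sourced sign-ins remain
| evaluate ipv4_lookup(cloudRanges, IPAddress, Prefix)
| summarize SignIns = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName)
          by Upn, IPAddress, Provider
| order by SignIns desc
```

Because watchlists are cached in the workspace, both `_GetWatchlist` calls are cheap enough to run in a scheduled analytic rule; the `tolower` normalisation on both sides of the join is the detail most often missed when a watchlist join silently returns no rows.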