Azure Sentinel now provides built-in watchlist templates, which you can customize for your environment and use during investigations. After those watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, create custom uses such as to track VIP or sensitive users, and more.
Watchlist templates currently include:
VIP Users. A list of user accounts of employees that have high impact value in the organization.
Terminated Employees. A list of user accounts of employees that have been, or are about to be, terminated.
Service Accounts. A list of service accounts and their owners.
Identity Correlation. A list of related user accounts that belong to the same person.
High Value Assets. A list of devices, resources, or other assets that have critical value in the organization.
Network Mapping. A list of IP subnets and their respective organizational contexts.