This blog post is a collaboration with @Cristhofer Munoz.
While each specialized security tool has only a partial view of the world, a SIEM can use its broader reach to enrich event and alert data and to centrally manage allow-lists and watch lists. We are happy to announce the public preview of the Watchlist feature for Azure Sentinel!
Azure Sentinel watchlists enable the collection of data from external data sources for correlation against the events in your Azure Sentinel environment. Once a watchlist is created, you can use it in your searches, detection rules, threat hunting, and response playbooks. For a full list of the functionality and step-by-step instructions, refer to the official documentation.
The Watchlist feature can be utilized for the following use cases:
In your Azure Sentinel portal, navigate to Configuration in the left navigation menu and select Watchlist (Preview).
Create a new watchlist by selecting ‘+ Add new’ and follow the steps in the new watchlist wizard. You will receive a notification in the notifications area of the Azure portal that your watchlist was created. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency.
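As an added example (not code from the original post), the KQL query below shows how an analytics rule can consume two watchlists at once: one as a watch list that enriches each hit with an owner, and one as an allow-list that suppresses expected sources. `_GetWatchlist()` is the documented KQL function for reading a watchlist; the aliases `HighValueAccounts` and `ApprovedSourceIPs` and their column names are assumptions made for this example.

```kusto
// Added example, not code from the original post. Assumptions (constructed
// for this example): a watchlist with alias 'HighValueAccounts' whose
// uploaded CSV has columns 'UserPrincipalName' and 'Owner', and a watchlist
// with alias 'ApprovedSourceIPs' whose uploaded CSV has a column 'IPAddress'.

// Watch list: accounts that deserve extra scrutiny, with an Owner field we
// can carry through to the alert (and on to a notification playbook).
let watched = _GetWatchlist('HighValueAccounts')
    | project Upn = tolower(UserPrincipalName), Owner;
// Allow list: source addresses that are expected and should not raise alerts.
let approved = _GetWatchlist('ApprovedSourceIPs')
    | project IPAddress;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                     // failed sign-ins only
| where IPAddress !in (approved)              // drop allow-listed sources
| extend Upn = tolower(UserPrincipalName)     // normalise case before joining
| join kind=inner watched on Upn              // keep only watched accounts
| summarize Failures = count(),
            SourceIPs = make_set(IPAddress, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Upn, Owner
| where Failures >= 5                         // alert threshold for the rule
```

Because the watchlist values are cached in the workspace, updating the CSV changes what the rule matches without editing the query itself.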
Check out these excellent articles from @liortamir that showcase how to integrate watchlists into your playbooks!
Playbooks & Watchlists Part 1: Inform the subscription owner
Playbooks & Watchlists Part 2: Automate incident response
This is just the beginning; in the near future we will be delivering additional features to enhance the watchlist experience:
We encourage you to try using watchlists now in your analytic rules, playbooks, workbooks and for threat hunting.
Try it out, and let us know what you think!