Watchlists and Hunting

Hi all - reaching out to see if there are any practical use cases for the new watchlists etc., such as terminated / notified users, to get the best out of the data. While I see easy use cases for IP addresses, users and machines seem to have very little written (accepting it's early days for the new templates). Any suggestions / good sources?

@wootts The High Value Assets list can be used in a couple of different ways. One that comes to mind is if there is any incident against an asset that is part of the list, raise the severity (either inside the Analytic rule or by using a Playlist). Another is to check to see if anyone is performing queries against entries in this list (assuming you have the query monitoring enabled) to make sure people are not looking for information they shouldn't (we had a list like this at a hospital I used to work at to make sure people were not looking up information for celebrities we were treating).

The Service Accounts list could be used to ignore incidents from service accounts, as there are usually quite a few of them, or lower the severity.


The Terminated Employees list is very useful for keeping a better eye on their activities, again by raising the severity.
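A worked KQL version of the severity logic described in the reply above, added here as an example (it is not code from the thread or from Microsoft's watchlist templates). It assumes two watchlists created from the Terminated Employees and Service Accounts templates with aliases `TerminatedEmployees` and `ServiceAccounts`, each carrying a `UserPrincipalName` column (and `TerminationDate` on the first); rename these to match your workspace.

```kusto
// Added example, not from the original thread. Assumed watchlist aliases and
// column names are placeholders: adjust to your own watchlist definitions.
let lookback = 1d;
// Accounts that should not raise incidents (noise reduction, per the reply).
let serviceAccounts = _GetWatchlist('ServiceAccounts')
    | extend UPN = tolower(tostring(column_ifexists('UserPrincipalName', '')))
    | where isnotempty(UPN)
    | project UPN;
// Accounts that should raise severity if they show any activity at all.
let terminated = _GetWatchlist('TerminatedEmployees')
    | extend UPN = tolower(tostring(column_ifexists('UserPrincipalName', ''))),
             TerminationDate = tostring(column_ifexists('TerminationDate', ''))
    | where isnotempty(UPN)
    | project UPN, TerminationDate;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                     // successful sign-ins only
| extend UPN = tolower(UserPrincipalName)
| join kind=leftanti serviceAccounts on UPN   // drop known service accounts
| join kind=inner terminated on UPN           // keep only terminated users
| summarize SignInCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10)
          by UPN, TerminationDate
| extend Severity = "High"                    // watchlist hit: raise severity
| project-reorder Severity, UPN, TerminationDate, SignInCount,
                  FirstSeen, LastSeen, SourceIPs, Apps
```

Run it as a scheduled analytic rule with severity High, or keep the `Severity` column and map it through a playbook if you prefer to adjust severity after incident creation.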

As always, Gary, great help. Will start with building some and see where it takes me. Thanks a lot.