Microsoft Sentinel offers many ways to automate tasks. Watchlists are a key component to correlate data sources in detection rules, queries, hunting, and playbooks. It can be a tedious task to keep watchlists updated if their contents are based on dynamic and changing data.Fortunately, the process of editing existing watchlists or creating new ones based on the results of alerts generated in Sentinel can be fully automated using Logic Apps. There are many watchlist actions configurable in Logic Apps – here is a post by Benjamin Kovacevic covering them.
This article will show an example of adding items to a watchlist based on the results of an alert. The steps for this automation are as follows:
Alert creation in Sentinel.
Logic App triggered and updates watchlist based on data from the newly created alert.
Watchlist is now updated and any queries referencing the watchlist are now referencing the latest data.
This can be useful in situations where watchlists are reliant upon dynamic data, data that is changing and needs updating automatically. For example, you might have a query which checks for honeytoken activity based on the accounts in a watchlist. You could create an Analytics rule which is triggered when a privileged AD account is disabled. This will take the account and automatically add it to the watchlist of honeytoken accounts. The alert logic (query) monitors accounts in that watchlist and reports on any activity.
There are three resources you need to create to set up a Logic App to update watchlists based on alert generation: an Analytics rule, a watchlist, and a Logic App.
The first resource to create is the Analytics rule. You can do this by going to the Analytics tab in Sentinel and selecting Create -> Scheduled query rule. When creating the Analytics rule you will need to map the results of the query/alert to one or more entities to reference them in a Logic App. I have mapped the query/alert output column “User” to the Name attribute in the Account entity. This is so the alert can be linked to a specific Account. You can add more identifiers and entities if needed.
You’ll have to edit this rule in a bit but for now you can go ahead and create the new rule.
The second resource that needs to be set up is the watchlist. This can be done through the Watchlist tab in Sentinel. In this case the watchlist name is AccountsOfInterest which has a column called AccountName.You must upload a CSV to set the watchlist even if you plan to start with an empty list. You can edit the items in the watchlist once it has been created, however you cannot change the watchlist alias or column names.
The third and final resource is the Logic App which will run every time the Analytics rule from above generates an alert. You can set up the Logic App by going to the Automation tab in Sentinel and then Create -> “Playbook with alert trigger”.
Once you click to create the playbook you will be directed to the Logic App page. The Logic App can be configured in the “Logic app designer” tab. You should design the app the same way as below.
Inside the For each loop you should configure the following:
Each step in the Logic App:
The Logic App is triggered when an alert is created.
As in our example we used the Account entity (see the Analytics rule creation), all Account entities from the alert are taken.
Iterate through each of the Account entities from Step 2.
Inside the iteration loop for each Account a new watchlist item is created. Because the watchlist in our example has the column name AccountName, the same has been used in the Item creation field. If this is not correctly done the Logic App will be unable to create the watchlist item. The value selected is Accounts Name as in the Analytics rule, we mapped the output of the alert to the Account entities Name attribute.
The last step is to edit the Analytics rule created earlier and add the Logic App as an automated response. This can be done from the “Automated response” tab after going to the edit page of the Analytics rule.
You can trigger the Analytics rule to run and verify that the Logic App is working. Use the Runs history tab on the Logic App to see the input and output at each stage of the Logic App. You can see in the first image below the input to the Logic App at the alert creation stage has an item of Account type called “backup_admin” from a Medium severity alert called “New Accounts of Interest Discovered”. As can be seen from the second image below the Logic App creates a new watchlist item in the watchlist AccountsOfInterest with the AccountName column field as “backup_admin”.
Once you have these three resources set up, the Logic App will automatically update the watchlist based on the input to the Logic App. Of course, you can add more actions the Logic App takes, as well as how many watchlists it modifies. A watchlist can also contain more than one column, so if you are adding an item to a watchlist with more than one column you must make sure that the Logic App is populating each column for an item.