Microsoft Sentinel offers many ways to automate tasks. Watchlists are a key component for correlating data sources in detection rules, queries, hunting, and playbooks. Keeping a watchlist up to date can be tedious when its contents depend on data that changes over time. Fortunately, editing existing watchlists or creating new ones from the results of alerts generated in Sentinel can be fully automated with Logic Apps. Many watchlist actions are available in Logic Apps; Benjamin Kovacevic has a post covering them.
This article shows an example of adding items to a watchlist based on the results of an alert, using the steps described below.
This is useful when a watchlist depends on data that changes and must be kept current without manual edits. For example, you might have a query which checks for honeytoken activity based on the accounts in a watchlist. You could create an Analytics rule which is triggered when a privileged AD account is disabled; the playbook takes the disabled account and automatically adds it to the watchlist of honeytoken accounts. Since a disabled privileged account should see no further use, any authentication attempt against it is worth an alert, so a second query monitors the accounts in that watchlist and reports on any activity.
There are three resources you need to create to set up a Logic App to update watchlists based on alert generation: an Analytics rule, a watchlist, and a Logic App.
The first resource to create is the Analytics rule. You can do this by going to the Analytics tab in Sentinel and selecting Create -> Scheduled query rule. When creating the Analytics rule you will need to map the results of the query/alert to one or more entities to reference them in a Logic App. I have mapped the query/alert output column “User” to the Name attribute in the Account entity. This is so the alert can be linked to a specific Account. You can add more identifiers and entities if needed.
You will come back to this rule later to attach the playbook as an automated response, but for now go ahead and create it.
The second resource to set up is the watchlist. This can be done through the Watchlist tab in Sentinel. In this case the watchlist is named AccountsOfInterest and has a single column called AccountName. Creating a watchlist requires uploading a CSV, even if you plan to start with an effectively empty list. You can edit the items in the watchlist once it has been created; however, you cannot change the watchlist alias or the column names, so choose them carefully because the Logic App will reference both.
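As an added example (not code from the original post), here are the two KQL queries the honeytoken scenario above implies: the scheduled rule whose output column User is mapped to the Account entity's Name attribute, firing when a privileged AD account is disabled, and a second rule that reads the AccountsOfInterest watchlist and alerts on any authentication activity involving those accounts. Both assume Windows Security events collected from domain controllers into the SecurityEvent table; the "_admin"/"adm_" naming convention used to recognise privileged accounts is an illustrative assumption and would normally be replaced by your own group membership or tier model.

```kql
// Rule 1 (scheduled query rule): a privileged AD account was disabled.
// Output column "User" is what gets mapped to Account > Name in the rule's entity mapping.
// Assumes SecurityEvent is fed from domain controllers; EventID 4725 = "A user account was disabled".
// The naming convention for privileged accounts is an assumption for illustration only.
SecurityEvent
| where EventID == 4725
| where TargetUserName !endswith "$"                                   // ignore computer accounts
| where TargetUserName endswith "_admin" or TargetUserName startswith "adm_"
| project TimeGenerated, User = TargetUserName, TargetDomainName,
          DisabledBy = SubjectUserName, Computer

// Rule 2 (separate scheduled query rule): honeytoken activity.
// Any authentication event that names an account in the AccountsOfInterest watchlist
// is suspicious, because every account the playbook adds there has been disabled.
let honeytokens = _GetWatchlist('AccountsOfInterest')
    | project AccountName;
SecurityEvent
| where EventID in (4624, 4625, 4768, 4769, 4771, 4776)               // logon, failed logon, Kerberos TGT/TGS, pre-auth failure, NTLM validation
| where TargetUserName in~ (honeytokens)                              // case-insensitive match against the watchlist column
| project TimeGenerated, User = TargetUserName, EventID, Activity,
          Computer, IpAddress, LogonType
```

Each query is pasted into its own Analytics rule. In Rule 2 the User column can again be mapped to Account > Name, so the resulting alert carries the honeytoken account as an entity and can drive a further playbook (for example, to isolate the source host).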
The third and final resource is the Logic App which will run every time the Analytics rule from above generates an alert. You can set up the Logic App by going to the Automation tab in Sentinel and then Create -> “Playbook with alert trigger”.
Once you click to create the playbook you will be directed to the Logic App page, where the app is built in the "Logic app designer" tab. The structure is straightforward: the Microsoft Sentinel alert trigger starts the run, the Account entities are extracted from the alert (the Microsoft Sentinel connector's "Entities - Get Accounts" action), and a For each loop iterates over those accounts. Inside the For each loop, configure a "Watchlists - Add a new watchlist item" action that targets the AccountsOfInterest watchlist and sets the AccountName column from the name of the current Account entity.
The last step is to edit the Analytics rule created earlier and add the Logic App as an automated response. This can be done from the “Automated response” tab after going to the edit page of the Analytics rule.
Trigger the Analytics rule and verify that the Logic App works. Use the Runs history tab on the Logic App to inspect the input and output at each stage. In the run examined here, the input at the trigger stage contained an entity of Account type named "backup_admin" from a Medium severity alert called "New Accounts of Interest Discovered", and the Logic App created a new item in the AccountsOfInterest watchlist with the AccountName column set to "backup_admin". You can confirm the new row independently by querying the watchlist with the _GetWatchlist function in Logs. Note that Sentinel itself needs permission to run the playbook: grant the Microsoft Sentinel Automation Contributor role on the playbook's resource group (the rule's Automated response tab prompts for this if it is missing).
Once these three resources are set up, the Logic App updates the watchlist automatically from the alert input. You can of course add further actions and modify more than one watchlist. A watchlist can also have more than one column; when adding an item to such a watchlist, make sure the Logic App supplies a value for every column. If the same account can trigger the rule more than once, consider checking whether it is already present before adding it, so the watchlist does not accumulate duplicate entries.
Thanks for reading!