Watchlists
5 Topics

Common scenarios using Watchlists (with query examples)!
Watchlists in Microsoft Sentinel allow you to correlate data with events in your Microsoft Sentinel environment. Watchlists can be used for searching, detection rules, threat hunting, and in response playbooks. This blog highlights the four common use cases for watchlists and then describes sample scenarios associated with each.

Anomaly detection on the SAP audit log using the Microsoft Sentinel for SAP solution
Organizations that use the Microsoft Sentinel for SAP solution obtain valuable security insights from events in the SAP security audit log, as it contains an audit trail of many important activities covering both standard SAP events and customer-enhanced events. The current Sentinel solution includes a variety of out-of-the-box detections and visualizations based on the information in the SAP security audit log. We are proud to announce that the new Microsoft Sentinel for SAP solution is enhanced with a feature designed to detect suspicious events in the SAP security audit log based on deviation from the norm, meaning anomalies, in addition to the existing deterministic detection patterns previously included with the solution.

Use the bulk update feature with Microsoft Sentinel Watchlists
Watchlists within Microsoft Sentinel are commonly used in conjunction with analytics rules to achieve several use cases that mostly focus on ruling in and ruling out alerts or incidents. Leverage the bulk update feature to quickly make updates to your existing watchlists.

Large Watchlist using SAS key is in Public Preview!
There are many scenarios where you will need to reference and look up a larger watchlist dataset in your detection rules or investigations, such as: mapping a database of IPv4 address networks to their respective geographical locations from known sources such as MaxMind or IP2Location; leveraging the CVE vulnerability database to help enrich incidents and alerts that may be related to a known exploit. We are happy to announce a new watchlist capability that supports larger watchlist uploads!