What’s New: Azure Sentinel Update Watchlist UI Enhancements

 URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-update-watchlist-ui-enhancements/ba-p/2451476

Published On  06/16/2021

This blog post is a
collaboration between 
 and @JulianGonzalez 


This installment is part
of a broader series to keep you up to date with the latest
features/enhancements in Azure Sentinel. The installments will be bite-sized to
enable you to easily digest the new content.




Security operations (SecOps) teams need to be equipped with the tools that
empower them to efficiently detect, investigate, and respond to threats across
your enterprise. Azure Sentinel watchlists empower organizations to shorten
investigation cycles and enable rapid threat remediation by providing the
ability to collect external data sources for correlation with security events.
Additionally, correlations and analytics help SecOps stay appraised of bad
actors and compromised entities across the environment. Incorporating external
data and performing correlation across analytics allows security teams to get a
better view of their entire infrastructure and take steps to reduce risk.


Due to evolving and constant change in the cybersecurity landscape that we
live in, it is very challenging for SecOps to stay appraised of new indicators
of compromise.


Azure Sentinel Watchlists provides the ability to  quickly import IP
addresses, file hashes, etc. from csv files into your Azure Sentinel
workspace.  Then utilize the watchlist name/value pairs for joining and
filtering for use in alert rules, threat hunting, workbooks, notebooks and for
general queries.


Due to the constant change, security analysts need the flexibility to update
watchlists to stay ahead. With that in mind,  we are super excited to
announce the Azure Sentinel Watchlist  enhancements that empower security
analysts to drive efficiency by enabling the ability to update or add items to
a watchlist using an intuitive user interface.



For additional use case examples, please refer to these relevant blog posts:


Utilize Watchlists to Drive Efficiency during Azure Sentinel Investigations:

Utilize Watchlists to Drive Efficiency During Azure Sentinel
Investigations – Microsoft Tech Community


Playbooks & Watchlists Part 1: Inform the subscription owner



Playbooks & Watchlists Part 2: Automate incident response



Please refer to our public documentation for other additional details. 



Watchlist Updating


The new watchlist UI encompasses the following functionality:

– Add new watchlist items or update existing watchlist items.

– Select and update multiple watchlist items at once via an Excel-like grid.

– Add/remove columns from the watchlist update UI view for better usability.


How to update

From the Azure portal, navigate to Azure Sentinel > Configuration > Watchlist






Select a Watchlist, then select Edit Watchlist Items




Select > Add
, update watchlist parameters


started today!


We encourage you to try out the new Wachlist update UI enhancement to drive
efficiency across your data correlation.