Published On 06/16/2021
This blog post is a
collaboration between @Cristhofer
Munoz and @JulianGonzalez
This installment is part
of a broader series to keep you up to date with the latest
features/enhancements in Azure Sentinel. The installments will be bite-sized to
enable you to easily digest the new content.
Security operations (SecOps) teams need to be equipped with the tools that
empower them to efficiently detect, investigate, and respond to threats across
your enterprise. Azure Sentinel watchlists empower organizations to shorten
investigation cycles and enable rapid threat remediation by providing the
ability to collect external data sources for correlation with security events.
Additionally, correlations and analytics help SecOps stay appraised of bad
actors and compromised entities across the environment. Incorporating external
data and performing correlation across analytics allows security teams to get a
better view of their entire infrastructure and take steps to reduce risk.
Due to evolving and constant change in the cybersecurity landscape that we
live in, it is very challenging for SecOps to stay appraised of new indicators
Azure Sentinel Watchlists provides the ability to quickly import IP
addresses, file hashes, etc. from csv files into your Azure Sentinel
workspace. Then utilize the watchlist name/value pairs for joining and
filtering for use in alert rules, threat hunting, workbooks, notebooks and for
Due to the constant change, security analysts need the flexibility to update
watchlists to stay ahead. With that in mind, we are super excited to
announce the Azure Sentinel Watchlist enhancements that empower security
analysts to drive efficiency by enabling the ability to update or add items to
a watchlist using an intuitive user interface.
For additional use case examples, please refer to these relevant blog posts:
Utilize Watchlists to Drive Efficiency during Azure Sentinel Investigations:
Utilize Watchlists to Drive Efficiency During Azure Sentinel
Investigations – Microsoft Tech Community
Playbooks & Watchlists Part 1: Inform the subscription owner
Playbooks & Watchlists Part 2: Automate incident response
Please refer to our public documentation for other additional details.
The new watchlist UI encompasses the following functionality:
– Add new watchlist items or update existing watchlist items.
– Select and update multiple watchlist items at once via an Excel-like grid.
– Add/remove columns from the watchlist update UI view for better usability.
How to update
From the Azure portal, navigate to Azure Sentinel > Configuration > Watchlist
Select a Watchlist, then select Edit Watchlist Items
Select > Add
New, update watchlist parameters
We encourage you to try out the new Wachlist update UI enhancement to drive
efficiency across your data correlation.