New Azure Sentinel blog: What’s new: Watchlists templates are now in public preview!

As we know, each organization is unique and has different use cases and
scenarios in mind when it comes to security operations. Nevertheless, we’ve
identified several use cases that are common across many SOC teams.

Azure Sentinel now provides built-in watchlist templates, which you can
customize for your environment and use during investigations.

After those watchlists are populated with data, you can correlate that data
with analytics rules, view it in the entity pages and investigation graphs as
insights, create custom uses such as to track VIP or sensitive users, and more.
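
As an added illustration of correlating a populated watchlist with an analytics rule (this query is not from the original post), the following KQL flags successful sign-ins by accounts on a terminated-users watchlist. The alias `TerminatedEmployees` and the choice of the user principal name as the watchlist's search key are assumptions; substitute the alias and key configured in your workspace.

```kusto
// Added example, not part of the original blog post.
// Assumption: a watchlist exists under the alias 'TerminatedEmployees'
// and its SearchKey column holds each user's UPN.
let terminated =
    _GetWatchlist('TerminatedEmployees')
    | project UserPrincipalName = tolower(tostring(SearchKey));
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                       // "0" = successful sign-in
| extend UserPrincipalName = tolower(UserPrincipalName)
// Keep only sign-ins whose account appears on the watchlist.
| join kind=inner (terminated) on UserPrincipalName
| summarize
    SigninCount = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    SourceIPs   = make_set(IPAddress, 20),
    Apps        = make_set(AppDisplayName, 20)
    by UserPrincipalName
```

Lowercasing both sides of the join avoids missed matches when the watchlist and the sign-in logs record the same account with different casing.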

Watchlist templates currently include:

  • VIP
    A list of user accounts of employees that have high impact value in the
  • Terminated
    A list of user accounts of employees that have been, or are about to be,
  • Service
    A list of service accounts and their owners.
  • Identity
    A list of related user accounts that belong to the same person.
  • High Value Assets
    A list of devices, resources, or other assets that have critical value in
    the organization.
  • Network
    A list of IP subnets and their respective organizational contexts.


Watchlists templates insights in entity pages


We’ve created the watchlist template schemas to be super easy and extensible, so that
you can populate them with the relevant data. More information about using the
watchlist templates can be found here.


What’s next?


Besides surfacing the watchlist template data inside the entity pages,
we’re working on embedding this information in the UEBA anomalies and in the
entity risk score, which is planned next. Understanding whether a user is a
VIP/Terminated or an asset is an HVA is important to provide both context and
security value for the analyst while investigating.