What's new: Watchlists templates are now in public preview!

Published Aug 06 2021 02:32 AM 4,405 Views
Microsoft

As we know, each organization is unique and has different use cases and scenarios in mind when it comes to security operations. Nevertheless, we've identified several use cases that are common across many SOC teams.


Azure Sentinel now provides built-in watchlist templates, which you can customize for your environment and use during investigations.

After those watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, build custom use cases such as tracking VIP or sensitive users, and more.


Watchlist templates currently include:

  • VIP Users. A list of user accounts of employees that have high impact value in the organization.
  • Terminated Employees. A list of user accounts of employees that have been, or are about to be, terminated.
  • Service Accounts. A list of service accounts and their owners.
  • Identity Correlation. A list of related user accounts that belong to the same person.
  • High Value Assets. A list of devices, resources, or other assets that have critical value in the organization.
  • Network Mapping. A list of IP subnets and their respective organizational contexts.

[Image: Watchlists templates insights in entity pages]

We've created the watchlist template schemas (https://docs.microsoft.com/en-us/azure/sentinel/watchlist-schemas) to be simple and extensible, so that you can populate them with the relevant data. More information about using the watchlist templates can be found at https://docs.microsoft.com/en-us/azure/sentinel/watchlists#create-a-new-watchlist-using-a-template-public-preview.
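As an added example (not part of the original post), the query below shows the correlation described above in practice: the `VIP Users` watchlist is loaded with the Sentinel `_GetWatchlist()` function and joined against `SigninLogs` to surface VIP accounts with repeated failed sign-ins in the last day. The column names `User Principal Name` and `Tags` are assumed to match the VIP Users template schema; check the schema link above and adjust them if your populated watchlist differs.

```kusto
// Added example: correlate the 'VIP Users' watchlist template with Azure AD sign-in logs.
// _GetWatchlist() returns the named watchlist as a table; column names are assumed
// from the VIP Users template schema and may need adjusting for your tenant.
let lookback = 1d;
let threshold = 5;                              // failed attempts per hour that warrant a look
let vipUsers = _GetWatchlist('VIP Users')
    | project VipUpn = tolower(['User Principal Name']), VipTags = ['Tags'];
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                       // ResultType "0" is success; anything else failed
| extend Upn = tolower(UserPrincipalName)       // normalise case before joining
| join kind=inner vipUsers on $left.Upn == $right.VipUpn
| summarize
    FailedAttempts = count(),
    DistinctIPs    = dcount(IPAddress),
    SampleIPs      = make_set(IPAddress, 10),
    Apps           = make_set(AppDisplayName, 10)
    by Upn, VipTags, Hour = bin(TimeGenerated, 1h)
| where FailedAttempts >= threshold
| order by FailedAttempts desc
```

The same pattern applies to the other templates: swap the watchlist name and join key (for example an object ID or device name), and for the Network Mapping template use the `ipv4_lookup` plugin instead of an equality join so that addresses are matched against the listed subnets. Scheduled analytics rules in Sentinel accept a query of exactly this shape, so the watchlist becomes an allow- or watch-list that the rule consults on every run without hard-coding account names into the rule itself.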


What’s next?


Besides surfacing the watchlist template data inside the entity pages, we're working on embedding this information in the UEBA anomalies and in the entity risk score, which is planned next. Knowing whether a user is a VIP or a terminated employee, or whether an asset is a high value asset (HVA), gives the analyst both context and security value while investigating.


We Value Your Opinion!

Our goal is to make your life easier while you investigate security incidents. If you have any feedback – about the experience, the usage – or anything else, please let us know! We aim to improve.


3 Comments
Occasional Contributor

Look forward to seeing this progress 

Senior Member

This is going to be extremely useful. I can think of a number of Use Cases where this can be used.

Occasional Visitor

The watchlist for IP ranges stops working. Are there any limitations related to the number of records in a watchlist?

Last update: Aug 06 2021 02:27 AM