Use Azure Sentinel watchlists
Azure Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Azure Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency.
Common scenarios for using watchlists include:
Investigating threats and responding to incidents quickly with the rapid import of IP addresses, file hashes, and other data from CSV files. Once imported, you can use watchlist name-value pairs for joins and filters in alert rules, threat hunting, workbooks, notebooks, and general queries.
Importing business data as a watchlists. For example, import user lists with privileged system access, or terminated employees, and then use the watchlist to create allow and deny lists used to detect or prevent those users from logging in to the network.
Reducing alert fatigue. Create allow lists to suppress alerts from a group of users, such as users from authorized IP addresses that perform tasks that would normally trigger the alert, and prevent benign events from becoming alerts.
Enriching event data. Use watchlists to enrich your event data with name-value combinations derived from external data sources.
Create a new watchlist
From the Azure portal, navigate to Azure Sentinel > Configuration > Watchlist and then select Add new.
On the General page, provide the name, description, and alias for the watchlist, and then select Next.
On the Source page, select the dataset type, upload a file, and then select Next.
File uploads are currently limited to files of up to 3.8 MB in size.
Review the information, verify that it is correct, and then select Create.
A notification appears once the watchlist is created.
Use watchlists in queries
From the Azure portal, navigate to Azure Sentinel > Configuration > Watchlist, select the watchlist you want to use, and then select View in Log Analytics.
The items in your watchlist are automatically extracted for your query, and will appear on the Results tab. The example below shows the results of the extraction of the ServerName and IpAddress fields.
The timestamp on your queries will be ignored in both the query UI and in scheduled alerts.
You can query data in any table against data from a watchlist by treating the watchlist as a table for joins and lookups.
Heartbeat | lookup kind=leftouter _GetWatchlist('IPlist') on $left.ComputerIP == $right.IPAddress
Use watchlists in analytics rules
To use watchlists in analytics rules, from the Azure portal, navigate to Azure Sentinel > Configuration > Analytics, and create a rule using the
_GetWatchlist('<watchlist>') function in the query.
In this example, create a watchlist called “ipwatchlist” with the following values:
Next, create the analytics rule. In this example, we only include events from IP addresses in the watchlist:
//Watchlist as a variable let watchlist = (_GetWatchlist('ipwatchlist') | project IPAddress); Heartbeat | where ComputerIP in (watchlist)
//Watchlist inline with the query Heartbeat | where ComputerIP in ( (_GetWatchlist('ipwatchlist') | project IPAddress) )
View list of watchlists aliases
To get a list of watchlist aliases, from the Azure portal, navigate to Azure Sentinel > General > Logs, and run the following query:
_GetWatchlistAlias. You can see the list of aliases in the Results tab.
In this document, you learned how to use watchlists in Azure Sentinel to enrich data and improve investigations. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.
- Use workbooks to monitor your data.