Introduction
Microsoft Sentinel provides a table to store list data accessible to Kusto Query Language (KQL) queries. The Watchlists page in Microsoft Sentinel provides the management options to maintain the lists.
You're a Security Operations Analyst working at a company that has implemented Microsoft Sentinel. The Security Operations team members need to prioritize alerts that are impacting high-value target servers.
You must import a list of server names into Microsoft Sentinel, which can then be used by detection queries to set a priority field. You import a list of servers into the Watchlist page of Microsoft Sentinel. Once created, you instruct the Security Operations team to use the watch list in their KQL queries.
After completing this module, you'll be able to:
- Create a watchlist with Microsoft Sentinel
- Use KQL to access the watchlist with Microsoft Sentinel
Prerequisites
None