What’s New: Azure Sentinel Update Watchlist UI Enhancements

This blog post is a collaboration between @Cristhofer Munoz and @JulianGonzalez

This installment is part of a broader series to keep you up to date with the latest features and enhancements in Azure Sentinel. The installments will be bite-sized so you can easily digest the new content.

Introduction

Security operations (SecOps) teams need to be equipped with tools that empower them to efficiently detect, investigate, and respond to threats across the enterprise. Azure Sentinel watchlists help organizations shorten investigation cycles and enable rapid threat remediation by providing the ability to collect external data sources for correlation with security events. Additionally, correlations and analytics help SecOps stay apprised of bad actors and compromised entities across the environment. Incorporating external data and performing correlation across analytics gives security teams a better view of their entire infrastructure and lets them take steps to reduce risk.

Due to the evolving and constantly changing cybersecurity landscape we live in, it is very challenging for SecOps to stay apprised of new indicators of compromise.

Azure Sentinel Watchlists provide the ability to quickly import IP addresses, file hashes, etc. from CSV files into your Azure Sentinel workspace. The watchlist name/value pairs can then be used for joining and filtering in alert rules, threat hunting, workbooks, notebooks, and general queries.

Due to this constant change, security analysts need the flexibility to update watchlists to stay ahead. With that in mind, we are super excited to announce the Azure Sentinel Watchlist enhancements that empower security analysts to drive efficiency by enabling them to update or add items to a watchlist using an intuitive user interface.
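As an added example of the join-and-filter use described above (this query is not from the original post), the KQL below correlates Azure AD sign-ins with a watchlist of IP addresses. The watchlist name HighRiskIPs and its CSV columns IPAddress, Owner and Notes are assumptions; SigninLogs and _GetWatchlist are the standard Azure Sentinel table and function.

```kql
// Added example: correlate sign-ins against a watchlist of IP addresses.
// Assumed watchlist name and CSV columns: HighRiskIPs (IPAddress, Owner, Notes).
let highRiskIps = _GetWatchlist('HighRiskIPs')
    | project IPAddress = tostring(IPAddress),
              Owner = tostring(Owner),
              Notes = tostring(Notes);
SigninLogs
| where TimeGenerated > ago(1d)
// Keep only sign-ins whose source address is on the watchlist
| join kind=inner highRiskIps on IPAddress
// ResultType "0" is a successful sign-in; anything else is a failure
| summarize SignIns = count(),
            FailedSignIns = countif(ResultType != "0"),
            Users = make_set(UserPrincipalName)
          by IPAddress, Owner, Notes
| order by FailedSignIns desc
```

Because the query reads the watchlist at run time, items added or updated through the new watchlist UI are picked up by the next run without changing the query.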


———————————————————————

For additional use case examples, please refer to these relevant blog posts:

– Utilize Watchlists to Drive Efficiency During Azure Sentinel Investigations (Microsoft Tech Community)

– Playbooks & Watchlists Part 1: Inform the subscription owner: https://techcommunity.microsoft.com/t5/azure-sentinel/playbooks-amp-watchlists-part-1-inform-the-sub…

– Playbooks & Watchlists Part 2: Automate incident response: https://techcommunity.microsoft.com/t5/azure-sentinel/playbooks-amp-watchlists-part-2-automate-incid…

Please refer to our public documentation for additional details.

———————————————————————


Watchlist Updating Functionality

The new watchlist UI encompasses the following functionality:

– Add new watchlist items or update existing watchlist items.
– Select and update multiple watchlist items at once via an Excel-like grid.
– Add/remove columns from the watchlist update UI view for better usability.


How to update a watchlist

From the Azure portal, navigate to Azure Sentinel > Configuration > Watchlist.

(screenshot: watchlist.jpg)

Select a Watchlist, then select Edit Watchlist Items.

(screenshot: watchlist2.png)

Select Add New, then update the watchlist parameters.

(screenshot: addnew.gif)


Get started today!

We encourage you to try out the new Watchlist update UI enhancement to drive efficiency across your data correlation.

Try it out, and let us know what you think!
