Watchlists act as custom log tables in Azure Sentinel where one can introduce data that isn’t otherwise obtained from connectors. In the context of the SC-200 Microsoft Security Operations Analyst Examination, understanding how to use and manage watchlists effectively is crucial.
1. Understanding Watchlists
Watchlists in Azure Sentinel are user-defined lists utilized to build logic into Scheduled query rules or Notebooks. You can create a watchlist to improve the quality and relevance of your findings from data, making your threat detection more precise and your investigations more meaningful.
For example, a watchlist can hold a list of all your company’s VIP users who warrant closer monitoring, or a list of the IP addresses of the VPN devices you want to watch carefully. With watchlists, you can consolidate the IP addresses that your scanners report as vulnerable and then create an alert if any of those addresses appears in your logs.
2. Creating a Watchlist
Before creating a watchlist, collect and curate the data you intend to use, then format it as a .csv file for import.
Steps to create a watchlist:
- In the Azure Sentinel portal, select Configuration > Watchlists > Add.
- Choose the workspace, fill in the name, and give a description.
- Attach and upload the .csv file, making sure to accurately map CSV headers to Watchlist columns.
- Click on ‘Review + Create’ to finish.
3. Managing Watchlists
Watchlists are kept useful by updating their data on a regular basis, so that analysts are working with the most current information. This can involve adding, updating, or deleting items in a watchlist, which you can do from the Azure portal, through the REST API, or with a PowerShell script.
How to add new data from the Azure portal:
- Select Configuration > Watchlists.
- Locate the watchlist you want to update and click on its name.
- Under the items section, click on ‘Add item.’
- In the line items window, you can now add the new information.
Moreover, deleting a watchlist also involves a similar process from the Azure portal where you select the watchlist and click on ‘Delete watchlist.’
4. Leveraging Watchlists
Watchlists can be leveraged within analytics query rules and Azure notebooks. Within query rules, a watchlist can be used as the right-hand side of the ‘in~’ operator (a case-insensitive membership test), so you can incorporate the watchlist directly in the rule query.
Here is an example where a watchlist named ‘importantUsers’ that contains a list of user accounts is checked against SigninLogs. The watchlist is read with the `_GetWatchlist()` function; the `SearchKey` column (the column you designated as the search key when uploading the CSV) is projected so that `in~` receives a single column, and you can substitute whichever column holds the user principal name:

```kusto
// Read the watchlist and keep only the column to match on (one column is required for in~)
let importantUsers = (_GetWatchlist('importantUsers') | project SearchKey);
SigninLogs
| where UserPrincipalName in~ (importantUsers)
```
Meanwhile, in Azure notebooks, you can incorporate a watchlist as a DataFrame. This allows you to use your watchlist to enrich machine learning models or compare lists against processed data results.
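The following Python script, added here as an example and not part of the original article or of Azure Sentinel itself, models in notebook-style code what sections 3 and 4 describe: loading a watchlist from a .csv file (re-uploading the same file updates items keyed on the search key instead of duplicating them), enforcing the per-value length limit quoted later in the practice test, and matching sign-ins against the watchlist case-insensitively, the way `in~` does. The CSV content, the sign-in rows and the column names (upn, department, tier) are constructed sample data.

```python
import csv
import io

# Constructed sample watchlist CSV; the first column (upn) is the search key.
WATCHLIST_CSV = """upn,department,tier
Alice.Admin@contoso.example,IT,VIP
bob.finance@contoso.example,Finance,VIP
"""

# Constructed sample SigninLogs rows, reduced to the columns the example needs.
SIGNIN_LOGS = [
    {"UserPrincipalName": "alice.admin@contoso.example", "IPAddress": "203.0.113.10"},
    {"UserPrincipalName": "carol.dev@contoso.example", "IPAddress": "203.0.113.11"},
    {"UserPrincipalName": "BOB.FINANCE@contoso.example", "IPAddress": "198.51.100.7"},
]

MAX_VALUE_LEN = 4096  # per-value limit stated in the practice test on this page


def load_watchlist(csv_text, search_key, existing=None):
    """Parse watchlist CSV into {search_key: row}, keyed case-insensitively so that
    loading the same CSV again updates items instead of duplicating them."""
    items = dict(existing or {})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if search_key not in row:
            raise ValueError(f"search key column '{search_key}' missing from header")
        for col, val in row.items():
            if val is not None and len(val) > MAX_VALUE_LEN:
                raise ValueError(f"value in column '{col}' exceeds {MAX_VALUE_LEN} chars")
        items[row[search_key].casefold()] = row  # casefold mirrors KQL's in~
    return items


def match_signins(signins, watchlist):
    """Sign-ins whose UPN is in the watchlist, enriched with the matching row.
    Notebook-side equivalent of: SigninLogs | where UserPrincipalName in~ (...)"""
    hits = []
    for event in signins:
        entry = watchlist.get(event["UserPrincipalName"].casefold())
        if entry is not None:
            hits.append({**event, **{f"wl_{k}": v for k, v in entry.items()}})
    return hits


if __name__ == "__main__":
    wl = load_watchlist(WATCHLIST_CSV, "upn")
    wl = load_watchlist(WATCHLIST_CSV, "upn", existing=wl)  # re-upload: no duplicates
    for hit in match_signins(SIGNIN_LOGS, wl):
        print(hit["UserPrincipalName"], hit["IPAddress"], hit["wl_tier"])
```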
In conclusion, mastering the use of watchlists can greatly enhance your operations as a Microsoft Security Operations Analyst. So, gain a solid understanding of creating, managing, and leveraging watchlists for a better grasp on Azure Sentinel’s capabilities and to enhance your data’s relevance.
Practice Test
True/False: Watchlists in Azure Sentinel are used to store data for use in queries, detections, and investigative cases.
- True
- False
Answer: True
Explanation: Watchlists in Azure Sentinel provide a method to store reference sets of data that you are able to use within your queries, analytics rules, and threat intelligence.
Which of the following are typical use cases for watchlists in Azure Sentinel?
- A. Creation of a watchlist for investigation and lookup
- B. Use watchlists in analytic rules
- C. Creating a visualization of watchlist
- D. None of the above
Answer: A, B
Explanation: Watchlists can be used to store data for investigations and lookup, and can also be used in analytic rules to manage and monitor security alerts.
Multiple select: What are different types of Watchlists in Azure Sentinel?
- A. Static Watchlists
- B. Dynamic Watchlists
- C. Manual Watchlists
- D. Both A and B
Answer: D
Explanation: Azure Sentinel supports Static Watchlists and Dynamic Watchlists. Static Watchlists are populated manually or by uploading a CSV. Dynamic Watchlists are updated by a scheduled recurring import from Azure Storage.
True/False: In Azure Sentinel, every watchlist item has a unique ID.
- True
- False
Answer: True
Explanation: Every item in an Azure Sentinel watchlist has a unique ID together with its key-value pairs.
A user can upload data to a watchlist in Azure Sentinel from which of the following sources?
- A. A .csv file
- B. Direct manual entry
- C. Log analytics workspace
- D. Both A and B
Answer: D
Explanation: Users can either directly input data into a watchlist or upload it from a .csv file. Log analytics workspace data cannot be directly uploaded to a watchlist.
True/False: You can only query a watchlist in the Azure Sentinel using the KQL (Kusto Query Language).
- True
- False
Answer: True
Explanation: Watchlists are queried in Azure Sentinel using KQL, which helps you retrieve, manipulate and visualize data.
Which of the following are the key entities of a Watchlist Item?
- A. Values
- B. Identifiers
- C. Tags
- D. All of the above
Answer: D
Explanation: A Watchlist Item includes the key entities of Values, Identifiers, and Tags. They define the elements of a watchlist.
True/False: Once created, the type of a watchlist (static/dynamic) cannot be changed.
- True
- False
Answer: True
Explanation: The type of watchlist cannot be changed once it is created in Azure Sentinel.
Multiple select: What are the methods in Azure Sentinel by which a watchlist can be created?
- A. REST APIs
- B. Designer canvas
- C. Azure portal GUI
- D. Both A and C
Answer: D
Explanation: Watchlists can be created in Azure Sentinel using the REST APIs for programmatic creation or the Azure portal GUI.
True/False: When uploading a CSV file to a watchlist in Azure Sentinel, all columns in the CSV become watchlist item properties.
- True
- False
Answer: True
Explanation: With a CSV upload, the data from the CSV column becomes a property of a watchlist item. Each row in the CSV is a separate watchlist item.
Which feature of static Watchlists allows them to be updated through the API, or on a manual basis as often as needed?
- A. Flexibility
- B. Recurrence
- C. Customizability
- D. Versatility
Answer: A
Explanation: The flexibility of static Watchlists allows them to be updated as often as needed, either manually or via API.
True/False: A watchlist in Azure Sentinel can be deleted directly through the Azure portal.
- True
- False
Answer: True
Explanation: Watchlists can be managed, updated, or deleted in the Azure portal, through app interfaces, or using the APIs.
Multiple select: Which of these scenarios can watchlists be used for in Azure Sentinel?
- A. Building a list of trusted IPs
- B. Tracking known malicious IPs
- C. Tracking user login data
- D. Both A and B
Answer: D
Explanation: Watchlists in Azure Sentinel can be used for various scenarios including managing a list of trusted IPs or known malicious IPs but not for tracking user logon data.
True/False: The maximum number of watchlists one can create in Azure Sentinel is
- True
- False
Answer: False
Explanation: There’s no maximum limit. Users can create and load as many watchlists as they need, provided the overall data size does not exceed 500,000 KB.
Microsoft Azure Sentinel supports a maximum watchlist item value length of _____?
- A. 1024 characters
- B. 2048 characters
- C. 4096 characters
- D. 8192 characters
Answer: C
Explanation: Microsoft Azure Sentinel supports a maximum watchlist item value length of 4096 characters.
Interview Questions
Q1: What is a Watchlist in Azure?
A1: A Watchlist in Azure is a feature inside Azure Sentinel, which allows you to respond to security incidents and hunt for suspicious activities as per your organization’s requirements. It is essentially a data extension tool that helps in managing data within your workspace.
Q2: How do you create a Watchlist in Azure Sentinel?
A2: To create a Watchlist in Azure Sentinel, you’ll navigate to the “Watchlists” blade on the Azure Sentinel navigation menu, click “Add,” provide a name for the Watchlist, and upload a CSV file of your data.
Q3: Can we use the Azure Sentinel Watchlist for external threat intelligence feeds?
A3: Yes, Azure Sentinel Watchlists can be used to host external threat intelligence feeds.
Q4: What type of data should be typically included in Watchlists?
A4: Watchlists primarily include data points that can enrich alerts. This may include suspicious IPs, user IDs, machine names, or any entity types that Azure Sentinel supports.
Q5: Can Azure Sentinel Watchlists be updated automatically?
A5: Yes, Azure Sentinel Watchlists can be automatically updated through Logic Apps or through the Graph API for Watchlist items.
Q6: What happens if a CSV file is uploaded multiple times in the Watchlist?
A6: If you upload the same CSV multiple times, the existing entities in the Watchlist would get updated, not duplicated.
Q7: In what format are checks and validations performed when uploading data to Watchlists?
A7: Checks and validations are performed in the JSON format when uploading data to Watchlists.
Q8: What type of information will be displayed when you view a specific Watchlist?
A8: When you view a specific Watchlist it displays the list of unique entities that you can check or inspect. It also includes the time when the list was last updated.
Q9: How can Azure Sentinel Watchlists be utilized during investigations?
A9: During investigations, Watchlists can help to track suspicious user accounts, IP addresses, host names, etc. This enables quick access to a list of potentially suspicious entities that are relevant to the investigation.
Q10: What happens if you delete a Watchlist in Azure Sentinel?
A10: When a Watchlist is deleted in Azure Sentinel, it is permanently removed along with all its data and cannot be recovered.
Q11: Can you share a Watchlist across multiple Azure Sentinel Workspaces?
A11: No, you cannot share a Watchlist across multiple Azure Sentinel Workspaces. Each Workspace maintains its own set of Watchlists.
Q12: Is it possible to feed the Watchlist data through an API?
A12: Yes, Azure Sentinel supports a dedicated Graph API to feed data into the Watchlists programmatically.
Q13: Can Watchlists handle complex data types and structures?
A13: No, Watchlists currently only support simple, flat data structures in key-value pairs.
Q14: Is there a limit to the amount of data that can be uploaded to a Watchlist in Azure Sentinel?
A14: Yes, currently, a Watchlist can contain up to 1,000,000 rows of data.
Q15: Can we use a Watchlist to automate actions in Azure Sentinel?
A15: Yes, we can use a Watchlist in conjunction with Azure Logic Apps or Playbooks to automate actions based on the data in the Watchlist.