Azure Sentinel Kyndryl Training
M6: Watchlists


Last updated 2 years ago

This module will show you how to use Microsoft Sentinel watchlists in event correlation and enrichment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks.

Prerequisites

This module assumes that you have completed Module 1, because the data and the artifacts used in this module must already be deployed on your Microsoft Sentinel instance.

Exercise 1: Create a watchlist

You have received a message from the SOC manager informing you about a penetration test exercise that will run over the next few weeks. Your manager also tells you that the SIEM is already raising a number of incidents from IP addresses used by the penetration test team. These incidents all come from the rule "High count of connections by client IP on many ports", which fires when a single client IP address connects to 30 or more distinct ports on the IIS server within a 10-minute window. Your manager provides you with the list of the IP addresses involved in the penetration test.

  1. From the Microsoft Sentinel portal, go to the Watchlists menu and click Add new.

  2. In the watchlist wizard enter the following and click Next: Source:

    • Name: PenTestsIPaddresses

    • Description: IP addresses used during penetration tests

    • Watchlist Alias: PenTestIPaddresses

    • SearchKey field: IPAddress

  3. In the watchlist wizard, upload the PenTestsIPaddresses.csv file from your desktop, check the Results Preview and click Next: Review and Create.

  4. Click Create to finish the wizard.

  5. You are brought back to the Watchlists screen, where you see your newly created watchlist. The watchlist data takes about 1 minute to become available in the workspace. Wait until the Rows number changes from 0 to 6. Then click View in Log Analytics.

  6. Log Analytics opens with a query that calls _GetWatchlist('PenTestIPaddresses') and returns the six rows you uploaded; note that the function takes the watchlist alias (PenTestIPaddresses), not the display name. From the same logs screen you can also run _GetWatchlistAlias, which returns the aliases of all defined watchlists.

Exercise 2: Whitelist IP addresses in the analytics rule

  1. Go to Analytics, then Templates, and search for "High count of connections". Select the "High count of connections by client IP on many ports" rule and click Create rule.

  2. In the Set rule logic step of the wizard, expand the query window.

  3. At the top of the query, add the following KQL statement, which reads the IPAddress column from the watchlist created in Exercise 1 (referenced by its alias, PenTestIPaddresses, not by its display name PenTestsIPaddresses): let PenTestIPaddresses = _GetWatchlist('PenTestIPaddresses') | project IPAddress;

  4. Now add an additional where statement, placed after the source table and before the summarize that counts ports, so that records whose client IP address (cIP field) matches one of the IP addresses in the watchlist are discarded before they are counted. The statement is: | where cIP !in (PenTestIPaddresses)

  5. Continue through the wizard and save the modified rule. Because the exclusion is driven by the watchlist rather than hard-coded in the rule, the SOC can add or remove addresses without editing the rule again; remove the rows once the engagement ends, otherwise the exclusion becomes a permanent blind spot for those addresses.
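The following query is an added, self-contained example (it is not the page's own text nor the exact query of the Microsoft Sentinel rule template) that puts both exercises together: the watchlist rows and the IIS log are constructed inline with datatable and range so the query runs in any Log Analytics workspace, and the exclusion is applied before the aggregation. The six addresses, the sPort/cIP column choice and the threshold logic are assumptions that stand in for the CSV file and the template's real query.

```kusto
// Constructed stand-in for the six rows of PenTestsIPaddresses.csv
// (the page does not reproduce the file; these addresses are made up).
let PenTestWatchlist = datatable(IPAddress:string)
[
    "10.10.10.5", "10.10.10.6", "10.10.10.7",
    "10.10.10.8", "10.10.10.9", "10.10.10.10"
];
// In the real analytics rule replace the next line with:
//   let PenTestIPaddresses = _GetWatchlist('PenTestIPaddresses') | project IPAddress;
// (the argument is the watchlist ALIAS, not the display name PenTestsIPaddresses).
let PenTestIPaddresses = PenTestWatchlist | project IPAddress;
// Constructed IIS log (W3CIISLog shape, columns assumed): one pen-test host and one
// unknown host each hit 35 distinct server ports inside ten minutes, plus one
// ordinary client that only ever touches port 443.
let SampleIISLog =
    range i from 1 to 35 step 1
    | extend TimeGenerated = datetime(2024-03-01 10:00:00) + i * 10s,
             sPort = tostring(8000 + i)
    | project TimeGenerated, sPort
    | extend cIP = "10.10.10.5"                   // listed in the watchlist
    | union (range i from 1 to 35 step 1
             | extend TimeGenerated = datetime(2024-03-01 10:00:00) + i * 10s,
                      sPort = tostring(8000 + i)
             | project TimeGenerated, sPort
             | extend cIP = "203.0.113.77")       // not listed: must still alert
    | union (datatable(TimeGenerated:datetime, sPort:string, cIP:string)
             [datetime(2024-03-01 10:00:00), "443", "192.0.2.10"]);
let threshold = 30;
SampleIISLog
// Drop pen-test sources BEFORE summarizing, so their scans never feed the
// per-client port count; filtering after the summarize would still work here
// but would waste the aggregation on traffic you intend to ignore.
| where cIP !in (PenTestIPaddresses)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            PortCount = dcount(sPort), Ports = make_set(sPort)
            by cIP, bin(TimeGenerated, 10m)
| where PortCount >= threshold
| project StartTime, EndTime, cIP, PortCount, Ports
```

With the constructed data the query returns one row, for 203.0.113.77 with PortCount 35: the pen-test host 10.10.10.5 is suppressed by the watchlist and 192.0.2.10 never reaches the threshold. Swapping the datatable for _GetWatchlist('PenTestIPaddresses') gives the rule the same behaviour against live W3CIISLog data, and because _GetWatchlist also returns a SearchKey column, the project IPAddress step keeps the in-list to the single column the !in operator expects.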

Download the CSV file (PenTestsIPaddresses.csv, 90 B) to your desktop before starting Exercise 1.

You can now continue to Module 7 - Threat Intelligence.
