It has been over a year since Microsoft Azure Sentinel became generally available. Since then, the company has been regularly expanding the capabilities of the cloud-native Security Information and Event Management (SIEM) service. In the latest addition, Microsoft announced a Watchlist feature.

Watchlists in Azure Sentinel are currently in preview and allow the service to collect data from outside sources to compare with events within the Azure ecosystem. Microsoft points out the tool is ideal for security operations (SecOps) teams who need help finding threats and improving detection.

In a blog post, Microsoft explains that Watchlists can be used to investigate potential threats and to build alert filters. They can also hold imported business data that serves as the basis for allow and deny lists. Below are the core benefits of leveraging Watchlists in Sentinel, as Microsoft lists them:

  • “Investigate threats and respond to incidents quickly with fast import of IP addresses, file hashes, etc. from csv files. Then utilize the watchlist name/value pairs for joining and filtering for use in alert rules, threat hunting, workbooks, notebooks and for general queries.
  • Import business data, such as user lists with privileged system access as a watchlist. Then use the watchlist to create allow and deny lists. For example, use a watchlist that contains a list of terminated employees to detect or prevent them from logging in to the network.
  • Create allow-lists to reduce alert fatigue. For example, use a watchlist to build an allow list to suppress alerts from only a limited set of IP addresses to do specific functions and thus removing benign events from becoming alerts.
  • Use watchlists to enrich your event data with field-value combinations derived from external data sources.”
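The deny-list, allow-list and enrichment use cases above all come down to joining a watchlist against a log table in a KQL query. The query below is an added example written for this article, not code from Microsoft's post or from Sentinel itself. It assumes two hypothetical watchlists have already been imported from CSV: `TerminatedEmployees`, whose search key is the user principal name and which carries an extra `TerminationDate` column, and `ScannerAllowList`, whose search key is a source IP address. The `_GetWatchlist()` function and its `SearchKey` column are Sentinel's built-in way of reading a watchlist; the aliases, CSV column names and the use of the `SigninLogs` table are assumptions for illustration.

```kusto
// Added example, not part of the original article or Microsoft's post.
// Assumed watchlists (hypothetical aliases and columns):
//   TerminatedEmployees  - search key: UserPrincipalName, extra column: TerminationDate
//   ScannerAllowList     - search key: IPAddress
let lookback = 1d;
// Deny list: accounts of departed staff, keyed on a lower-cased UPN so the
// join is not broken by casing differences between the CSV and the sign-in logs.
let terminated = _GetWatchlist('TerminatedEmployees')
    | project UserPrincipalName = tolower(SearchKey), TerminationDate;
// Allow list: a small set of source IPs whose activity the SOC has decided
// not to alert on (for example a known vulnerability scanner).
let allowedIPs = _GetWatchlist('ScannerAllowList')
    | project IPAddress = SearchKey;
SigninLogs
| where TimeGenerated > ago(lookback)
// Successful sign-ins only; drop this line to also surface failed attempts.
| where ResultType == "0"
| extend UserPrincipalName = tolower(UserPrincipalName)
// Keep only sign-ins whose account is on the deny list (inner join).
| join kind=inner terminated on UserPrincipalName
// Remove rows whose source IP is on the allow list (anti join) to cut benign noise.
| join kind=leftanti allowedIPs on IPAddress
// Enrichment: TerminationDate comes from the watchlist, not from the sign-in event.
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, TerminationDate
| order by TimeGenerated desc
```

Run it from the Logs blade to check the join produces the expected rows before pasting it into a scheduled analytics rule. The search key for each watchlist is chosen at import time, so the column you match on (`UserPrincipalName` or `IPAddress` here) must be the one you designated as `SearchKey` when uploading the CSV.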

Improving Sentinel

If you are unfamiliar with Azure Sentinel, it works within Azure environments as a “cloud-native Security Information and Event Management (SIEM)” tool. It collects huge quantities of data from cloud-based services such as Office 365 and from third-party offerings.

Sentinel is a paid service within the Azure ecosystem: customers send their security logs to the service, and Microsoft analyzes that data to find security holes. The pay-as-you-go pricing model equates to $2.46 for every gigabyte (GB) of analyzed data. On the pricing page, Microsoft says a 100GB per day capacity costs $123 per day, with 500GB per day costing $492 per day.