How to Obtain and Import Data into the Azure Sentinel Watchlist Preview

Azure Sentinel News Editor by Azure Sentinel News Editor
December 28, 2020
in Security and Compliance

The Watchlist feature for Azure Sentinel is in public preview. I will cover it more in depth at a later date, but I wanted to answer a question that has become common recently with the customers I’ve been working with, now that Watchlists have shown up in their own Azure Sentinel consoles.

The question?

What are some good, free indicators I can add to the Watchlist for testing and how do I automate keeping those indicators up to date?

The bigger answer is that as an organization, your security team will need to identify some trusted sources and start there.

Here’s an example of a list of sources you can start with: https://threatfeeds.io/

ThreatFeeds.io supplies links and context about the links to download threat intel for various topics such as blocklists, malware, bad IPs, bad domains, etc.

The link for each is supplied. Grab the link and use the following PowerShell script to schedule a regular download…

# Force TLS 1.2 for the download; older Windows PowerShell hosts can otherwise negotiate a weaker protocol and fail against modern feed servers
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://yourURL"               # the feed download link copied from ThreatFeeds.io
$output = "c:\feeds\yourFEED.txt"      # local path for the downloaded feed (the folder must already exist)
Invoke-WebRequest -Uri $url -OutFile $output

As an example, I have one on my GitHub repo that pulls down the Talos IP blocklist: https://github.com/rod-trent/SentinelPS/blob/master/GetTalosIPfeed.ps1

The PowerShell script connects to the URL and downloads the feed to a C:\feeds\ folder. Make sure to change the $url and $output to match what you want.

Keep watching. I’ll probably end up modifying the PowerShell script to automate a bit more of the process.

How to Import Your Downloads

Currently the Watchlist feature for Azure Sentinel has a few caveats that you need to observe.

  1. .csv format is required.
  2. A header (title) is required for each column of data.
  3. You currently cannot update existing Watchlists. To update the content of a Watchlist, you have to delete the old one and upload the new information. But, this makes sense considering the feature is essentially providing the same process as importing custom log files into a custom table.

Fortunately, the majority of the supplied download links from ThreatFeeds.io are text files, so you just need to make sure to add a header (column title) and save it as a .csv file before importing it into the Watchlist blade in Azure Sentinel.

Add a column header and save as .csv

There was one threat indicator feed for malware URLs on ThreatFeeds.io that was in a .data format and the columns were separated by the # character. But, once I converted it to .csv, assigning the proper delimiter, it imported just fine. I’ll have to automate the conversion later on.
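The download script above and the conversion just described can be joined into one step. The following PowerShell is an added example, not code from the original post or from the author’s GitHub repo: it downloads a feed the same way, drops blank and comment lines, splits multi-column feeds on the feed’s own delimiter (such as the # character), and writes a .csv with the column titles the Watchlist import requires. The feed URL, file paths, column names (IPAddress, Id, URL, Description) and the layout of the #-delimited file are placeholders and assumptions; substitute the real values from your chosen source.

```powershell
# Added example (not from the original post or the author's repo).
# Normalises a downloaded threat feed into a header-bearing .csv that the
# Watchlist wizard accepts. URLs, paths and column names are placeholders.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Convert-FeedToWatchlistCsv {
    param(
        [Parameter(Mandatory)] [string]   $InputPath,      # raw feed as downloaded
        [Parameter(Mandatory)] [string]   $OutputPath,     # .csv for the Watchlist wizard
        [Parameter(Mandatory)] [string[]] $Header,         # one title per column (required by the import)
        [string] $Delimiter = '',                          # '' = one value per line; e.g. '#' for the .data feed
        [string] $CommentPrefix = '#'                      # lines starting with this are dropped; '' keeps all lines
    )

    $rows = foreach ($line in Get-Content -Path $InputPath) {
        $line = $line.Trim()
        if ($line -eq '') { continue }
        if ($CommentPrefix -ne '' -and $line.StartsWith($CommentPrefix)) { continue }

        # Multi-column feeds are split on their own delimiter; otherwise the
        # whole line is the single value (for example one IP address per line).
        $fields = if ($Delimiter -ne '') { $line -split [regex]::Escape($Delimiter) } else { @($line) }
        if ($fields.Count -ne $Header.Count) {
            Write-Warning "Skipping line with $($fields.Count) field(s), expected $($Header.Count): $line"
            continue
        }

        # One object per row, property names taken from the header, so that
        # Export-Csv writes the column titles as the first line of the file.
        $row = [ordered]@{}
        for ($i = 0; $i -lt $Header.Count; $i++) { $row[$Header[$i]] = $fields[$i].Trim() }
        [pscustomobject]$row
    }

    $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
    return ($rows | Measure-Object).Count
}

# One-column feed: a blocklist with a single IP address per line (placeholder URL, as in the post).
$url = "https://yourURL"
$raw = "C:\feeds\yourFEED.txt"
Invoke-WebRequest -Uri $url -OutFile $raw
$count = Convert-FeedToWatchlistCsv -InputPath $raw -OutputPath "C:\feeds\yourFEED.csv" -Header @('IPAddress')
Write-Host "Wrote $count indicator rows to C:\feeds\yourFEED.csv"

# Multi-column feed whose fields are separated by '#'. Because '#' is the
# delimiter here, comment skipping is turned off. The column names are assumed.
Convert-FeedToWatchlistCsv -InputPath "C:\feeds\malwareurls.data" -OutputPath "C:\feeds\malwareurls.csv" `
    -Header @('Id', 'URL', 'Description') -Delimiter '#' -CommentPrefix ''
```

Lines whose field count does not match the header are skipped with a warning rather than written, because a row with the wrong number of columns would fail validation in the wizard anyway. Scheduling the script (for example with Task Scheduler) keeps the .csv current; until Watchlists can be updated in place, the upload itself still has to be repeated as the post describes.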

To start the import…

In the Watchlist blade in Azure Sentinel click to import (Add new) a new Watchlist…

Add new Watchlist

In the Watchlist Wizard name your new Watchlist, provide a Description, and give it an Alias. This Alias will be used to query the information provided by the import.

Metadata

Next, on the Source tab in the Wizard, locate and select the source. In the following example, it’s the Talos IP blocklist that now has a proper header and has been saved as a .csv file.

Talos.csv

After selecting the file, the Watchlist Wizard will validate the upload and show a sample of the data.

Data sample

Once you’ve saved your new Watchlist, you’ll find it in the Watchlist blade listing. To view all the data, select the Watchlist and click the View in Log Analytics.

View the data in the Logs blade

This allows you to view the imported data in the Logs blade in Azure Sentinel.

Imported data

Note that the Watchlist feature works because of a Watchlist table that’s created and a _GetWatchlistAlias function to query the data.

My big disclaimer: This feature is still in preview. It’s fine for testing, but don’t use in production yet. As always, between private preview, public preview, and public release – features, functions, and capability could change significantly.

Reference: https://azurecloudai.blog/2020/10/07/how-to-obtain-and-import-data-into-the-azure-sentinel-watchlist-preview/
