Hello, World and welcome to yet another new episode of Azure vlog. I hope you are doing fine, I hope you are still healthy, I am, so let's talk about a new preview feature in Azure Sentinel called Watchlist.

I can imagine that you have queries where you run detections on all your users or computers or whatever resource you like, but you would like to exclude a couple of users. What you normally do is write down your query and include a where statement, most likely a "where username not in" followed by a list of usernames. This is a common scenario that I see at a lot of companies, but it results in state in your KQL query: your KQL query also holds the usernames that are excluded from your detection. And most likely you have a couple of other detections that exclude the same users, so if the users that you would like to exclude change, new users are added or users need to be removed, you have to do an update of a lot of KQL queries. Aside from good software development practices, where you try to keep as much data as possible out of your code, it's really a time-consuming activity to change a lot of queries for, yeah, changing a list.

So what Microsoft did, they invented watchlists in Azure Sentinel. That's basically a feature where you can manage lists, lists of usernames, IP addresses, any values you like, and you can include those lists in your KQL query. So instead of writing all the usernames down in your KQL query, you can reference the watchlist and Azure Sentinel will do its logic over there. So that is really awesome. In this vlog, I would like to explain to you how it works. So let's create a cup of espresso coffee and I'll show you how watchlists are working in Azure Sentinel.

[Music]

That was a very good espresso. So, enough energy to show you how watchlists work in Azure Sentinel. As you can see, I'm already in the Azure portal and I have an Azure Sentinel workspace open. If I go to Analytics, I want to show you one rule where I have an exclusion listing. If I click on this rule, click on edit and go to the rule logic, you'll see over here that I have created a rule which will detect changes on Azure Sentinel. It can be suspicious, right? If someone changes your SIEM. So I have an alert rule set up that will alert me when someone changes my SIEM, except from these accounts, which are my account and my Sentinel administrator account. So this is a typical query that I see at a lot of customers, which holds a certain kind of state in it: the UPNs of the users. And this list changes now and then, so I think it's not a good idea to have it in the query. Luckily Microsoft has a watchlist available now.

So here we are in Azure Sentinel. I went to the menu and clicked on Watchlist over here, and it's a vanilla, empty environment. So let's create our first watchlist. We click on "Add new" and it starts the wizard. I would like to define a list which holds my Azure Sentinel administrators, so I call it "Azure Sentinel Administrators". "List of Azure Sentinel administrators" is a good description, and the alias, this is the thing that we use in Azure Sentinel to query the watchlist. I will call it "azure sentinel admins". So let's click on next.

This is the part of the wizard where we can upload our list. At this moment only a CSV format with a header is supported. So let me show you the list that I will upload. If I go over here and open my Sentinel administrator CSV file, I have a column that's called username and I have three users in there. All right, so if I go to browse over here and click on the CSV file, you see that it is already parsed over here: it detected the column name and the values that are part of the column. So if we go to next, everything looks good, so we can create our list.

So our list has now been created. If I go over to Logs, we can query this list from a KQL query. So if I go over here and I type underscore Get Watchlist (_GetWatchlist()), I need to enter the name of our watchlist, or the alias, I must say. We called it "azure sentinel admins", and I click on run. You'll see that my list is displayed over here. So we can treat this function as a table name.

So when I show you the query that was stated in my analytics rule, we can replace this part of the query, where we filter out the users that are excluded from this detection. Let me show you how I would do that. So the underscore Get Watchlist (_GetWatchlist()), we can treat it as a table, which means that it does not work with the contains statement anymore. So we need to use a join for that. So let's start with that: join, and the kind that we are going to use is leftanti. This basically transforms the join statement into some kind of filter. We can make sure that we see all the records that are in AzureActivity but do not have a match in the watchlist. So let's go on. We want to join on the Get Watchlist. I need to define the name of the watchlist over here; I called it "azure sentinel admins". Then I need to configure on what columns I will join this list. So for the left column, I will use the Caller, that is the name which holds the username in the AzureActivity table, and it should be equal to the right, so the watchlist part of the join, and we called it username over there. Remember the CSV that I showed you: the first column was called username and that was the header, so we can treat that as the column name.

So if I run this, it will not show us any results. I'm logged in with my account and I changed Azure Sentinel in a legal way. So if I change this, for example, to the inner kind, it now only shows me the records of AzureActivity which have a match on the username in the "azure sentinel admins" watchlist. You'll see that there are records in there, a lot actually. So this is working. I change it back to leftanti and I will now copy this whole thing.

So let's now change our analytics rule so it will work with the watchlist that I've created. Let's go to the analytics rule, click on edit, go to the Set rule logic page and update this whole query with my newly created query that uses the watchlist. So this is a much cleaner solution. We don't have the usernames in there, and this is much better. It will improve the quality of code, and also the need to change this query has drastically decreased, as the list is managed outside of the query. And also what is really interesting is that we can reuse this watchlist in other detections. So if you have multiple detections that use the same exclusions, you can define them in one list and reuse that list in all your detections. That's really helpful, I think. So let's save my detection and then we are done.

So if I would now like to update my watchlist, currently there is no update mechanism in Azure Sentinel. So what I need to do in order to update the watchlist, I need to remove it and recreate it with a changed watchlist. So let's update my watchlist. Let's add a new user, sample two at jeronenniesen.com. Let's save this one. Let's close it. I will copy the alias because we need that in a minute, and delete my old rule. Let's now create the new rule. "Azure Sentinel administrators" it was called, and I had an alias over here. I'll leave description empty right now. Let's upload the new list. As you can see, sample two is in there right now. Let's create it. So if I now go to Logs over here, let me query the watchlist; "azure sentinel admins" it was called. Let's run this, and you'll see that now my new value has been added. So by adding the new account to my watchlist, it automatically now is also part of my analytics rule without changing the query logic. So that is really nice.

So in this video, you saw how we can work with watchlists in Azure Sentinel. I have demonstrated how we can create a watchlist from a CSV file and use it as an exclusion for our KQL queries. It is really helpful. It can save you a lot of time if you need to change a lot of queries where that kind of state is in. So make use of this feature, it's really helpful and it's easy to work with. So with that, I would like to close this Azure vlog. I hope you like this; if so, please hit the thumbs up button, of course subscribe to this channel, ring the notification bell so you know when I upload a new video, and of course I'll see you in the next one. Bye!

[Music]
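The queries built in the video, written out as an added KQL example (this is not the vlog author's own query text). It assumes the AzureActivity table with its Caller, OperationNameValue, ActivityStatusValue and ResourceProviderValue columns, a watchlist with the alias "azure sentinel admins" whose CSV header column is username, as in the video, and it uses a ResourceProviderValue filter as an assumed way to scope the detection to Azure Sentinel changes; the UPNs in the "before" query are placeholders. The three statements are separate Log Analytics queries: the original hard-coded exclusion, the watchlist version with a leftanti join, and the inner-join sanity check the video uses to confirm the join actually matches rows.

```kql
// --- Before: exclusions hard-coded in the rule (the list is state inside the query) ---
// Placeholder UPNs; every change to this list means editing every rule that has it.
AzureActivity
| where ResourceProviderValue =~ "Microsoft.SecurityInsights"    // assumed scope filter
| where Caller !in ("admin@example.com", "sentineladmin@example.com")
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue

// --- After: the same detection with the exclusion list managed in a watchlist ---
// _GetWatchlist('<alias>') behaves like a table, so the list is joined instead of
// used in an `in` clause. kind=leftanti keeps only AzureActivity rows that have NO
// match in the watchlist, i.e. changes made by callers who are not listed admins.
// Caller and the CSV values are lower-cased first because the join operator
// compares strings case-sensitively and UPNs are often logged in mixed case.
AzureActivity
| where ResourceProviderValue =~ "Microsoft.SecurityInsights"    // assumed scope filter
| extend CallerKey = tolower(Caller)
| join kind=leftanti (
    _GetWatchlist('azure sentinel admins')
    | project username = tolower(username)    // 'username' is the CSV header column
  ) on $left.CallerKey == $right.username
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue

// --- Sanity check from the video: flip to kind=inner to see only the matched rows ---
// If this returns nothing while the leftanti query returns everything, the join is
// not matching: check the alias, the CSV header name and the casing of the UPNs.
AzureActivity
| where ResourceProviderValue =~ "Microsoft.SecurityInsights"    // assumed scope filter
| extend CallerKey = tolower(Caller)
| join kind=inner (
    _GetWatchlist('azure sentinel admins')
    | project username = tolower(username)
  ) on $left.CallerKey == $right.username
| summarize Changes = count() by Caller
```

When you paste the leftanti version into the analytics rule, the rule's logic no longer changes when an administrator joins or leaves; only the watchlist does. Running the inner-join check once after each watchlist recreation is a cheap way to confirm the new list is actually being applied before relying on the exclusion.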