Posts

Showing posts with the label Watchlist

Use Watchlists in Azure Sentinel

Plan for Azure Sentinel Watchlists

Azure Sentinel watchlists collect data from external data sources so that it can be correlated with the events in your Azure Sentinel environment. Common scenarios for using watchlists include:

- Investigating threats and responding to incidents quickly with the rapid import of IP addresses, file hashes, and other data from CSV files. Once imported, you can use watchlist name-value pairs for joins and filters in alert rules, threat hunting, workbooks, notebooks, and general queries.
- Importing business data as a watchlist. For example, import user lists with privileged system access, or terminated employees, and then use the watchlist to create allow as well as deny lists used to detect or prevent those users from logging in to the network.
- Reducing alert fatigue. Create allow lists to suppress alerts from a group of users, such as users from authorized IP addresses that perform tasks that would normally trigger the alert, and pre...