The Watchlist feature for Azure Sentinel in public preview. I will cover this more in depth at a later date, but I wanted to answer a question that has become more common recently with customers I’ve been working with recently when this showed up in their own Azure Sentinel consoles.
The question?
What are some good, free indicators I can add to the Watchlist for testing and how do I automate keeping those indicators up to date?
The bigger answer is that as an organization, your security team will need to identify some trusted sources and start there.
Here’s an example of a list of sources you can start with: https://threatfeeds.io/
ThreatFeeds.io supplies links and context about the links to download threat intel for various topics such as blocklists, malware, bad IPs, bad domains, etc.
The link for each is supplied. Grab the link and use the following PowerShell script to schedule a regular download…
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://yourURL"
$output = "c:\feeds\yourFEED.txt"
Invoke-WebRequest -Uri $url -OutFile $outputAs an example, I have one on my GitHub repo that pulls down the Talos IP blocklist: https://github.com/rod-trent/SentinelPS/blob/master/GetTalosIPfeed.ps1
The PowerShell script connects to the URL and downloads the feed to a C:\feeds\ folder. Make sure to change the $url and $output to match what you want.
Keep watching. I’ll probably end up modifying the PowerShell script to automate a bit more of the process.
How to Import Your Downloads
Currently the Watchlist feature for Azure Sentinel has a few caveats that you need to observe.
- .csv format is required.
- A header (title) is required for each column of data.
- You currently cannot update existing Watchlists. To update the content of a Watchlist, you have to delete the old one and upload the new information. But, this makes sense considering the feature is essentially providing the same process as importing custom log files into a custom table.
Fortunately, the majority of the supplied download links from ThreatFeeds.io are text files, so you just need to make sure to add a header (column title) and save it as a .csv file before importing it into the Watchlist blade in Azure Sentinel.
There was one threat indicator feed for malware URLs on ThreatFeeds.io that was in a .data format and the columns were separated by the # character. But, once I converted it to .csv, assigning the proper delimiter, it imported just fine. I’ll have to automate the conversion later on.
To start the import…
In the Watchlist blade in Azure Sentinel click to import (Add new) a new Watchlist…
In the Watchlist Wizard name your new Watchlist, provide a Description, and give it an Alias. This Alias will be used to query the information provided by the import.
Next, on the Source tab in the Wizard, locate and select the source. In the following example, it’s the Talos IP blocklist that now has a proper header and has been saved as a .csv file.
After selecting the file, the Watchlist Wizard will validate the upload and show a sample of the data.
Once you’ve saved your new Watchlist, you’ll find it in the Watchlist blade listing. To view all the data, select the Watchlist and click the View in Log Analytics.
This allows you to view the imported data in the Logs blade in Azure Sentinel.
Note that the Watchlist feature works because of a Watchlist table that’s created and a _GetWatchlistAlias function to query the data.
My big disclaimer: This feature is still in preview. It’s fine for testing, but don’t use in production yet. As always, between private preview, public preview, and public release – features, functions, and capability could change significantly.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
