On Wednesday of this week, there were a couple announcements around enhancements to the Watchlisting capability for Azure Sentinel. If you missed those, please read What’s New: Azure Sentinel Watchlist Support for ARM Templates! – Microsoft Tech Community and What’s New: Azure Sentinel Update Watchlist UI Enhancements – Microsoft Tech Community.
On Wednesday evening, we talked through this new functionality on the Microsoft Security Insights podcast and Twitch stream. The Twitch.TV recording is still available here: https://www.twitch.tv/videos/1058385869.
But, there’s one cool piece of collateral as part of this announcement that may have gotten buried in the midst of all the feature release excitement. Included in the ARM template blog post, there’s a link to an ARM-based deployment of a ready-made Watchlist that contains all the Azure Global IP addresses per service. This is a fantastic list and is immediately useful for your Azure Sentinel work. I can’t tell you how many times customers ask for this information and now, here it is, directly in the Azure Sentinel console.
The Watchlist can be located here: Azure-Sentinel/Watchlists/Azure-Public-IPs at master · Azure/Azure-Sentinel (github.com)
At the bottom of the GitHub page is the button/link to deploy the template to your own Azure Sentinel environment. If you’ve never done this before, clicking on the Deploy to Azure button starts the process. Directions to do this (and a manual deployment method) are on the page.
Once you’ve deployed the Watchlist, you can query against specific data. For example, the following shows all the IP addresses related to Azure Active Directory…
_GetWatchlist('AzurePublicIPList') | where ExceptionNotesAPIPs == "AzureActiveDirectory"
Here’s another example that can be used in an Analytics Rule to only report/generate an alert if the IP address is NOT in the Watchlist – essentially turning the IPs for the Azure services into a trusted list.
let watchlist = (_GetWatchlist('AzurePublicIPList') | project ExceptionIPAPIPs); AzureActivity | where CallerIpAddress !in (watchlist)
This snippet of a KQL query would be used at the top of an Analytics Rule. This one is specific to an Analytics Rule that queries against the AzureActivity table (Azure Activity Log).
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
You must log in to post a comment.