In the Sign-in logs you will regularly see Application IDs as user accounts. Most generally, these will be our own application IDs for commonly used services and products. These are generally considered non-nefarious, but they can show up in Incidents and take time to investigate.
So, here’s a Watchlist you can employ in your Microsoft Sentinel environment that contains some of these commonly identified applications.
Download the Watchlist: https://cda.ms/4cK
Install the Watchlist: https://cda.ms/4cL
Use the Watchlist in an Analytics Rule: https://cda.ms/4cM
The Watchlist was taken from: Application IDs for commonly used Microsoft applications
This is not an exhaustive list, and you’ll find others in the Sign-in logs that you’ll need to add to this Watchlist over time. But this is a good start. I’ll update the list as time permits. If you make significant updates, feel free to fork the repo.
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Learn KQL with the Must Learn KQL series and book]