Microsoft Sentinel Watchlist for Verifying First-party Microsoft Applications in Sign-in reports

In the Sign-in logs you will regularly see Application IDs as user accounts. Most generally, these will be our own application IDs for commonly used services and products. These are generally considered non-nefarious, but they can show up in Incidents and take time to investigate.

So, here’s a Watchlist you can employ in your Microsoft Sentinel environment that contains some of these commonly identified applications.

Download the Watchlist:

Install the Watchlist:

Use the Watchlist in an Analytics Rule:

The Watchlist was taken from: Application IDs for commonly used Microsoft applications

This is not an exhaustive list, and you’ll find others in the Sign-in logs that you’ll need to add to this Watchlist over time. But this is a good start. I’ll update the list as time permits. If you make significant updates, feel free to fork the repo.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]