Automate your SOC – Welcome to the VIP Room

Watchlist Module

Welcome back to the SOCAutomator series. Did you miss us? Today we’re going to dig into how the STAT module works with Microsoft Sentinel watchlists. But first, let’s define what a watchlist is.

Analysts often need the ability to correlate security events and insights with other non-security data sources, such as lists of critical assets, trusted systems, or terminated employees. This is often done through time-consuming, manual analysis of external data sources. Now, you can easily import collections of data from external sources as a watchlist in Sentinel.

Once the data is in Sentinel, you can use it in analytics rules, threat hunting, workbooks, notebooks and with any KQL query. You can also use it with STAT. In this example, I’m going to show you how you can use VIP Users and VIP Hosts watchlists to drive incident scoring in STAT.

There is a built-in template in Sentinel for VIP Users – a list of user accounts/employees that have high impact value in the organization. These could be C-level execs, domain admins, engineers or any user you are concerned about getting compromised. There is another template for High Value Assets (which I call VIP Hosts for simplicity) which lists devices, resources, or other assets that have critical value in the organization. In my watchlist, I have domain controllers and edge devices.

If you have never created a watchlist before, please check out the documentation here. If you already have your watchlists created, let’s move on to STAT. If you recall from our previous posts, each module has its own parameters. The Get-WatchlistInsights module checks the incident entities for any of the following entity types:

  • Account (UPN)
  • IP Address
  • Host (FQDN)

Sample Logic App

Module Trigger Parameters

Parameter | Expected Values | Description
--- | --- | ---
AddIncidentComments | True/False (Default: True) | When set to true, the results of the query will be added to the Sentinel incident comments
AddIncidentTask | True/False (Default: False) | When set to true, a task will be added to the Sentinel incident to review the query results if results are found
Base Module Body | Body (dynamic content) | The Body should be selected from the Dynamic content of the Base-Module response
IncidentTaskInstructions | Markdown text | A list of instructions you want to include in the task
WatchlistKey | Column name | The column name of the watchlist to match with the entity data, such as the UPN or IP address. If the WatchlistKey has a space in it, you must enter the key in the following format: ['Key Name']
WatchlistKeyDataType | upn, ip, cidr or fqdn | The type of data in the WatchlistKey column. Use cidr if the WatchlistKey column contains subnets in CIDR notation
WatchlistAlias | Sentinel watchlist alias | The alias of the watchlist in Sentinel you want to check

Module Return Results

Result | Description
--- | ---
DetailedResults | An array of detailed results for each item that was checked against the watchlist
EntitiesAnalyzedCount | Count of entities checked against the watchlist
EntitiesOnWatchlist | True if any entities were found on the watchlist
EntitiesOnWatchlistCount | Count of entities found on the watchlist
ModuleName | The internal name of the playbook
WatchListName | Name of the watchlist that was queried

Watchlist Scoring

When scoring the Watchlist Module, if ScorePerItem=True the returned score will be 10 * WatchlistMatchCount * ScoreMultiplier. If ScorePerItem=False, the returned score will be 10 * ScoreMultiplier when one or more watchlist matches are found, and 0 otherwise.

As you see above, if two items in the VIP Users watchlist are part of the incident, the score would be 10*2*100 (because my ScoreMultiplier is set to 100).
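To make the matching and scoring rules concrete, here is a small Python emulation of what the module does with the parameters and return values described above. This is an added example, not STAT’s own code: the entity layout, the column names and the sample watchlist rows are all constructed for illustration, and the module is assumed to compare UPNs, FQDNs and IPs case-insensitively and to test CIDR keys with a subnet containment check.

```python
import ipaddress

# Which incident entity kind each WatchlistKeyDataType is compared against
# (Account -> upn, IP Address -> ip or cidr, Host -> fqdn).
ENTITY_KIND_FOR_KEY_TYPE = {"upn": "account", "ip": "ip", "cidr": "ip", "fqdn": "host"}

def check_watchlist(entities, watchlist_rows, key_column, key_type, alias):
    """Emulate Get-WatchlistInsights: compare incident entities to one watchlist column."""
    kind = ENTITY_KIND_FOR_KEY_TYPE[key_type]
    candidates = [e for e in entities if e["kind"] == kind]
    keys = [row[key_column] for row in watchlist_rows]
    if key_type == "cidr":
        networks = [ipaddress.ip_network(k, strict=False) for k in keys]
    else:
        lowered = {k.lower() for k in keys}   # assumption: case-insensitive comparison
    detailed = []
    for entity in candidates:
        value = entity["value"]
        if key_type == "cidr":
            try:
                on_list = any(ipaddress.ip_address(value) in net for net in networks)
            except ValueError:                # entity value is not a valid IP address
                on_list = False
        else:
            on_list = value.lower() in lowered
        detailed.append({"Entity": value, "OnWatchlist": on_list})
    matched = sum(1 for d in detailed if d["OnWatchlist"])
    return {
        "DetailedResults": detailed,
        "EntitiesAnalyzedCount": len(detailed),
        "EntitiesOnWatchlist": matched > 0,
        "EntitiesOnWatchlistCount": matched,
        "ModuleName": "Get-WatchlistInsights",   # placeholder for the internal playbook name
        "WatchListName": alias,
    }

def watchlist_score(results, score_multiplier, score_per_item=True):
    """Apply the scoring rule from the post: per match, or a flat score for any match."""
    matches = results["EntitiesOnWatchlistCount"]
    if score_per_item:
        return 10 * matches * score_multiplier
    return 10 * score_multiplier if matches > 0 else 0

# Constructed sample data: a VIP Users watchlist and an incident with four entities.
VIP_USERS = [{"UserPrincipalName": "ceo@contoso.example"},
             {"UserPrincipalName": "da-admin@contoso.example"}]
INCIDENT_ENTITIES = [
    {"kind": "account", "value": "CEO@contoso.example"},
    {"kind": "account", "value": "da-admin@contoso.example"},
    {"kind": "account", "value": "intern@contoso.example"},
    {"kind": "ip", "value": "10.0.0.5"},
]
```

Running check_watchlist over the sample incident with the VIP Users list yields two matches, so a ScoreMultiplier of 100 gives 2000 with ScorePerItem=True and 1000 with ScorePerItem=False.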

As you can see, VIP scoring can be very valuable in prioritizing incidents.

Let’s automate your SOC – Introduction to automating your Microsoft Sentinel

Automate your SOC – Let’s talk about STAT, baby

Automate your SOC – Noise is the enemy of speed

Automate your SOC – Risky Business

Automate your SOC – Oh, that user again?

Automate your SOC – Rise of the machine (risk)

Automate your SOC – Known Badness