Watchlist Module
Welcome back to the SOCAutomator series. Did you miss us? Today we’re going to dig into how the STAT module works with Microsoft Sentinel watchlists. But first, let’s define what a watchlist is.
Analysts often need the ability to correlate security events and insights with other non-security data sources, such as lists of critical assets, trusted systems, or terminated employees. This is often done through time consuming, manual analysis of external data sources. Now, you can easily import collections of data from external sources as a watchlist in Sentinel.
Once the data is in Sentinel, you can use them in analytics rules, threat hunting, workbooks, notebooks and with any KQL query. You can also use them with STAT. In this example, I’m going to show you how you can use VIP Users and VIP Hosts to help with scoring with STAT.
There is a built-in template in Sentinel for VIP Users – a list of user accounts/employees that have high impact value in the organization. These could be C-level execs, domain admins, engineers or any user you are concerned about getting compromised. There is another template for High Value Assets (which I call VIP Hosts for simplicity) which lists devices, resources, or other assets that have critical value in the organization. In my watchlist, I have domain controllers and edge devices.
If you have never created a watchlist before, please check out the documentation here. If you already have your watchlists created, let’s move on to STAT. If you recall from our previous posts, each module has its own parameters. The Get-WatchlistInsights module will check the incident entities to see if there are:
- Account (UPN)
- IP Address
- Host (FQDN)
Sample Logic App
Module Trigger Parameters
| Parameter | Expected Values | Description |
|---|---|---|
| AddIncidentComments | True/False (Default:True) | When set to true, the results of the query will be added to the Sentinel Incident Comments |
| AddIncidentTask | True/False (Default:False) | When set to true, a task will be added to the Sentinel incident to review the query results if results are found. |
| Base Module Body | Body (dynamic content) | The Body should be selected from the Dynamic content of the Base-Module response |
| IncidentTaskInstructions | Markdown Text | A list of instructions you want to include in the task |
| WatchlistKey | ColumnName | The column name of the watchlist to match with the entity data, such as the UPN or IP Address. If the WatchlistKey has a space in it, you must enter the key in the following format: [‘Key Name’] |
| WatchlistKeyDataType | upn, ip, cidr or fqdn | The type of data in the WatchlistKey column. Use CIDR if the WactchlistKey contains subnets using CIDR notation |
| WatchlistAlias | Sentinel Watchlist Alias | This is the Alias of the Watchlist in Sentinel you want to check. |
Module Return Results
| Property | Description |
|---|---|
| DetailedResults | An Array of detailed results from each item that was checked against the watchlist |
| EntitiesAnalyzedCount | Count of entities checked against the watchlist |
| EntitiesOnWatchlist | True if any entities were found on the watchlist |
| EntitiesOnWatchlistCount | Count of entities found on the watchlist |
| ModuleName | The internal Name of the Playbook |
| WatchListName | Name of the watchlist that was queried |
Watchlist Scoring
When scoring the Watchlist Module if ScorePerItem=True then the returned score will be 10 * WatchlistMatchCount * ScoreMultiplier. If ScorePerItem=False the returned score will be 10 * ScoreMultiplier if 1 or more watchlist match is found.
As you see above, if I have two items in the VIP Users watchlist that are part of the incident, the score would be 10*2*100 (because my ScoreMultiplier is set to 100).
As you can see, VIP scoring can be very valuable in prioritizing incidents.
Let’s automate your SOC – Introduction to automating your Microsoft Sentinel
Automate your SOC – Let’s talk about STAT, baby
Automate your SOC – Noise is the enemy of speed
Automate your SOC – Risky Business
Automate your SOC – Oh, that user again?