I am now fully prepared to commence the creation of valuable artifacts within Microsoft Sentinel. This phase of the project will delve into the intricacies of watchlists, covering the creation of custom watchlists and the utilization of their robust features to augment my security operations.
Navigate to the left side bar, click on "Watchlist" under Configuration.
- Click on "Add new".
- Give your Watchlist a name and alias. I will put "Tor-IP-Addresses" for both.
- Name: "Tor-IP-Addresses".
- Alias: "Tor-IP-Addresses".
- Click on "Source".
- Download the Tor+Exit+Nodes.csv file [HERE](https://github.com/jefftsui1/Cybersecurity-Home-Labs/blob/main/Guided-Labs/Ethical%20Hacking/Pavel%20Hrabec/Azure%20Sentinel%20SIEM%20Project/Tor%2BExit%2BNodes.csv). This CSV file that contains all the IP addresses.
- Back to the Source page. We will choose:
- Source type: "Local file".
- File type: "CSV file with a header (.csv)".
- Number of lines before row with headings: "0".
- Drag the CSV file in "Upload file" box.
- Searchkey: "IpAddress".
- Click on "Next: Review _ create >"
- Click on "Create".
- Click on the "TOR-IP-Addresses" on the My Watchlists page.
- Click on "View in logs".
- This is functional Watchlist and how Watchlist looks when it is called with KQL.
- We can easily modify our Watchlist. To do that we have to:
- Click "Microsoft Sentinel | Watchlist" at the top of the page.
- Click on Update watchlist > Edit watchlist items.
- In this Edit watchlist items page, it is very easy to modify or add any items into the watchlist.
Create Watchlist to Detect Threats
I am now fully prepared to commence the creation of valuable artifacts within Microsoft Sentinel. This phase of the project will delve into the intricacies of watchlists, covering the creation of custom watchlists and the utilization of their robust features to augment my security operations.
- Click on "Add new".
- Give your Watchlist a name and alias. I will put "Tor-IP-Addresses" for both. - Name: "Tor-IP-Addresses". - Alias: "Tor-IP-Addresses".
- Click on "Source".
- Download the Tor+Exit+Nodes.csv file [HERE](https://github.com/jefftsui1/Cybersecurity-Home-Labs/blob/main/Guided-Labs/Ethical%20Hacking/Pavel%20Hrabec/Azure%20Sentinel%20SIEM%20Project/Tor%2BExit%2BNodes.csv). This CSV file that contains all the IP addresses. - Back to the Source page. We will choose: - Source type: "Local file". - File type: "CSV file with a header (.csv)". - Number of lines before row with headings: "0". - Drag the CSV file in "Upload file" box. - Searchkey: "IpAddress". - Click on "Next: Review _ create >"
- Click on "Create".
- Click on the "TOR-IP-Addresses" on the My Watchlists page. - Click on "View in logs".
- This is functional Watchlist and how Watchlist looks when it is called with KQL.
- We can easily modify our Watchlist. To do that we have to: - Click "Microsoft Sentinel | Watchlist" at the top of the page. - Click on Update watchlist > Edit watchlist items.
- In this Edit watchlist items page, it is very easy to modify or add any items into the watchlist.