Cyber Intelligence
Microsoft Sentinel · 50-55% of exam

L14. Watchlists, Threat Intelligence and UEBA

Watchlists, threat intelligence integration, and User and Entity Behavior Analytics (UEBA) enhance Sentinel detection and investigation capabilities. This lesson covers watchlist operations, TI indicators, UEBA configuration, and their use in analytics rules for the SC-200 exam.

Watchlists

Watchlists are lookup tables uploaded to Sentinel (typically from CSV files) that enrich detection and investigation. Common watchlist use cases:

  • Privileged user accounts to monitor closely
  • Terminated employee accounts for activity detection
  • Approved IP ranges for allowlisting in analytics rules
  • Critical assets requiring heightened alerting
  • Service accounts with their expected behaviors

Watchlists are referenced in KQL using the _GetWatchlist('WatchlistAlias') function:

let TerminatedUsers = _GetWatchlist('TerminatedEmployees')
| project UserPrincipalName;
SigninLogs
| where UserPrincipalName in (TerminatedUsers)
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType

Key properties:
  • Maximum size: 10 million rows per watchlist
  • Supported formats: CSV (with header row)
  • Each watchlist needs a unique SearchKey column
  • Watchlists are stored in the workspace and queryable like any table
Exam tip: Use _GetWatchlist() in KQL to reference watchlist data. Watchlists are ideal for enrichment and allowlisting/blocklisting in analytics rules.
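As an added example that is not part of the lesson, the query below combines a blocklist-style and an allowlist-style watchlist in one analytics rule: successful sign-ins by accounts in an assumed PrivilegedAccounts watchlist are reported only when they come from outside the CIDR ranges in an assumed ApprovedIPRanges watchlist. Both watchlist aliases and their column names are assumptions.

```kusto
// Added example, not from the lesson. Assumed watchlists (aliases and columns
// are constructed for this example):
//   PrivilegedAccounts : column UserPrincipalName (used as the SearchKey)
//   ApprovedIPRanges   : column CidrRange, e.g. 203.0.113.0/24
let PrivilegedUsers =
    _GetWatchlist('PrivilegedAccounts')
    | project UserPrincipalName = tolower(UserPrincipalName);
// collapse the approved ranges into one dynamic array for ipv4_is_in_any_range()
let ApprovedRanges =
    toscalar(_GetWatchlist('ApprovedIPRanges') | summarize make_list(CidrRange));
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                        // successful sign-ins only
| where isnotempty(IPAddress)
| extend UserPrincipalName = tolower(UserPrincipalName)
// blocklist-style use: keep only the accounts we watch closely
| where UserPrincipalName in (PrivilegedUsers)
// allowlist-style use: drop sign-ins that originate inside an approved range.
// ipv4_is_in_any_range() returns null for IPv6 addresses, so those rows are
// filtered out here; handle IPv6 ranges separately if your tenant uses them.
| where not(ipv4_is_in_any_range(IPAddress, ApprovedRanges))
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName
```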

Threat Intelligence

Sentinel integrates threat intelligence (TI) indicators for detection and enrichment. Ingestion methods:

Method | Source
Threat Intelligence: TAXII connector | STIX/TAXII 2.0 and 2.1 feeds
Threat Intelligence upload API | Bulk indicator import via API
Microsoft Defender Threat Intelligence (MDTI) | Microsoft's own TI platform
Threat intelligence platforms | Integration with TIP products (Anomali, ThreatConnect, etc.)

Indicator types: IP addresses, domains, URLs, file hashes, email addresses

TI indicators are stored in the ThreatIntelligenceIndicator table and can be:

  • Used in analytics rules for IOC matching
  • Queried in hunting sessions
  • Visualized in the Threat Intelligence blade
  • Matched automatically using the TI Map analytics rules
Built-in TI analytics rules:
  • TI Map IP Entity to ...: Matches IPs from TI against sign-in logs, firewall logs, DNS logs, etc.
  • TI Map Domain Entity to ...: Matches domains against DNS queries and proxy logs
  • TI Map FileHash Entity to ...: Matches file hashes against endpoint events
Exam tip: The built-in "TI Map" analytics rules automatically correlate threat intelligence indicators against your log data. Enable them for the data sources you ingest.
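The built-in TI Map rules follow the pattern shown in this added example (it is not one of the shipped rules): take the latest version of each IP indicator from ThreatIntelligenceIndicator, discard inactive or expired ones, and join the survivors against firewall events in CommonSecurityLog. The lookback windows are illustrative values.

```kusto
// Added example, not a built-in TI Map rule. Column names follow the
// ThreatIntelligenceIndicator and CommonSecurityLog schemas.
let event_lookback = 1d;     // how far back to scan log data
let ioc_lookback   = 14d;    // how far back to collect indicator updates
let ActiveIpIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | where isnotempty(NetworkIP)
    // an indicator is re-written on every update: keep only its latest version
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // then drop indicators the feed has revoked or that have expired
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, NetworkIP, ConfidenceScore, ThreatType, Description;
CommonSecurityLog
| where TimeGenerated >= ago(event_lookback)
| where isnotempty(DestinationIP)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
          DestinationPort, DeviceAction
// inner join: only events whose destination IP is a current indicator survive
| join kind=inner ActiveIpIndicators on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
          DestinationPort, DeviceAction, IndicatorId, ConfidenceScore,
          ThreatType, Description
```

The same structure applies to domain and file-hash indicators by swapping NetworkIP for the matching indicator column and joining on the corresponding log field.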

Microsoft Defender Threat Intelligence (MDTI)

MDTI provides Microsoft-curated threat intelligence including:

  • Reputation scoring for IPs, domains, and URLs
  • Analyst-written articles on threat actors and campaigns
  • Attack surface discovery (internet-exposed assets)
  • Vulnerability intelligence

MDTI data enriches Sentinel investigations by providing context for entities encountered during incident analysis.

User and Entity Behavior Analytics (UEBA)

UEBA builds behavioral baselines for users and entities, then flags anomalies. Data sources for UEBA:

  • Microsoft Entra ID (sign-in and audit logs)
  • Azure Activity logs
  • Windows Security Events
  • Syslog data
Anomaly types:
  • Unusual sign-in location or time
  • First-time access to a resource
  • Anomalous number of failed authentications
  • Unusual volume of activity
  • Impossible travel (sign-ins from geographically distant locations in short succession)

UEBA adds investigation priority scores to entity pages. Higher scores indicate more anomalous behavior. Configuration steps:

  1. Enable UEBA in Sentinel Settings > Entity behavior
  2. Select data sources to analyze
  3. Wait for the baseline learning period (typically 14 days)
Exam tip: UEBA requires a 14-day learning period to establish behavioral baselines. Anomalies detected before this period may be unreliable.
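Once the learning period is over, the anomalies and investigation priority scores UEBA produces are queryable like any other data. This added example (not from the lesson) assumes UEBA writes them to the BehaviorAnalytics table and ranks users by their highest score over the last day; the threshold is illustrative.

```kusto
// Added example, not from the lesson. Assumes UEBA is enabled, its learning
// period has passed, and anomalies land in the BehaviorAnalytics table with an
// InvestigationPriority score (higher = more anomalous).
BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where InvestigationPriority >= 5            // threshold chosen for illustration
| summarize AnomalousEvents = count(),
            MaxPriority     = max(InvestigationPriority),
            LastSeen        = max(TimeGenerated),
            SourceIPs       = make_set(SourceIPAddress, 10),
            Locations       = make_set(tostring(SourceIPLocation), 10),
            Activities      = make_set(ActivityType, 10)
    by UserPrincipalName
// users with the most severe, then the most frequent, anomalies first
| order by MaxPriority desc, AnomalousEvents desc
```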

Exam Focus Points
  • Watchlists are referenced in KQL using _GetWatchlist("alias") and support up to 10 million rows.
  • Built-in "TI Map" analytics rules automatically correlate threat intelligence indicators against log data.
  • UEBA requires a 14-day learning period to establish behavioral baselines for accurate anomaly detection.
  • Threat intelligence indicators are stored in the ThreatIntelligenceIndicator table.
  • TAXII 2.0/2.1 connectors ingest STIX-formatted threat intelligence feeds into Sentinel.
  • UEBA adds investigation priority scores to entity pages based on behavioral anomalies.

Knowledge Check

1. An analytics rule needs to check if a sign-in IP address appears in a list of known malicious IPs uploaded as a CSV. Which Sentinel feature should be used?

2. UEBA has been enabled in Sentinel today. When will the behavioral anomaly detections become reliable?

3. Which Sentinel table stores threat intelligence indicators ingested from TAXII feeds and the upload API?