Agent Foskett Academy • Microsoft Sentinel • Module 2 • Lesson 11

Lesson 11 — Microsoft Sentinel Watchlists

Watchlists allow Microsoft Sentinel to compare security events against information that matters to your organisation.

They bring business context into investigations by identifying VIP users, critical assets, approved IP addresses, trusted applications and other important reference data.

Instead of treating every event equally, Sentinel can prioritise what matters most.

Watchlists bring business context into your security investigations.
Agent Foskett Microsoft Sentinel playbooks and Logic Apps lesson
What you will learn

This lesson explains how Sentinel playbooks use Azure Logic Apps to automate SOC workflows.

What Microsoft Sentinel Watchlists are
How Watchlists work
KQL integration
Best practices

Learning objectives

  • Understand Watchlists
  • Create and upload CSV watchlists
  • Choose a Search Key
  • Use Watchlists in KQL
  • Apply Watchlists during investigations

Why Watchlists matter

Security logs rarely know which users, devices or IP addresses are most important to your business. Watchlists provide that missing context.

What is a Watchlist?

A Watchlist is a table of business-specific information uploaded into Microsoft Sentinel. Common examples include VIP users, domain controllers, approved IP ranges, service accounts, suppliers and trusted applications.

Agent Foskett tip:

Watchlists don't detect threats—they help Sentinel understand what deserves extra attention.

How Watchlists fit into investigations

CSV File │ ▼ Sentinel Watchlist │ ▼ KQL Query │ ▼ Analytics Rule or Investigation │ ▼ Higher quality SOC decisions

Typical Watchlists

  • VIP Users
  • Critical Servers
  • Approved IP Addresses
  • Trusted Domains
  • Service Accounts
  • Approved Applications

Search Key

Every Watchlist has a Search Key. Choose the column most commonly used in your KQL queries because it is indexed for lookups.

KQL example

let VIP = _GetWatchlist('VIPUsers'); SigninLogs | lookup VIP on UserPrincipalName

Best practices

  • Keep data current
  • Use meaningful names
  • Document ownership
  • Remove obsolete entries
  • Avoid massive datasets

Lesson takeaway

Watchlists enrich Microsoft Sentinel with business knowledge, making analytics, hunting and investigations more relevant and efficient.

Lesson summary
Microsoft Sentinel playbooks use Azure Logic Apps to automate notifications, enrichment, ticket creation, comments and external response workflows. Safe playbooks use clear triggers, least privilege, strong testing and documented ownership.
Sentinel Academy Home

Microsoft Sentinel Playbooks and Logic Apps

Microsoft Sentinel Watchlists allow analysts to enrich investigations using organisation-specific data such as VIP users, trusted IP addresses and critical assets.

Microsoft Sentinel Lesson 11

This Agent Foskett Microsoft Sentinel Academy lesson explains playbooks, Azure Logic Apps, triggers, actions, connectors, managed identities, permissions, testing and SOC automation.