Lesson 11 — Microsoft Sentinel Watchlists
Watchlists allow Microsoft Sentinel to compare security events against information that matters to your organisation.
They bring business context into investigations by identifying VIP users, critical assets, approved IP addresses, trusted applications and other important reference data.
Instead of treating every event equally, Sentinel can prioritise what matters most.
What you will learn
This lesson explains how Sentinel playbooks use Azure Logic Apps to automate SOC workflows.
Learning objectives
- Understand Watchlists
- Create and upload CSV watchlists
- Choose a Search Key
- Use Watchlists in KQL
- Apply Watchlists during investigations
Why Watchlists matter
Security logs rarely know which users, devices or IP addresses are most important to your business. Watchlists provide that missing context.
What is a Watchlist?
A Watchlist is a table of business-specific information uploaded into Microsoft Sentinel. Common examples include VIP users, domain controllers, approved IP ranges, service accounts, suppliers and trusted applications.
Watchlists don't detect threats—they help Sentinel understand what deserves extra attention.
How Watchlists fit into investigations
Typical Watchlists
- VIP Users
- Critical Servers
- Approved IP Addresses
- Trusted Domains
- Service Accounts
- Approved Applications
Search Key
Every Watchlist has a Search Key. Choose the column most commonly used in your KQL queries because it is indexed for lookups.
KQL example
Best practices
- Keep data current
- Use meaningful names
- Document ownership
- Remove obsolete entries
- Avoid massive datasets
Lesson takeaway
Watchlists enrich Microsoft Sentinel with business knowledge, making analytics, hunting and investigations more relevant and efficient.
Related Agent Foskett learning
Continue learning
Microsoft Sentinel Playbooks and Logic Apps
Microsoft Sentinel Watchlists allow analysts to enrich investigations using organisation-specific data such as VIP users, trusted IP addresses and critical assets.
Microsoft Sentinel Lesson 11
This Agent Foskett Microsoft Sentinel Academy lesson explains playbooks, Azure Logic Apps, triggers, actions, connectors, managed identities, permissions, testing and SOC automation.
