Microsoft Sentinel – Using Watchlists

Last Updated: 12/05/2025

Watchlists in Microsoft Sentinel let you correlate your own reference data (for example a list of users or IP addresses) with the log data already in your workspace. They give you a mechanism for building more targeted, custom analytical rules and can help with investigations and hunting.

What is a Watchlist?

In short, a watchlist is a list of data that you define and upload into a table in Microsoft Sentinel. You can then query that data from KQL and correlate it with the event logs that you have.

The example I tend to use is around VIP Users. You can upload a list of VIP Users and use this list to search for events specific to only those users. You can then create bespoke analytical rules for VIP users that have a higher severity and kick off different automation rules.

This is only one example, but the same approach applied to other entities, such as file hashes, IP addresses and user accounts, gives us lots of opportunity to build out custom rules and automations.

Key Use Cases

The following are some of the key use cases, each of which also has a Microsoft-provided template.

  • VIP Users
  • Service Accounts
  • High Value Assets
  • Internal Networking Addresses
  • Terminated Employees

Watchlists can be used to:

  • Create more customised analytical rules
  • Support general queries, as a table to join against or filter on
  • Create allowlists to suppress alerts from certain entities

Limitations

There are a few limitations for watchlists, some of the key ones are:

  • The watchlist name and alias must each be between 3 and 64 characters.
  • The first and last character must be alphanumeric. However, you can include whitespace, underscores and hyphens in the name.
  • The total number of active watchlist items is limited to 10 million.
  • Local file uploads (.csv) are limited to 3.8 MB in size.

Please note that there is a preview feature that allows file uploads from an Azure Storage Account, expanding the file size limit to 500 MB. Larger data volumes can be ingested as custom logs to work around some of these limitations.

For a full list of limitations, please visit this Microsoft article.

Example Usage

Setting up a Watchlist for VIP Users

Log in to your Microsoft Sentinel instance and navigate to ‘Watchlist’, then to ‘Templates (Preview)’. For this example, we will use the VIP Users template.

Microsoft Sentinel Watchlist

We will then be presented with the Watchlist wizard. From here, we can download the schema, which gives us a .csv file that we can populate with our VIP Users.

Note: For this Watchlist, the ‘User Principal Name’ is the mandatory field. However, it is useful to populate the ‘User AAD Object ID’ and ‘User On-Prem SID’ where possible. For more details on the schema for VIP Users, Microsoft have documented it here.

Microsoft Sentinel Watchlist VIP User

Once we have populated the file, we can upload it in the wizard. You will be able to see the data in the file preview pane once you select the file. We can then click ‘Next’, review our configuration and select ‘Create’ to finish creating our Watchlist.

We should now see our VIP Users Watchlist under ‘My Watchlists’.

Microsoft Sentinel Watchlists VIP Users

From here there are options to update the Watchlist or to view it within Logs.

Using the Watchlist in a Query

As an example, we can query our sign-in logs for the users in our VIP User Watchlist.

Microsoft Sentinel Watchlist KQL

Whilst it is a simple query, we can build upon it with further filters to identify suspicious sign-ins from our VIP users. The example KQL query can be found here in my GitHub.
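Here is an added example of what that built-up query can look like. It is not the query from the original post or the author's GitHub; it also covers the "allowlist" use case from the list above by dropping sign-ins from known internal ranges. It assumes the VIP watchlist was created with the alias VIPUsers and carries the template column ‘User Principal Name’, and that a second watchlist with the alias InternalNetworks has a CIDR column named IPSubnet; both aliases and column names are assumptions, so adjust them to match your own watchlists.

```kql
// Added example (not the query from the original post): suspicious sign-ins
// by VIP users, with an allowlist of internal address ranges.
// Assumptions: the VIP watchlist alias is 'VIPUsers' and carries the template
// column 'User Principal Name'; the internal-network watchlist alias is
// 'InternalNetworks' with a CIDR column named 'IPSubnet'.
let lookback = 7d;
let vips = _GetWatchlist('VIPUsers')
    | project VipUpn = tolower(tostring(['User Principal Name'])),
              VipTags = tostring(column_ifexists('Tags', ''));
let internalNets = _GetWatchlist('InternalNetworks')
    | project IPSubnet = tostring(column_ifexists('IPSubnet', ''))
    | where isnotempty(IPSubnet);
SigninLogs
| where TimeGenerated > ago(lookback)
| extend Upn = tolower(UserPrincipalName)
// Keep only sign-ins by users on the VIP list
| join kind=inner vips on $left.Upn == $right.VipUpn
// Allowlist: look the source IP up against the internal CIDRs and keep only
// the rows that did not match (unmatched rows come back with an empty IPSubnet)
| evaluate ipv4_lookup(internalNets, IPAddress, IPSubnet, return_unmatched = true)
| where isempty(IPSubnet)
| extend Country = tostring(LocationDetails.countryOrRegion),
         Risky = RiskLevelDuringSignIn in ("medium", "high"),
         Failed = ResultType != "0"
| summarize Total = count(),
            FailedSignins = countif(Failed),
            RiskySignins = countif(Risky),
            Countries = make_set(Country, 10),
            SourceIPs = make_set(IPAddress, 20),
            Apps = make_set(AppDisplayName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by UserPrincipalName, VipTags
// Surface users with a burst of failures, any risky sign-in, or sign-ins
// from more than one country in the lookback window
| where FailedSignins >= 5 or RiskySignins > 0 or array_length(Countries) > 1
| order by RiskySignins desc, FailedSignins desc
```

Use _GetWatchlist() rather than querying the Watchlist table directly; it is the supported way to read a watchlist. If you set the watchlist's search key to the UPN column when creating it, you can join on the SearchKey column instead, which is optimised for lookups. The thresholds at the end are starting points to tune for your environment.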

Template Rule for VIP Users

Alternatively, there is an analytical rule within the Entra ID solution in the Content Hub that also uses the VIP Users Watchlist. The rule is called “NRT Authentication Methods Changed for VIP Users”.


Microsoft Sentinel VIP User Analytical Rule

This NRT rule queries the Entra ID audit logs for changes to authentication methods (for example, adding a new MFA method) and filters them to users in the VIP Users watchlist, so it alerts you whenever a defined VIP user's authentication methods change.

It’s a good rule to have in place and certainly shows how Watchlists can be used to further tune rules.

For more information on the rule, please visit this link to the YAML file in GitHub for the rule.
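For illustration, here is an added example of the same kind of detection. It is an approximation written for this page, not the content-hub rule's own query (the YAML linked above is the authoritative version). It assumes the VIP watchlist alias is VIPUsers with a ‘User Principal Name’ column, and the ActivityDisplayName values in the list are the Entra ID audit-log names for security-info (authentication method) changes; treat that list as an assumption to verify against your own AuditLogs before relying on it.

```kql
// Added example (an approximation, not the content-hub rule's own query):
// authentication-method (security info) changes for users on the VIP watchlist.
// Assumptions: watchlist alias 'VIPUsers' with a 'User Principal Name' column;
// the ActivityDisplayName values below are the Entra ID audit-log names for
// security-info changes and should be verified against your own logs.
let vips = _GetWatchlist('VIPUsers')
    | project VipUpn = tolower(tostring(['User Principal Name']));
let securityInfoActions = dynamic([
    "User registered security info",
    "User changed default security info",
    "User deleted security info",
    "Admin registered security info",
    "Admin updated security info",
    "Admin deleted security info"]);
AuditLogs
| where Category == "UserManagement"
| where ActivityDisplayName in~ (securityInfoActions)
// The account whose methods changed is the first target resource
| extend TargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
// Who made the change: a user (self-service or admin) or an application
| extend InitiatedByUpn = tostring(InitiatedBy.user.userPrincipalName),
         InitiatedByIp = tostring(InitiatedBy.user.ipAddress),
         InitiatedByApp = tostring(InitiatedBy.app.displayName)
// Restrict to changes on VIP accounts
| join kind=inner vips on $left.TargetUpn == $right.VipUpn
| extend Actor = coalesce(InitiatedByUpn, InitiatedByApp),
         SelfService = tolower(InitiatedByUpn) == TargetUpn
| project TimeGenerated, TargetUpn, ActivityDisplayName, Result, Actor,
          SelfService, InitiatedByIp, CorrelationId
| order by TimeGenerated desc
```

As an NRT rule this runs roughly every minute, so no lookback filter is needed. When turning it into a rule, map TargetUpn to the Account entity and InitiatedByIp to the IP entity so that the incident carries both the victim account and the source of the change; the SelfService flag helps an analyst separate a user enrolling a new phone from an admin or an attacker with a stolen session registering a method on their behalf.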

Summary

Hopefully this guide helps you navigate the uses of Watchlists in Microsoft Sentinel. They are incredibly useful and powerful, especially for adding more context and refinement to your existing analytical rules.

If you haven’t done so already, please check out my Microsoft Sentinel Cheat Sheet.

Thanks for reading!
