Редактиране

Споделяне чрез


Microsoft Sentinel built-in watchlist template schemas (preview)

This article details the schemas used in each built-in watchlist template provided by Microsoft Sentinel. For more information, see Create watchlists in Microsoft Sentinel.

The Microsoft Sentinel watchlist templates are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

High Value Assets

The High Value Assets watchlist lists devices, resources, and other assets that have critical value in the organization, and includes the following fields:

Field name Format Example Mandatory/Optional
Asset Type String Device, Azure resource, AWS resource, URL, SPO, File share, Other Mandatory
Asset Id String, depending on asset type /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourceGroups/SOC-Purview/providers/Microsoft.Storage/storageAccounts/purviewadls Mandatory
Asset Name String Microsoft.Storage/storageAccounts/purviewadls Optional
Asset FQDN FQDN Finance-SRv.local.microsoft.com Mandatory
IP Address IP 1.1.1.1 Optional
Tags List ["SAW user","Blue Ocean team"] for CSV files created in Microsoft Excel or [""SAW user"",""Blue Ocean team""] for CSV files created in a text editor Optional

VIP Users

The VIP Users watchlist lists user accounts of employees that have high impact value in the organization, and includes the following values:

Field name Format Example Mandatory/Optional
User Identifier UID 52322ec8-6ebf-11eb-9439-0242ac130002 Optional
User AAD Object Id SID 03fa4b4e-dc26-426f-87b7-98e0c9e2955e Optional
User On-Prem Sid SID S-1-12-1-4141952679-1282074057-627758481-2916039507 Optional
User Principal Name UPN JeffL@seccxp.ninja Mandatory
Tags List ["SAW user","Blue Ocean team"] for CSV files created in Microsoft Excel or [""SAW user"",""Blue Ocean team""] for CSV files created in a text editor Optional

Network Addresses

The Network Addresses watchlist lists IP subnets and their respective organizational contexts, and includes the following fields:

Field name Format Example Mandatory/Optional
IP Subnet Subnet range 198.51.100.0/24 Mandatory
Range Name String DMZ Optional
Tags List ["Example","Example"] for CSV files created in Microsoft Excel or [""Example"",""Example""] for CSV files created in a text editor Optional

Terminated Employees

The Terminated Employees watchlist lists user accounts of employees that have been, or are about to be, terminated, and includes the following fields:

Field name Format Example Mandatory/Optional
User Identifier UID 52322ec8-6ebf-11eb-9439-0242ac130002 Optional
User AAD Object Id SID 03fa4b4e-dc26-426f-87b7-98e0c9e2955e Optional
User On-Prem Sid SID S-1-12-1-4141952679-1282074057-123 Optional
User Principal Name UPN JeffL@seccxp.ninja Mandatory
UserState String

We recommend using either Notified or Terminated
Terminated Mandatory
Notification date Timestamp - day

We recommend using the UTC format
2020-12-1 Optional
Termination date Timestamp - day

We recommend using the UTC format
2021-01-01 Mandatory
Tags List ["SAW user","Amba Wolfs team"] for CSV files created in Microsoft Excel or [""SAW user"",""Amba Wolfs team""] for CSV files created in a text editor Optional

Identity Correlation

The Identity Correlation watchlist lists related user accounts that belong to the same person, and includes the following fields:

Field name Format Example Mandatory/Optional
User Identifier UID 52322ec8-6ebf-11eb-9439-0242ac130002 Optional
User AAD Object Id SID 03fa4b4e-dc26-426f-87b7-98e0c9e2955e Optional
User On-Prem Sid SID S-1-12-1-4141952679-1282074057-627758481-2916039507 Optional
User Principal Name UPN JeffL@seccxp.ninja Mandatory
Employee Id String 8234123 Optional
Email Email JeffL@seccxp.ninja Optional
Associated Privileged Account ID UID/SID S-1-12-1-4141952679-1282074057-627758481-2916039507 Optional
Associated Privileged Account UPN Admin@seccxp.ninja Optional
Tags List ["SAW user","Amba Wolfs team"] for CSV files created in Microsoft Excel or [""SAW user"",""Amba Wolfs team""]for CSV files created in a text editor Optional

Service Accounts

The Service Accounts watchlist lists service accounts and their owners, and includes the following fields:

Field name Format Example Mandatory/Optional
Service Identifier UID 1111-112123-12312312-123123123 Optional
Service AAD Object Id SID 11123-123123-123123-123123 Optional
Service On-Prem Sid SID S-1-12-1-3123123-123213123-12312312-2916039507 Optional
Service Principal Name UPN myserviceprin@contoso.com Mandatory
Owner User Identifier UID 52322ec8-6ebf-11eb-9439-0242ac130002 Optional
Owner User AAD Object Id SID 03fa4b4e-dc26-426f-87b7-98e0c9e2955e Optional
Owner User On-Prem Sid SID S-1-12-1-4141952679-1282074057-627758481-2916039507 Optional
Owner User Principal Name UPN JeffL@seccxp.ninja Mandatory
Tags List ["Automation Account","GitHub Account"] for CSV files created in Microsoft Excel or [""Automation Account"",""GitHub Account""]for CSV files created in a text editor Optional

Next steps

For more information, see,