Watchlist Insight

There is a nice new Preview feature in Microsoft Sentinel entity pages: Watchlist Insights.

In the attached example we can identify that an IP address seen in a brute force attack against an Azure VM is an internal address in our VPN Client pool, as we have that address range defined in a Watchlist.

It’s a small thing, but every feature that makes asset and entity identification easier in alert investigation is worth to have.

Read more about creating and managing watchlists in the official documentation: https://docs.microsoft.com/en-us/azure/sentinel/watchlists