Process - WfA – Adding in an exception to the Sentinel watchlist

When a staff member receives approval to work from abroad, it is essential for the Cyber Security team to add the user to an exception list. This process helps prevent the generation of false positives, ensuring that legitimate activities by these users are not mistakenly flagged as security threats. Once the staff member returns to the UK, the exception should be promptly removed to maintain the integrity of the security monitoring system.

Adding to the Exception Watchlist

1. Go to Microsoft Sentinel -> Configuration -> Watchlist (Microsoft Sentinel - Microsoft Azure)

2. Select the “MC – Working from Abroad Authorized Users” watchlist

3. Click on “Update watchlist”

4. Then “Edit watchlist items”

A screenshot of a computerDescription automatically generated

5. Click on “+ New”

A screenshot of a computerDescription automatically generated

6. Enter in the email address in the new field.

7. Click on Save

A screenshot of a computerDescription automatically generated

8. Wait for the notification that confirms it saved successfully.

A screenshot of a computerDescription automatically generated

_____________________________________________________________________________________________________

Removing from the Exception Watchlist

1. Go to Microsoft Sentinel -> Configuration -> Watchlist (Microsoft Sentinel - Microsoft Azure)

2. Select the “MC – Working from Abroad Authorized Users” watchlist

3. Click on “Update watchlist”

4. Then “Edit watchlist items”

5. Select the user

6. Click on Delete

A screenshot of a computerDescription automatically generated

7. Confirm deletion by clicking on “Yes”

A white background with black textDescription automatically generated

8. Wait for the notification that confirms it saved successfully.

A screenshot of a computerDescription automatically generated