Creating a User Watchlist

Is it possible to create a user watchlist so I can keep track of any suspicious or anomalous behavior on a user's account?

Hello @vpolius,

Good question. We could benefit from this kind of capability too.

I think there is no built-in functionality for this at the moment. But we could make a custom SIEM rule which looks for a filtered list of users (related.users is one of ...) in the SIEM alert indices.

If any alert contains related.users with one of these users, it should trigger an alert. (It won't work with threshold rules, though, I think.)
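The watchlist filter described in the reply above, as an added example that is not part of the original posts or of the SIEM product's own code: it builds the rule query from a list of usernames and runs the same match over alert documents. The usernames, the sample alerts and the `rule_name` key are constructed, and the field name is taken as written in the reply, so check it against your own alert mapping.

```python
WATCHLIST = ["jdoe", "svc-backup"]   # constructed usernames
USER_FIELD = "related.users"         # as written in the reply (assumption)

def build_kql(users, field=USER_FIELD):
    """KQL for a custom query rule: field : ("a" or "b")."""
    if not users:
        raise ValueError("empty watchlist")
    esc = lambda u: u.replace("\\", "\\\\").replace('"', '\\"')
    return "{} : ({})".format(
        field, " or ".join('"%s"' % esc(u) for u in sorted(set(users))))

def build_dsl(users, field=USER_FIELD):
    """Equivalent Elasticsearch Query DSL filter (exact-match terms query)."""
    return {"bool": {"filter": [{"terms": {field: sorted(set(users))}}]}}

def field_values(doc, dotted):
    """Read a field stored nested or flattened; always return a list of strings."""
    if dotted in doc:
        val = doc[dotted]
    else:
        val = doc
        for part in dotted.split("."):
            if not isinstance(val, dict) or part not in val:
                return []          # field absent: such alerts can never match
            val = val[part]
    vals = val if isinstance(val, (list, tuple)) else [val]
    return [v for v in vals if isinstance(v, str)]

def watchlist_hits(alerts, users, field=USER_FIELD):
    """Return (rule_name, matched_users) for every alert touching the watchlist."""
    wanted, hits = set(users), []
    for alert in alerts:
        matched = sorted(wanted.intersection(field_values(alert, field)))
        if matched:
            hits.append((alert.get("rule_name"), matched))
    return hits

# Constructed alert documents, simplified to the fields the match needs.
SAMPLE_ALERTS = [
    {"rule_name": "Multiple failed logins", "related": {"users": ["jdoe", "admin"]}},
    {"rule_name": "New admin role", "related.users": "svc-backup"},
    {"rule_name": "Unusual process", "related": {"users": ["alice"]}},
    {"rule_name": "Login burst"},   # no user field populated
]

if __name__ == "__main__":
    print(build_kql(WATCHLIST))
    for name, users in watchlist_hits(SAMPLE_ALERTS, WATCHLIST):
        print(name, users)
```

The match is exact and case-sensitive, so the watchlist entries need to be in the same form the alerts store usernames in.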