Using Microsoft Sentinel Watchlists in a Cross Workspace query

Introduction In my last post, I talked about how to get a single (or a few) entries from a Microsoft Sentinel watchlist. I introduced the fact that watchlists are stored in the “Watchlist” table. We can use this to perform cross workspace queries. _GetWatchlist Again, in my last blog post, I talked about the “_GetWatchlist” […]

How to get a single row from a Microsoft Sentinel watchlist quickly

Introduction 19 Jan 2024 UPDATE: I have posted this same information (not quite as detailed) in the Microsoft Sentinel blog at Querying Watchlists – Microsoft Community Hub however, it does have a section on “bag_unpack” and the best way to use it. As I am sure you already know, you can get the entries from […]

Programming book Version 1.0 finally ready!

I have finally finished the first version of my “Programming Microsoft Sentinel using REST APIs” EBook is ready to go. You can download it from: garybushey/ProgrammingMicrosoftSentinel: Programming Microsoft Sentinel book ( Let me know what you think. Can you easily follow it? Are the examples (both in the descriptions and use cases) useful and easy […]

Create a Word document that describes your Microsoft Sentinel environment

Introduction I have been asked numerous times if there was an easy way to document your Microsoft Sentinel configuration (most recently just last week). I didn’t know of any programs that did this, so I wrote my own. It was something that I had wanted to do for quite some time, but only recently was […]

Create a CSV containing Microsoft Sentinel Solution information

Introduction UPDATE: Modified the code to show Required Data Connectors information and the workbook to use this information. With Microsoft Sentinel moving everything into the Content Hub it may be hard to find the solution you need. You can currently search in the Content Hub, but it will only search the Title and description for […]

A new way to install Microsoft Sentinel solutions

Introduction As I stated in my last post, Microsoft Sentinel is changing the way that templates are created in a new instance of Microsoft Sentinel. You can read the post here: A tale of two … Analytic Rule template APIs – Yet Another Security Blog ( to get more information on it. In that post, […]

A tale of two … Analytic Rule template APIs

You may have noticed that when you go into your Microsoft Sentinel Analytic rule templates area, you will see a banner like the one shown below: What does this mean? Basically, Microsoft Sentinel is not going to deploy all the Analytic rule templates (as well as Workbook templates, hunting queries, and data connectors) when a […]

Call Microsoft Sentinel REST APIs from JavaScript

Introduction While all my previous posts regarding calling Microsoft Sentinel REST APIs have been done in PowerShell, that is definitely not the only way to call them. PowerShell is a great language and has its place but so does JavaScript and C# (which will be a blog post in the near future). We will utilize […]

Create a Word report of all Microsoft Sentinel solution resources

Introduction Microsoft Sentinel has solutions, under Content hub, that can be used to install multiple Microsoft Sentinel resources at one time. These resources include This makes is much easier to install what you need when you need it. With the upcoming change coming so that all the out-of-the-box content is moving to solutions (see Out-of-the-box […]