Create a Word Document report from a Microsoft Sentinel Incident

Introduction I recall reading a post where someone asked if there was a way to generate a word document when an incident was closed for reporting purposes. There is no built-in way, but by using a Playbook, a Team’s site (or other SharePoint site), and a Word template, you can do this. The Playbook, Word […]

Create a rule from a Microsoft Sentinel solution’s rule template

Introduction In a previous post, Getting ALL the Microsoft Sentinel rule templates – Yet Another Security Blog (, I explained how you can use PowerShell to get all the rule templates that a Microsoft Solution created. In this post, I will tell you how to then use these rule templates to create rules. Spoiler: It […]

Determine KQL queries that reference CommonSecurityLog

Introduction If you have not heard, there are changes coming to Microsoft Sentinel’s CommonSecurityLog table. This is the table that stores information received from CEF ingestion. To read about the changes, go to Upcoming changes to the CommonSecurityLog table – Microsoft Community Hub This blog post is about a PowerShell script that I wrote which […]

Programmatically enable Microsoft Sentinel solutions

Introduction One last post for 2022! Microsoft Sentinel has the Content Hub which, at the time this post was written, is still in preview. Inside the Content Hub are two types of entries: Solutions and Standalone contents. Standalone contents are pretty new and are just single entities that can be enabled and be listed using […]

Use Watchlists and a Playbook to automatically add Tasks to Incidents

Introduction With the public preview of being able to add Tasks to Incidents is a great step forward, it seems to be missing a feature IMHO. The ability to add the tasks as part of the rule so they automatically get added to the incidents would be a great feature to have. I am not […]

Adding tasks to a Microsoft Sentinel incident via REST API

Introduction The new ability to add tasks to an incident in Microsoft Sentinel is one of the best new features IMHO. It takes one big step forward in being able to completely handle the complete incident investigation within Microsoft Sentinel. As of right now, you can either run an automation rule or use the Microsoft […]

Getting ALL the Microsoft Sentinel rule templates

Introduction I recently had someone tell me that code I had written a while ago to allow the user to automatically update rules from rule templates didn’t get all the rule templates. After mumbling some comments under my breath that I should not mention here, I decided to take a look. First of all, I […]

Extract Microsoft Sentinel MITRE information to CSV file – Part III

Introduction Some exciting news! I have updated the “Export-AzSentinelMITREToCSV.ps1” file so that the individual rules can be saved to the CSV file instead of just the counts. This can be found in my GitHub repo here An older version of this can be found in the official Microsoft Sentinel GitHub repo located here. I am […]