Another blog to help expand Security Knowledge
Microsoft quietly released the Incident settings page in the Scheduled Analytics rule wizard. On this page you can state whether you want the alert to create an incident, if the alerts should be grouped into a single alert, and if you want to re-open closed incidents when a new alert is generated. The page looks […]
Could this mean that an announcement of support Azure Sentinel REST API is coming soon? Let’s hope so! Take a look: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights
I was playing around with workbooks and noticed that there is a new preview Data Source called Azure Resource Manager. When I selected it I noticed that the Path it wanted begins with /subscription so I thought I would try it with the URL to get Incidents from Sentinel. Lo and behold it worked! It […]
I was looking the latest changes MS made to the Azure Sentinel REST API (available at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview) and noticed that they now have an entire section called “incidents” that can be used just as “cases” could before. This makes more sense since, during the beta, Alerts created “cases” but now they create “incidents” . This […]
Introduction IMHO, one of the biggest PITA when setting up a new instance of Azure Sentinel is that while Microsoft gives you all these great Analytic rule templates, you have to select each, one at a time, to create a rule from them. These PowerShell scripts will avoid that. First, there is a PowerShell command, […]