Book on programming Microsoft Sentinel


I am working on a book on how to use the Microsoft Sentinel REST APIs to perform your tasks. Rather than dealing with the hassle of a publisher, I am following in Rod Trent’s footsteps and writing it as a word document which will be released as a PDF. Time (and interest) permitting, I will then create an EBook for it as well.

Why a book on programming?

You may be asking why I would write a book on programming Microsoft Sentinel using the REST APIs when there is already documentation out there.  Well, while I know the documentation team and that they do excellent work, the documentation for the REST API is lacking. Most of the documentation comes from the JSON definition of the REST APIs themselves.

For example, “Alert Rules” overview section just lists the operations available. It doesn’t really tell you what the “Alert Rules” APIs are for.  Yes, you could figure it out by looking at the operations (and I really hope you can guess what they are for), but you really shouldn’t have to, so I did it for you.

I also hope to give you a better idea of how to use the various REST APIs calls as well.  Especially with the recent (at least it was recent when I started to write this book), announcement that there will not be any templates deployed as part of the Microsoft Sentinel installation (except for a few Analytic rule templates).

There are going to be some new REST API calls that are part of the preview (again, as of when I was writing this) that I will discuss in a different section.  Those are going to be more important as time goes on.

Where possible, I will be making real calls into my own Microsoft Sentinel environment so you can see real examples of data. I will be using the “Microsoft Sentinel All In One V2” program to create the environment so you can easily duplicate my calls.   There will be some places where I have to use my older installation, but that is mainly because of the data it already has.

Finally, I will present some use cases (probably ones I have already figured out) and show you how I went about solving them.

I want to hear from you

I would love to have you look at the first section, on the stable APIs, and see if you like it or not. I am open to suggestions. Do I have enough examples (especially around creating Alert Rules)? I also talk about what is required to make a rule work with a rule template by calling the Metadata API. Should I move that until I talk about the preview APIs?

Is the actual PowerShell text hard to read with the black background? I can easily change it to get rid of the black backgrounds. In the “Getting Started” section I show the code both with and without a black background. Let me know your preference.

Where to get it?

You can get the PDF here: garybushey/ProgrammingMicrosoftSentinel: Programming Microsoft Sentinel book ( I’ll post when I have updates available.

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.