Use an analytic rule’s description for remediation steps

Introduction I am sure you know that each Analytic rule in Microsoft Sentinel has a “Description” field, and its contents get copied into the incident that this rule creates. I am sure you are also aware that some of the problems with newer security analysts are not knowing what steps to take to resolve an […]

Automatically apply updates to Analytic rules that have “Update Available”

Introduction Edit: It appears that I forgot to put the actual link to the code. You can get it here If you do not keep up to date with the analytic rules, you may find yourself in the scenario where there are a lot of rules that have updates that can be applied. If you […]

Extract Microsoft Sentinel MITRE information to CSV file – Part II

Introduction In my last blog post (Extract Microsoft Sentinel MITRE information to CSV file – Yet Another Security Blog (garybushey.com)) I went over a PowerShell script that will extract the information from the MITRE ATT&CK page in Microsoft Sentinel. In this post I am expanding on that script with two new parameters: ShowZeroSimulatedRuleTemplates and ShowAllSimulatedRuleTemplates. This […]

Extract Microsoft Sentinel MITRE information to CSV file

Introduction Microsoft Sentinel has a great MITRE ATT&CK page that shows you which tactics and techniques are being covered by your rules. It looks like the image below (this is from a new MS Sentinel instance, so I don’t have any rules enabled) It would be great to get this information into a CSV file […]
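The PowerShell below is an added example and is not the script from this post, from Part II, or from the “Update Available” post above. It shows the two checks those posts describe, done from the Microsoft Sentinel REST API in a single pass: the alertRules and alertRuleTemplates resources carry a templateVersion/version pair, so a rule whose template has moved to a newer version can be flagged locally (the portal’s “Update available” marker, recomputed), and the same resources carry tactics and techniques arrays, which is enough to write the MITRE ATT&CK coverage of enabled rules (plus the “simulated” coverage that templates would add) to a CSV file. The resource paths, properties and api-version are the documented ones; the parameter names, the CSV layout and the stale-version heuristic are this example’s own choices, and Az.Accounts with a completed Connect-AzAccount is assumed.

```powershell
# Added example, not the script from either post. Assumes Az.Accounts is installed,
# Connect-AzAccount has been run, and the caller can read the Sentinel workspace.
# One pass over the REST API yields:
#   1. rules created from a template whose template now has a newer version
#      (the portal's "Update available" flag, recomputed locally)
#   2. a CSV of MITRE ATT&CK tactic/technique coverage by enabled rules, with the
#      number of rule templates that could also cover each pair ("simulated" coverage)
param(
    [Parameter(Mandatory)][string]$SubscriptionId,
    [Parameter(Mandatory)][string]$ResourceGroup,
    [Parameter(Mandatory)][string]$Workspace,
    [string]$CsvPath    = ".\sentinel-mitre-coverage.csv",   # example default
    [string]$ApiVersion = "2023-02-01"
)

$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights"

# Follow nextLink so a large workspace is not silently truncated to one page.
function Get-SentinelList([string]$Path) {
    $items = @()
    $resp = Invoke-AzRestMethod -Path $Path -Method GET
    while ($true) {
        if ($resp.StatusCode -ne 200) { throw "GET $Path failed: $($resp.StatusCode) $($resp.Content)" }
        $page = $resp.Content | ConvertFrom-Json
        $items += $page.value
        if (-not $page.nextLink) { break }
        $resp = Invoke-AzRestMethod -Uri $page.nextLink -Method GET
    }
    return $items
}

$templates = Get-SentinelList "$base/alertRuleTemplates?api-version=$ApiVersion"
$rules     = Get-SentinelList "$base/alertRules?api-version=$ApiVersion"

# --- 1. Rules with a template update available -----------------------------
$latestVersion = @{}
foreach ($t in $templates) { $latestVersion[$t.name] = $t.properties.version }

$updates = foreach ($r in $rules) {
    $tn = $r.properties.alertRuleTemplateName
    if (-not $tn -or -not $latestVersion.ContainsKey($tn)) { continue }  # custom rule, or template withdrawn
    $current = $r.properties.templateVersion
    $latest  = $latestVersion[$tn]
    # A rule with no recorded templateVersion predates version tracking; treat it as stale.
    $stale = $true
    if ($current) {
        try   { $stale = [version]$latest -gt [version]$current }
        catch { $stale = $latest -ne $current }   # non-numeric version strings: fall back to inequality
    }
    if ($stale) {
        [pscustomobject]@{ Rule = $r.properties.displayName; Id = $r.name; Current = $current; Latest = $latest }
    }
}
"Rules with a template update available: $(@($updates).Count)"
$updates | Sort-Object Rule | Format-Table -AutoSize

# --- 2. MITRE ATT&CK coverage to CSV ----------------------------------------
$coverage = @{}   # key = "tactic|technique"
function Add-Coverage($obj, [string]$Column) {
    $tactics    = @($obj.properties.tactics);    if (-not $tactics)    { $tactics    = @('(none)') }
    $techniques = @($obj.properties.techniques); if (-not $techniques) { $techniques = @('(none)') }
    foreach ($ta in $tactics) { foreach ($te in $techniques) {
        $k = "$ta|$te"
        if (-not $coverage.ContainsKey($k)) {
            $coverage[$k] = [ordered]@{ Tactic = $ta; Technique = $te; EnabledRules = 0; Templates = 0 }
        }
        $coverage[$k][$Column]++
    } }
}
foreach ($r in $rules | Where-Object { $_.properties.enabled }) { Add-Coverage $r 'EnabledRules' }
foreach ($t in $templates) { Add-Coverage $t 'Templates' }

$coverage.Values | ForEach-Object { [pscustomobject]$_ } |
    Sort-Object Tactic, Technique |
    Export-Csv -Path $CsvPath -NoTypeInformation
"Coverage written to $CsvPath ($($coverage.Count) tactic/technique pairs)"
```

Two caveats worth keeping in mind when turning this into something that applies the updates automatically: the example only reports, and a rule that is “updated” by PUTting the template’s properties back over it loses any local tuning (query edits, thresholds, entity mappings), so compare before you overwrite; and rows with a Technique of “(none)” are rules or templates that declare a tactic without a technique, which is why they show up on the MITRE page as tactic-level coverage only.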

How do I determine what API Microsoft Sentinel is using?

Introduction I have been asked quite a bit which API Microsoft Sentinel uses to perform X. That is usually followed up with: how did I determine that? The answer to that question is very simple. I have delved into my previous life as a developer and used a tool that was incredibly useful when […]

How to get custom Microsoft Sentinel hunting queries using the REST API

Introduction This post is in response to a question that was asked on LinkedIn. The person wanted to know how to get the custom hunting queries using the REST API since it didn’t seem that any of the Microsoft Sentinel APIs retrieve that information. That is correct. There are no Microsoft Sentinel REST APIs to […]

Activating a Microsoft Sentinel solution’s analytic rules

Introduction One of the great new features in Microsoft Sentinel is the Content hub which allows you to search for, and activate, solutions. A solution is a self-contained offering inside of Microsoft Sentinel that can contain Data connectors, Analytic rules, Hunting Queries, Parsers, Playbooks, Workbooks, and/or Watchlists. I really hope that sometime in the future, […]

Call a MS Sentinel playbook against an incident from a workbook

Introduction Did you know you can call a Microsoft Sentinel playbook from a workbook against an existing incident? It is actually quite easy to do, and this post will go into the details a bit more. ARM Actions One of the options available to use when you add a link to the “ARM Action” (currently […]