Another blog to help expand Security Knowledge
Introduction In my last post, I talked about how to get a single (or a few) entries from a Microsoft Sentinel watchlist. I introduced the fact that watchlists are stored in the “Watchlist” table. We can use this to perform cross workspace queries. _GetWatchlist Again, in my last blog post, I talked about the “_GetWatchlist” […]
Introduction I have been asked numerous times if there was an easy way to document your Microsoft Sentinel configuration (most recently just last week). I didn’t know of any programs that did this, so I wrote my own. It was something that I had wanted to do for quite some time, but only recently was […]
Introduction UPDATE: Modified the code to show Required Data Connectors information and the workbook to use this information. With Microsoft Sentinel moving everything into the Content Hub it may be hard to find the solution you need. You can currently search in the Content Hub, but it will only search the Title and description for […]
Introduction As I stated in my last post, Microsoft Sentinel is changing the way that templates are created in a new instance of Microsoft Sentinel. You can read the post here: A tale of two … Analytic Rule template APIs – Yet Another Security Blog (garybushey.com) to get more information on it. In that post, […]
Introduction While all my previous posts regarding calling Microsoft Sentinel REST APIs have been done in PowerShell, that is definitely not the only way to call them. PowerShell is a great language and has its place but so does JavaScript and C# (which will be a blog post in the near future). We will utilize […]
Introduction Microsoft Sentinel has solutions, under Content hub, that can be used to install multiple Microsoft Sentinel resources at one time. These resources include This makes is much easier to install what you need when you need it. With the upcoming change coming so that all the out-of-the-box content is moving to solutions (see Out-of-the-box […]
Introduction One of the great things about Microsoft Sentinel is that it is Software As A Service. That means it can be updated behind the scenes without you, the user, having to do anything. The downside is that this means rule templates can also be updated automatically but you will need to update your rules […]
UPDATE After playing around with the code a bit and testing some more, I found out an interesting aspect of the data being returned from the PowerShell call that will make the code much simpler. Instead of accessing “displayName” by using You can access it directly using This will also work with arrays so there […]
Introduction The new ability to add tasks to an incident in Microsoft Sentinel is one of the best new features IMHO. It takes one big step forward in being able to completely handle the complete incident investigation within Microsoft Sentinel. As of right now, you can either run an automation rule or use the Microsoft […]
Introduction I recently had someone tell me that code I had written a while ago to allow the user to automatically update rules from rule templates didn’t get all the rule templates. After mumbling some comments under my breath that I should not mention here, I decided to take a look. First of all, I […]
