Extract Microsoft Sentinel MITRE information to CSV file – Part II

Introduction. In my last blog post (Extract Microsoft Sentinel MITRE information to CSV file – Yet Another Security Blog (garybushey.com)) I went over a PowerShell script that will extract the information from the MITRE ATT&CK page in Microsoft Sentinel. In this post I am expanding on that script with two new parameters: ShowZeroSimulatedRuleTemplates and ShowAllSimulatedRuleTemplates. This […]

Extract Microsoft Sentinel MITRE information to CSV file

Introduction. Microsoft Sentinel has a great MITRE ATT&CK page that shows you which tactics and techniques are being covered by your rules. It looks like the image below (this is from a new MS Sentinel instance, so I don’t have any rules enabled). It would be great to get this information into a CSV file […]

Call a MS Sentinel playbook against an incident from a workbook

Introduction. Did you know you can call a Microsoft Sentinel playbook from a workbook against an existing incident? It is actually quite easy to do, and this post will go into the details a bit more. ARM Actions. One of the options available to use when you add a link to the “ARM Action” (currently […]

Modify the MS Sentinel incident’s workbooks

This is just a short blog post about the MS Sentinel incident’s workbooks. If you go to the Incidents page in MS Sentinel, there are two workbooks that are linked. The first is the “Security efficiency workbook” in the header bar and the second is the “Incident Overview” workbook that shows up in the incident’s detail […]

Mimic drilldown in a Microsoft Sentinel workbook – Part II

Overview. Another Saturday, another blog post. On a completely unrelated note, I really miss Saturday morning cartoons 🙂 I was watching the latest Microsoft Security Insights show (Microsoft Security Insights Show Ep. 103 – YouTube) and saw some workbooks that Jing Nghik had created. In one spot he showed a spot where a workbook could […]

Mimic drilldown in a Microsoft Sentinel workbook

Overview. I recently saw a question about how to do a drilldown in a Microsoft Sentinel workbook. While Rod Trent wrote a post called How to Make Your Azure Sentinel Workbooks Even More Interactive with Drilldowns and Downloads – Azure Cloud & AI Domain Blog (azurecloudai.blog) about 2 years ago on this subject, it deals […]

Recreating a MS workbook in PowerBI: Part 4 – PowerBI Parameters

Overview. Back in the first post in this series, I mentioned that you can easily change how far back you can look to get information in your queries. This post will talk about PowerBI parameters that we will use to do this. Create a parameter. Parameters are very easy to create. In the left-hand navigation […]

Recreating a MS workbook in PowerBI: Part 3 – Working with tables

Overview. So far in this series (if 3 posts can be considered a series), we have ingested data into PowerBI and created a basic report. We looked at some of the pitfalls that may happen when creating a table view. In this post, we will look at the tables themselves and how we can expand […]

Recreating a MS workbook in PowerBI: Part 1 – Get the data

Overview. In one of my last posts, I talked about the differences between Microsoft Sentinel workbooks and PowerBI. In this post, the first of however many I decide to write, we will look at converting the Security Operations Efficiency workbook into PowerBI. Why this workbook? There are a few reasons. It has different steps in […]