Using Microsoft Sentinel Watchlists in a Cross Workspace query

Introduction In my last post, I talked about how to get a single (or a few) entries from a Microsoft Sentinel watchlist. I introduced the fact that watchlists are stored in the “Watchlist” table. We can use this to perform cross workspace queries. _GetWatchlist Again, in my last blog post, I talked about the “_GetWatchlist” […]

Create a Word document that describes your Microsoft Sentinel environment

Introduction I have been asked numerous times if there was an easy way to document your Microsoft Sentinel configuration (most recently just last week). I didn’t know of any programs that did this, so I wrote my own. It was something that I had wanted to do for quite some time, but only recently was […]

Create a CSV containing Microsoft Sentinel Solution information

Introduction UPDATE: Modified the code to show Required Data Connectors information and the workbook to use this information. With Microsoft Sentinel moving everything into the Content Hub it may be hard to find the solution you need. You can currently search in the Content Hub, but it will only search the Title and description for […]

A new way to install Microsoft Sentinel solutions

Introduction As I stated in my last post, Microsoft Sentinel is changing the way that templates are created in a new instance of Microsoft Sentinel. You can read the post here: A tale of two … Analytic Rule template APIs – Yet Another Security Blog ( to get more information on it. In that post, […]

Call Microsoft Sentinel REST APIs from JavaScript

Introduction While all my previous posts regarding calling Microsoft Sentinel REST APIs have been done in PowerShell, that is definitely not the only way to call them. PowerShell is a great language and has its place, but so do JavaScript and C# (which will be a blog post in the near future). We will utilize […]

Create a Word report of all Microsoft Sentinel solution resources

Introduction Microsoft Sentinel has solutions, under Content hub, that can be used to install multiple Microsoft Sentinel resources at one time. These resources include This makes it much easier to install what you need when you need it. With the upcoming change so that all the out-of-the-box content is moving to solutions (see Out-of-the-box […]

Select which Microsoft Sentinel fields to update when a rule needs updating

Introduction One of the great things about Microsoft Sentinel is that it is Software As A Service. That means it can be updated behind the scenes without you, the user, having to do anything. The downside is that this means rule templates can also be updated automatically but you will need to update your rules […]

Create a rule from a Microsoft Sentinel solution’s rule template

UPDATE After playing around with the code a bit and testing some more, I found out an interesting aspect of the data being returned from the PowerShell call that will make the code much simpler. Instead of accessing “displayName” by using You can access it directly using This will also work with arrays so there […]

Determine KQL queries that reference CommonSecurityLog

Introduction If you have not heard, there are changes coming to Microsoft Sentinel’s CommonSecurityLog table. This is the table that stores information received from CEF ingestion. To read about the changes, go to Upcoming changes to the CommonSecurityLog table – Microsoft Community Hub This blog post is about a PowerShell script that I wrote which […]

Use Watchlists and a Playbook to automatically add Tasks to Incidents

Introduction While the public preview of being able to add Tasks to Incidents is a great step forward, it seems to be missing a feature IMHO. The ability to add the tasks as part of the rule so they automatically get added to the incidents would be a great feature to have. I am not […]