How to get a single row from a Microsoft Sentinel watchlist quickly

Introduction 19 Jan 2024 UPDATE: I have posted this same information (not quite as detailed) in the Microsoft Sentinel blog at Querying Watchlists – Microsoft Community Hub; however, it does have a section on “bag_unpack” and the best way to use it. As I am sure you already know, you can get the entries from […]

Programming book Version 1.0 finally ready!

I have finally finished the first version of my “Programming Microsoft Sentinel using REST APIs” eBook, and it is ready to go. You can download it from: garybushey/ProgrammingMicrosoftSentinel: Programming Microsoft Sentinel book. Let me know what you think. Can you easily follow it? Are the examples (both in the descriptions and use cases) useful and easy […]

A tale of two … Analytic Rule template APIs

You may have noticed that when you go into your Microsoft Sentinel Analytic rule templates area, you will see a banner like the one shown below: What does this mean? Basically, Microsoft Sentinel is not going to deploy all the Analytic rule templates (as well as Workbook templates, hunting queries, and data connectors) when a […]

Create multiple Microsoft Sentinel rules from rule templates – The Next Generation

Introduction Just over three years ago I wrote a blog post and code about how to create multiple rules from Microsoft Sentinel analytic rule templates. A lot has changed in those three years. Not only have new features been added to Microsoft Sentinel, but I have learned better ways to work with PowerShell. With all […]

Generate report of Microsoft Sentinel Analytic rules that can be updated.

Introduction I have heard from many people that they would like to be able to see which rules need to be updated. There is currently no easy way to do this in the Microsoft Sentinel portal. You can go through each page and see which ones have the “Update Available” tag in the name, but […]

Create a Word Document report from a Microsoft Sentinel Incident

Introduction I recall reading a post where someone asked if there was a way to generate a Word document when an incident was closed for reporting purposes. There is no built-in way, but by using a Playbook, a Teams site (or other SharePoint site), and a Word template, you can do this. The Playbook, Word […]

Programmatically enable Microsoft Sentinel solutions

Introduction One last post for 2022! Microsoft Sentinel has the Content Hub which, at the time this post was written, is still in preview. Inside the Content Hub are two types of entries: Solutions and Standalone contents. Standalone contents are pretty new and are just single entities that can be enabled and be listed using […]

Extract Microsoft Sentinel MITRE information to CSV file – Part III

Introduction Some exciting news! I have updated the “Export-AzSentinelMITREToCSV.ps1” file so that the individual rules can be saved to the CSV file instead of just the counts. This can be found in my GitHub repo here. An older version of this can be found in the official Microsoft Sentinel GitHub repo located here. I am […]