Another blog to help expand Security Knowledge
Introduction Just over three years ago I wrote a blog post and code about how to create multiple rules from Microsoft Sentinel analytic rule template. A lot has changed in that three years. Not only have new features been added to Microsoft Sentinel, but I have learned better ways to work with PowerShell. With all […]
Introduction I have heard from many people that they would like to be able to see which rules need to be updated. There is currently no easy way to do this in the Microsoft Sentinel portal. You can go through each page and see which ones have the “Update Available” tag in the name, but […]
Introduction I recall reading a post where someone asked if there was a way to generate a word document when an incident was closed for reporting purposes. There is no built-in way, but by using a Playbook, a Team’s site (or other SharePoint site), and a Word template, you can do this. The Playbook, Word […]
Introduction One last post for 2022! Microsoft Sentinel has the Content Hub which, at the time this post was written, is still in preview. Inside the Content Hub are two types of entries: Solutions and Standalone contents. Standalone contents are pretty new and are just single entities that can be enabled and be listed using […]
Introduction Some exciting news! I have updated the “Export-AzSentinelMITREToCSV.ps1” file so that the individual rules can be saved to the CSV file instead of just the counts. This can be found in my GitHub repo here An older version of this can be found in the official Microsoft Sentinel GitHub repo located here. I am […]
Introduction When you perform a query and look at a table, for instance Heartbeat, in Microsoft Sentinel, you will see that the datetime fields are stored as UTC time zone values. While there are exceptions to this rule, the TimeGenerated will always be stored using the UTC time zone. This can be both a blessing […]
Overview Another Saturday, another blog post. In a completely unrelated note, I really miss Saturday morning cartoons 🙂 I was watching the latest Microsoft Security Insights show (Microsoft Security Insights Show Ep. 103 – YouTube) and saw some workbooks that Jing Nghik had created. In one spot he showed a spot where a workbook could […]
Introduction Ok, the title is a bit cheesy, but the song just came on and it really does fit. Anyone who has used KQL for any length of time knows about the “datetime”, “now”, and “ago” command as in To see information in the last 5 days. However, KQL provides a lot more capabilities regarding […]
Introduction I ran across a question where someone was asking how to extract Microsoft Sentinel automation rules. I had thought the functionality was already in the automation rules, but I was wrong. There is the functionality for analytic rules, but it is not yet there for automation rules. I had some simple PowerShell scripts that […]
Overview When accessing information using KQL, sometimes you have a column that contains sub-columns that you want to access. There are a couple of different ways to obtain this information and I will show you two ways in this blog post. The first way will be to extract each column individually. While this works and, […]
