Another blog to help expand Security Knowledge
Introduction With the public preview of being able to add Tasks to Incidents is a great step forward, it seems to be missing a feature IMHO. The ability to add the tasks as part of the rule so they automatically get added to the incidents would be a great feature to have. I am not […]
Introduction The new ability to add tasks to an incident in Microsoft Sentinel is one of the best new features IMHO. It takes one big step forward in being able to completely handle the complete incident investigation within Microsoft Sentinel. As of right now, you can either run an automation rule or use the Microsoft […]
Introduction I recently had someone tell me that code I had written a while ago to allow the user to automatically update rules from rule templates didn’t get all the rule templates. After mumbling some comments under my breath that I should not mention here, I decided to take a look. First of all, I […]
Introduction I am sure a lot of you, like me, miss being able to call sub-routines in KQL. You can always create a function and call that, but it isn’t quite the same thing. This is where mv-apply comes into play. The official documentation for mv-apply (located here) states that it “Applies a subquery to […]
Introduction Microsoft has a web page that tells you how to do this here, but it is a bit out of date. I wanted to learn about BYOML, so I started to play around with it and this post is based on my notes that I took to get everything working correctly. This first post […]
Introduction Some exciting news! I have updated the “Export-AzSentinelMITREToCSV.ps1” file so that the individual rules can be saved to the CSV file instead of just the counts. This can be found in my GitHub repo here An older version of this can be found in the official Microsoft Sentinel GitHub repo located here. I am […]
Introduction While the title of this blog post says it is about how to add data to Microsoft Sentinel, technically the APIs we will discuss will write to Azure Monitor. However, the data will be readable by Microsoft Sentinel, so it is close enough 🙂 Microsoft Sentinel, through its extensive list of built-in data connectors, […]
Introduction When you perform a query and look at a table, for instance Heartbeat, in Microsoft Sentinel, you will see that the datetime fields are stored as UTC time zone values. While there are exceptions to this rule, the TimeGenerated will always be stored using the UTC time zone. This can be both a blessing […]
Introduction I am sure you know that each Analytic rule in Microsoft Sentinel has a “Description field, and its contents get copied into the incident that this rule creates. I am sure you are also aware that some of the problems with newer security analysts are not knowing what steps to take to resolve an […]
Introduction Truth be told, I had this working a long time ago, it just took me way too long to figure out how to export the Logic Apps into working ARM templates! I am sure you know you can tag incidents after they are created. Wouldn’t it be great if you could do this automatically? […]
