Yet Another Security Blog

I was looking the latest changes MS made to the Azure Sentinel REST API (available at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview) and noticed that they now have an entire section called “incidents” that can be used just as “cases” could before. This makes more sense since, during the beta, Alerts created “cases” but now they create “incidents” . This […]

Introduction IMHO, one of the biggest PITA when setting up a new instance of Azure Sentinel is that while Microsoft gives you all these great Analytic rule templates, you have to select each, one at a time, to create a rule from them. These PowerShell scripts will avoid that. First, there is a PowerShell command, […]

Introduction I was recently asked how an Azure Sentinel Playbook could update the owner of an Incident automatically. Well, there are two issues with that: Only Scheduled rules can trigger Playbooks (at least right now. <hint>, <hint> Microsoft!). You can however run the Playbook from the Incident’s Full Details page using the Alert tab. The […]

Introduction When I was writing my blog post about downloading the Azure Sentinel Incidents, I got to thinking about what else could you do with them? As I had been working with PowerBI I thought, why not give that a shot? I would rather have these show up in an Azure Sentinel Workbook but, so […]

Introduction In this last post of the series, we will look at creating a Microsoft Security Analytics rule.  These are the ones that will raise an alert that has been generated from a different Azure security product.  As of right now, those products are: Azure Active Directory Identity Protection Microsoft Defender Advanced Threat Protection Azure […]

Introduction In the previous posts I spoke about the Azure Sentinel Analytics rule templates.   You may be wondering why I did that.  The reason is that in this post, I will be discussing creating  new Fusion and ML rules and in order to do that you need to have a rule template’s ID.  You will […]

Introduction We are going to take a short break in our exploration of Azure Sentinel REST calls to talk about PowerShell Objects. In all the previous examples, we converted the output of the REST call to JSON.  While it is easy to read JSON, and that is the main reason I usually convert to JSON […]

Introduction So far in this series, we have looked at the Rule templates.  Now we will look at the Analytics rules that we are currently using. Listing all the Analytic Rules Much like looking at the Analytic rule templates, we can make a REST call to look at all the rules we are using. The […]

Introduction In the previous post I showed you how to get a listing of all your Incidents (AKA cases) from Azure Sentinel.  I will come back to those in just a little bit.  But for now I want to talk about how those Incidents get generated. As I am sure you know, Incidents are usually […]