Updating an Incident using REST calls in PowerShell

Introduction I was recently asked how an Azure Sentinel Playbook could update the owner of an Incident automatically. Well, there are two issues with that: Only Scheduled rules can trigger Playbooks (at least right now. <hint>, <hint> Microsoft!). You can however run the Playbook from the Incident’s Full Details page using the Alert tab. The […]

Adding the MCAS Alert URL to a Sentinel Incident using PowerShell

Introduction Microsoft is making great strides and making Azure Sentinel one of the best SIEM products out there. One way they do this is to allow other Azure security products to forward their alerts into Azure Sentinel to make a one-stop-shop kind of experience. While this is great, one feature that, IMHO, is lacking is […]

Working with Analytics rules Part 4 – Create Microsoft Security Rule

Introduction In this last post of the series, we will look at creating a Microsoft Security Analytics rule.  These are the ones that will raise an alert that has been generated from a different Azure security product.  As of right now, those products are: Azure Active Directory Identity Protection Microsoft Defender Advanced Threat Protection Azure […]

Working with Analytics rules Part 3 – Create Fusion / ML Rule

Introduction In the previous posts I spoke about the Azure Sentinel Analytics rule templates.   You may be wondering why I did that.  The reason is that in this post, I will be discussing creating  new Fusion and ML rules and in order to do that you need to have a rule template’s ID.  You will […]

Working with Analytics rules Part 2 – The rules

Introduction So far in this series, we have looked at the Rule templates.  Now we will look at the Analytics rules that we are currently using. Listing all the Analytic Rules Much like looking at the Analytic rule templates, we can make a REST call to look at all the rules we are using. The […]

Working with Analytics rules Part 1 – Templates

Introduction In the previous post I showed you how to get a listing of all your Incidents (AKA cases) from Azure Sentinel.  I will come back to those in just a little bit.  But for now I want to talk about how those Incidents get generated. As I am sure you know, Incidents are usually […]

Your first Azure Sentinel REST API call

Introduction In this post, we will get ready to use the Azure Sentinel REST APIs.  We will discuss getting PowerShell setup, what needs to be done before you can call the REST APIs and then we will make a sample call. First and foremost, we will be using the new PowerShell core.  It is the […]

Introduction to Azure Sentinel REST APIs

Microsoft has stated that they will be releasing the official version of the AzureSentinel APIs “soon”.   While they may not be official, the APIsare publishing on GitHub and, as far as I can tell, seem to be workingperfectly well.  This post will introduce you to the APIs and how to usethem using PowerShell. Why […]