How do I determine what API Microsoft Sentinel is using?

Introduction I have been asked quite a bit which API Microsoft Sentinel uses to perform X. That is usually followed up with how did I determine that? The answer to that question is very simple. I have delved into my previous life as a developer and used a tool that was incredibly useful when […]

Re-use tables in Microsoft Sentinel Workbooks

Introduction There may be times when you have a complicated query that you use in your Microsoft Sentinel workbook that you want to re-use and only filter to show one specific row. Rather than re-running the query, I will show you how to use the “merge” data source in a query step to re-use the […]

How to get custom Microsoft Sentinel hunting queries using the REST API

Introduction This post is in response to a question that was asked on LinkedIn. The person wanted to know how to get the custom hunting queries using the REST API since it didn’t seem that any of the Microsoft Sentinel APIs retrieve that information. That is correct. There are no Microsoft Sentinel REST APIs to […]

Activating a Microsoft Sentinel Solution’s analytic rules

Introduction One of the great new features in Microsoft Sentinel is the Content hub which allows you to search for, and activate, solutions. A solution is a self-contained offering inside of Microsoft Sentinel that can contain Data connectors, Analytic rules, Hunting Queries, Parsers, Playbooks, Workbooks, and/or Watchlists. I really hope that sometime in the future, […]

Call a MS Sentinel playbook against an incident from a workbook

Introduction Did you know you can call a Microsoft Sentinel playbook from a workbook against an existing incident? It is actually quite easy to do, and this post will go into the details a bit more. ARM Actions One of the options available to use when you add a link to the “ARM Action” (currently […]

Modify the MS Sentinel incident’s workbooks

This is just a short blog post about the MS Sentinel incident’s workbooks. If you go to the Incidents page in MS Sentinel, there are two workbooks that are linked. The first is the “Security efficiency workbook” in the header bar and the second is the “Incident Overview” workbook that shows up the incident’s detail […]

Mimic drilldown in a Microsoft Sentinel workbook – Part II

Overview Another Saturday, another blog post. On a completely unrelated note, I really miss Saturday morning cartoons 🙂 I was watching the latest Microsoft Security Insights show (Microsoft Security Insights Show Ep. 103 – YouTube) and saw some workbooks that Jing Nghik had created. In one spot he showed a spot where a workbook could […]

Azure KQL – Working with IP Addresses

Introduction Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with […]

Azure KQL – Time After Time

Introduction Ok, the title is a bit cheesy, but the song just came on and it really does fit. Anyone who has used KQL for any length of time knows about the “datetime”, “now”, and “ago” commands, as in to see information in the last 5 days. However, KQL provides a lot more capabilities regarding […]

Get or Export Microsoft Sentinel Automation rules

Introduction I ran across a question where someone was asking how to extract Microsoft Sentinel automation rules. I had thought the functionality was already in the automation rules, but I was wrong. There is the functionality for analytic rules, but it is not yet there for automation rules. I had some simple PowerShell scripts that […]