Extract Microsoft Sentinel MITRE information to CSV file – Part III

Introduction Some exciting news! I have updated the “Export-AzSentinelMITREToCSV.ps1” file so that the individual rules can be saved to the CSV file instead of just the counts. This can be found in my GitHub repo here An older version of this can be found in the official Microsoft Sentinel GitHub repo located here. I am […]

Two different ways to add data to Microsoft Sentinel using REST APIs

Introduction While the title of this blog post says it is about how to add data to Microsoft Sentinel, technically the APIs we will discuss will write to Azure Monitor. However, the data will be readable by Microsoft Sentinel, so it is close enough 🙂 Microsoft Sentinel, through its extensive list of built-in data connectors, […]

Automatically apply updates to Analytic rules that have “Update Available”

Introduction Edit: It appears that I forgot to put the actual link to the code. You can get it here If you do not keep up to date with the analytic rules, you may find yourself in the scenario where there are a lot of rules that have updates that can be applied. If you […]

Extract Microsoft Sentinel MITRE information to CSV file

Introduction Microsoft Sentinel has a great MITRE ATT&CK page that shows you which tactics and techniques are being covered by your rules. It looks like the image below (this is from a new MS Sentinel instance, so I don’t have any rules enabled) It would be great to get this information into a CSV file […]

How do I determine what API Microsoft Sentinel is using?

Introduction I have been asked quite a bit which API does Microsoft Sentinel do to perform X? That is usually followed up with how did I determine that? The answer to that question is very simple. I have delved into my previous life as a developer and used a tool that was incredibly useful when […]

Activating a Microsoft Sentinel’s Solution’s analytic rules

Introduction One of the great new features in Microsoft Sentinel is the Content hub which allows you to search for, and activate, solutions. A solution is a self-contained offering inside of Microsoft Sentinel that can contain Data connectors, Analytic rules, Hunting Queries, Parsers, Playbooks, Workbooks, and/or Watchlists. I really hope that sometime in the future, […]

Azure KQL – Working with IP Addresses

Introduction Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with […]