Using Microsoft Sentinel Watchlists in a Cross Workspace query

Introduction In my last post, I talked about how to get a single (or a few) entries from a Microsoft Sentinel watchlist. I introduced the fact that watchlists are stored in the “Watchlist” table. We can use this to perform cross workspace queries. _GetWatchlist Again, in my last blog post, I talked about the “_GetWatchlist” […]

Create a CSV containing Microsoft Sentinel Solution information

Introduction UPDATE: Modified the code to show Required Data Connectors information and the workbook to use this information. With Microsoft Sentinel moving everything into the Content Hub, it may be hard to find the solution you need. You can currently search in the Content Hub, but it will only search the Title and description for […]

Create a Word report of all Microsoft Sentinel solution resources

Introduction Microsoft Sentinel has solutions, under Content hub, that can be used to install multiple Microsoft Sentinel resources at one time. These resources include This makes it much easier to install what you need when you need it. With the upcoming change so that all the out-of-the-box content is moving to solutions (see Out-of-the-box […]

Determine KQL queries that reference CommonSecurityLog

Introduction If you have not heard, there are changes coming to Microsoft Sentinel’s CommonSecurityLog table. This is the table that stores information received from CEF ingestion. To read about the changes, go to Upcoming changes to the CommonSecurityLog table – Microsoft Community Hub. This blog post is about a PowerShell script that I wrote which […]

Use Watchlists and a Playbook to automatically add Tasks to Incidents

Introduction While the public preview of being able to add Tasks to Incidents is a great step forward, it seems to be missing a feature IMHO. The ability to add the tasks as part of the rule so they automatically get added to the incidents would be a great feature to have. I am not […]

Getting ALL the Microsoft Sentinel rule templates

Introduction I recently had someone tell me that code I had written a while ago to allow the user to automatically update rules from rule templates didn’t get all the rule templates. After mumbling some comments under my breath that I should not mention here, I decided to take a look. First of all, I […]

How to get custom Microsoft Sentinel hunting queries using the REST API

Introduction This post is in response to a question that was asked on LinkedIn. The person wanted to know how to get the custom hunting queries using the REST API since it didn’t seem that any of the Microsoft Sentinel APIs retrieve that information. That is correct. There are no Microsoft Sentinel REST APIs to […]

Azure KQL – Working with IP Addresses

Introduction Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with […]