Another blog to help expand Security Knowledge
Introduction One of the great things about Microsoft Sentinel is that it is Software As A Service. That means it can be updated behind the scenes without you, the user, having to do anything. The downside is that this means rule templates can also be updated automatically but you will need to update your rules […]
Introduction Just over three years ago I wrote a blog post and code about how to create multiple rules from Microsoft Sentinel analytic rule template. A lot has changed in that three years. Not only have new features been added to Microsoft Sentinel, but I have learned better ways to work with PowerShell. With all […]
Introduction I have heard from many people that they would like to be able to see which rules need to be updated. There is currently no easy way to do this in the Microsoft Sentinel portal. You can go through each page and see which ones have the “Update Available” tag in the name, but […]
Introduction I recall reading a post where someone asked if there was a way to generate a word document when an incident was closed for reporting purposes. There is no built-in way, but by using a Playbook, a Team’s site (or other SharePoint site), and a Word template, you can do this. The Playbook, Word […]
UPDATE After playing around with the code a bit and testing some more, I found out an interesting aspect of the data being returned from the PowerShell call that will make the code much simpler. Instead of accessing “displayName” by using You can access it directly using This will also work with arrays so there […]
Introduction If you have not heard, there are changes coming to Microsoft Sentinel’s CommonSecurityLog table. This is the table that stores information received from CEF ingestion. To read about the changes, go to Upcoming changes to the CommonSecurityLog table – Microsoft Community Hub This blog post is about a PowerShell script that I wrote which […]
Introduction One last post for 2022! Microsoft Sentinel has the Content Hub which, at the time this post was written, is still in preview. Inside the Content Hub are two types of entries: Solutions and Standalone contents. Standalone contents are pretty new and are just single entities that can be enabled and be listed using […]
Introduction With the public preview of being able to add Tasks to Incidents is a great step forward, it seems to be missing a feature IMHO. The ability to add the tasks as part of the rule so they automatically get added to the incidents would be a great feature to have. I am not […]
Introduction The new ability to add tasks to an incident in Microsoft Sentinel is one of the best new features IMHO. It takes one big step forward in being able to completely handle the complete incident investigation within Microsoft Sentinel. As of right now, you can either run an automation rule or use the Microsoft […]
Introduction I recently had someone tell me that code I had written a while ago to allow the user to automatically update rules from rule templates didn’t get all the rule templates. After mumbling some comments under my breath that I should not mention here, I decided to take a look. First of all, I […]
