Tag Archives: azure sentinel

Quickly test Microsoft Sentinel REST API

There are several ways to test the Microsoft Sentinel REST API with the GET method. You can test directly (from the Try It button) on the REST API docs page. Postman is another option. I have developed a simple PowerShell script to help … Continue reading

Posted in Security Automation | 1 Comment

Create an alert with custom entity mapping using Microsoft Sentinel REST API

As you may know, the latest stable Microsoft Sentinel Alert API version 2020-01-01 doesn’t allow you to create an analytics rule with custom entity mappings, custom details or an incident grouping configuration. It isn’t too helpful for … Continue reading

Posted in Security Automation

Migrate alert rules to another Azure Sentinel in the same tenant

In a large deployment, having a non-production environment to test Microsoft Sentinel analytics rules is recommended. When everything is ready, you need to copy your rules over to the production environment. This article provides a script to … Continue reading

Posted in Secure Development, Security Automation

Azure Sentinel Threat Intelligence API

Microsoft Sentinel (formerly Azure Sentinel) has a feature that allows you to create and manage custom Threat Intelligence (TI) indicators, also known as Indicators of Compromise (IoCs). There are requests from avid readers asking AzSec to write something about Microsoft … Continue reading

Posted in Secure Development, Security Automation

Azure Sentinel near-real-time (NRT) Analytics Rule ARM Template

Microsoft just introduced a new type of analytics rule called near-real-time (NRT). This rule type provides up-to-the-minute detection, which basically means you no longer have to worry about ingestion delay, especially the five-minute minimum delay. This article provides … Continue reading

Posted in Security Automation

Create an Azure Role Assignment Watchlist in Azure Sentinel

Watchlists in Azure Sentinel allow you to bring your own data from external data sources for correlation with analytics or hunting rules in your Azure Sentinel environment. In this article, what we are going to do is explore Azure Sentinel … Continue reading

Posted in Security Automation, Security Operation | 4 Comments

Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

I have had a few questions recently asking whether we can get the associated alerts for an incident. The idea is to know which alert caused an incident so the SecOps team could better investigate the issue. In this article, let’s … Continue reading

Posted in Security Automation | 2 Comments

Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

As a SOC analyst or manager working on Azure Sentinel, you would like to have a view of how productive your team is (response time, resolution, etc.). Being familiar with Log Analytics queries, you might wish to do … Continue reading

Posted in Security Automation | 1 Comment

Get all comments in an Azure Sentinel incident programmatically

For any kind of report, you may want to get all comments in an Azure Sentinel incident in order to archive them as a forensic or incident artifact in the incident case before it is closed. Even comments in Azure Sentinel are … Continue reading

Posted in Security Automation

Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks

One of the common steps before a SecOps analyst starts investigating and writing hunting queries is to authenticate, using kqlmagic, with the Log Analytics workspace where security data and event logs are stored. The most common way is to let Azure … Continue reading

Posted in Security Automation