New Azure Sentinel Analytics rule feature

Microsoft quietly released the Incident settings page in the Scheduled Analytics rule wizard. On this page you can state whether you want the alert to create an incident, if the alerts should be grouped into a single alert, and if you want to re-open closed incidents when a new alert is generated. The page looks […]

Viewing Incidents in an Azure Sentinel Workbook

I was playing around with workbooks and noticed that there is a new preview Data Source called Azure Resource Manager. When I selected it I noticed that the Path it wanted begins with /subscription so I thought I would try it with the URL to get Incidents from Sentinel. Lo and behold it worked! It […]

Microsoft improving the Azure Sentinel REST API

I was looking the latest changes MS made to the Azure Sentinel REST API (available at and noticed that they now have an entire section called “incidents” that can be used just as “cases” could before. This makes more sense since, during the beta, Alerts created “cases” but now they create “incidents” . This […]

Create multiple Azure Sentinel rules from selected templates

Introduction IMHO, one of the biggest PITA when setting up a new instance of Azure Sentinel is that while Microsoft gives you all these great Analytic rule templates, you have to select each, one at a time, to create a rule from them. These PowerShell scripts will avoid that. First, there is a PowerShell command, […]

Updating an Incident using REST calls in PowerShell

Introduction I was recently asked how an Azure Sentinel Playbook could update the owner of an Incident automatically. Well, there are two issues with that: Only Scheduled rules can trigger Playbooks (at least right now. <hint>, <hint> Microsoft!). You can however run the Playbook from the Incident’s Full Details page using the Alert tab. The […]

Adding the MCAS Alert URL to a Sentinel Incident using PowerShell

Introduction Microsoft is making great strides and making Azure Sentinel one of the best SIEM products out there. One way they do this is to allow other Azure security products to forward their alerts into Azure Sentinel to make a one-stop-shop kind of experience. While this is great, one feature that, IMHO, is lacking is […]

Working with Analytics rules Part 4 – Create Microsoft Security Rule

Introduction In this last post of the series, we will look at creating a Microsoft Security Analytics rule.  These are the ones that will raise an alert that has been generated from a different Azure security product.  As of right now, those products are: Azure Active Directory Identity Protection Microsoft Defender Advanced Threat Protection Azure […]

Working with Analytics rules Part 3 – Create Fusion / ML Rule

Introduction In the previous posts I spoke about the Azure Sentinel Analytics rule templates.   You may be wondering why I did that.  The reason is that in this post, I will be discussing creating  new Fusion and ML rules and in order to do that you need to have a rule template’s ID.  You will […]