Mimic drilldown in a Microsoft Sentinel workbook – Part II

Overview Another Saturday, another blog post. On a completely unrelated note, I really miss Saturday morning cartoons 🙂 I was watching the latest Microsoft Security Insights show (Microsoft Security Insights Show Ep. 103 – YouTube) and saw some workbooks that Jing Nghik had created. At one point he showed a spot where a workbook could […]

Azure KQL – Time After Time

Introduction Ok, the title is a bit cheesy, but the song just came on and it really does fit. Anyone who has used KQL for any length of time knows about the “datetime”, “now”, and “ago” commands, as in To see information in the last 5 days. However, KQL provides a lot more capabilities regarding […]
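As an added illustration of the difference between a rolling window (`ago`/`now`) and a fixed one (`datetime` literals), here is a query over a constructed table. This is not code from the original post; the `Events` table and its `Scheduled` column are assumptions made up for the example.

```kusto
// Constructed sample: ten rows, one per day going back from the moment the query runs.
// range/extend is used instead of datatable so TimeGenerated stays relative to now().
// Not data or code from the original post.
let Events = range DaysAgo from 0 to 9 step 1
    | extend TimeGenerated = now() - DaysAgo * 1d,
             // a second timestamp anchored to a fixed date, to show datetime() arithmetic
             Scheduled = datetime(2023-01-01) + DaysAgo * 1d;
Events
// Rolling window: ago(5d) is exactly now() - 5d, and now() is evaluated once per query,
// so this keeps DaysAgo 0..4 and drops the row that sits exactly on the boundary.
| where TimeGenerated > ago(5d)
// Fixed window: a between() range with datetime literals is inclusive on both ends
// and returns the same rows no matter when the query is run.
| where Scheduled between (datetime(2023-01-01) .. datetime(2023-01-10))
| extend Day = startofday(TimeGenerated),   // snap to midnight of that calendar day
         Age = now() - TimeGenerated        // a timespan, e.g. 2.00:00:00
| project DaysAgo, TimeGenerated, Day, Age, Scheduled
| order by TimeGenerated asc
```

For detection rules the rolling form is what you normally want, but when reproducing an investigation after the fact, pin the window with `datetime()` literals so the result does not drift as the clock moves.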

Get or Export Microsoft Sentinel Automation rules

Introduction I ran across a question where someone was asking how to extract Microsoft Sentinel automation rules. I had thought the functionality was already in the automation rules, but I was wrong. There is the functionality for analytic rules, but it is not yet there for automation rules. I had some simple PowerShell scripts that […]

Azure KQL: Access sub-columns using the bag_unpack plugin

Overview When accessing information using KQL, sometimes you have a column that contains sub-columns that you want to access. There are a couple of different ways to obtain this information and I will show you two ways in this blog post. The first way will be to extract each column individually. While this works and, […]
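The two approaches the post contrasts, side by side, as an added example that is not code from the original post. The `Events` table and its `Properties` bag are constructed for the illustration.

```kusto
// Constructed sample: a table whose Properties column is a dynamic (JSON) bag.
// This is not data or code from the original post.
let Events = datatable(TimeGenerated: datetime, Properties: dynamic)
[
    datetime(2023-01-01 10:00:00), dynamic({"User": "alice", "Result": "Success", "IP": "10.0.0.5"}),
    datetime(2023-01-01 10:05:00), dynamic({"User": "bob",   "Result": "Failure", "IP": "10.0.0.9"})
];
// Way 1: pull each sub-column out by hand. Verbose, but the output schema is fixed
// even when a future row lacks a property (that cell is then empty, not missing).
let Individually = Events
    | extend User = tostring(Properties.User),
             Result = tostring(Properties.Result),
             IP = tostring(Properties.IP)
    | project TimeGenerated, User, Result, IP;
// Way 2: let bag_unpack turn every top-level property into its own column.
// Shorter, but without an OutputSchema the column set depends on whatever
// properties happen to be in the data; pinning it as done here keeps downstream
// project/join steps stable and lets the engine skip a schema-discovery pass.
let Unpacked = Events
    | evaluate bag_unpack(Properties) : (TimeGenerated: datetime, User: string, Result: string, IP: string);
// Show both side by side; the rows are identical apart from the Method label.
Individually | extend Method = "extend"
| union (Unpacked | extend Method = "bag_unpack")
| order by TimeGenerated asc, Method asc
```

Drop the `: (...)` schema clause to see the default behaviour, where `bag_unpack` infers the columns from the data; that is convenient for ad hoc hunting but brittle inside a saved query that later steps depend on.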

Recreating a MS workbook in PowerBI: Part 2 – Create the report

Overview In the last blog post, Recreating a MS workbook in PowerBI: Part 1 – Get the data – Yet Another Security Blog (garybushey.com), we looked at how to get data from Microsoft Sentinel into PowerBI. In this blog post, we are going to create the basic report that mimics the Microsoft Sentinel Security Operations […]

Accessing the “unaccessible” services using robots (kind of)

Introduction How many of you have come across a customer that says something along the lines of “We have this great program that we want you to interact with, but it has no API to access”. Maybe it is old, or maybe it was written in-house and adding an API was not considered a requirement. […]

New book published

“Microsoft Sentinel in Action” has been released! Technically it is the second edition of “Learn Azure Sentinel” but with all the changes that have occurred between the two books, it was almost a complete rewrite (of the technical sections at least). Check it out on Amazon: Amazon.com: Microsoft Sentinel in Action: Architect, design, implement, and […]

My book has been released!!!!

I am happy to announce that my (and my co-author’s) book has, finally, been released. Learn Azure Sentinel is now available directly from the Packt site listed here: https://www.packtpub.com/security/learn-azure-sentinel It should be shipping from Amazon soon. Of course, with the world-wide lockdown the actual shipping date may vary. I would suggest buying it directly from […]