Aug 20 2020 03:05 PM
Is there a tool or way to generate specific incidents in Sentinel so that we can test playbooks?
Right now I am having to actually attempt to brute force a resource to generate an incident; is there not an easier way?
Aug 21 2020 04:27 AM
@ReccoB You can use the script found here https://gallery.technet.microsoft.com/PowerShell-script-to-0823e09d with some modifications to upload some dummy data into a custom log, create an analytics rule that looks for that information, and then assign a Playbook to that rule.
Keep in mind that this can only write to a custom log, hence the need for a new analytics rule (or change an existing one to look at the custom log).
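The procedure in the answer above (push dummy data into a custom log, then point an analytics rule at it), as an added PowerShell example rather than the gallery script the answer links to. It writes constructed records to a Log Analytics custom table through the HTTP Data Collector API, which is what such upload scripts use under the hood. Assumptions: the workspace ID and shared key are your own, the `Log-Type` name `SentinelTest` is arbitrary (Log Analytics creates the table as `SentinelTest_CL`), and the field names in the sample records are invented for the test.

```powershell
# Added example (not the linked gallery script): upload constructed events to a
# Log Analytics custom log so a scheduled analytics rule can raise a test incident.
# Assumptions: $WorkspaceId / $SharedKey are your own workspace values; the
# Log-Type "SentinelTest" is arbitrary and lands in the table SentinelTest_CL.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # Log Analytics workspace ID
    [Parameter(Mandatory)] [string] $SharedKey,     # workspace primary or secondary key (base64)
    [string] $LogType = 'SentinelTest'              # custom log name; table becomes SentinelTest_CL
)

# Build the SharedKey Authorization header the Data Collector API requires:
# base64(HMAC-SHA256(key, "POST\n<len>\napplication/json\nx-ms-date:<date>\n/api/logs")).
function New-DataCollectorSignature {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$Rfc1123Date, [int]$ContentLength)
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Rfc1123Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
    return "SharedKey ${WorkspaceId}:$([Convert]::ToBase64String($hash))"
}

# POST a JSON array of records to the workspace; returns the web response (HTTP 200 = accepted).
function Send-DummyLog {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [string]$JsonBody)
    $date  = [DateTime]::UtcNow.ToString('r')            # RFC 1123 timestamp, required by the API
    $bytes = [Text.Encoding]::UTF8.GetBytes($JsonBody)   # sign the exact byte length that is sent
    $sig   = New-DataCollectorSignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                                         -Rfc1123Date $date -ContentLength $bytes.Length
    $headers = @{
        'Authorization'        = $sig
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'   # use the record's own timestamp, not ingestion time
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' `
                      -Headers $headers -Body $bytes -UseBasicParsing
}

# Constructed sample events (invented field names): ten failed logons from one source IP,
# the shape a brute-force style rule would look for. Log Analytics appends type suffixes
# (_s, _d, _t) when it creates the custom table, e.g. SourceIp becomes SourceIp_s.
$records = 1..10 | ForEach-Object {
    [pscustomobject]@{
        TimeGenerated = [DateTime]::UtcNow.AddSeconds(-$_).ToString('o')
        SourceIp      = '203.0.113.45'     # TEST-NET-3 documentation address
        TargetAccount = 'svc-test'
        ResultType    = 'Failure'
        TestScenario  = 'PlaybookTest'     # marker the analytics rule keys on
    }
}

$response = Send-DummyLog -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                          -LogType $LogType -JsonBody ($records | ConvertTo-Json)
"Data Collector API returned HTTP $($response.StatusCode)"
```

Run it as `.\Send-DummyLog.ps1 -WorkspaceId <id> -SharedKey <key>`; do not hard-code the key, it grants write access to the workspace. The custom table appears a few minutes after the first successful upload, so create the Scheduled analytics rule only once `SentinelTest_CL` shows up in Logs. A query of the form `SentinelTest_CL | where TestScenario_s == "PlaybookTest" | summarize Failures = count() by SourceIp_s | where Failures >= 5` with `SourceIp_s` mapped to the IP entity, a lookback that covers the `TimeGenerated` values you sent, and the playbook attached under automated response is enough to reproduce the incident on demand. One caveat: Microsoft has since deprecated the HTTP Data Collector API in favour of the Logs Ingestion API, so on a current workspace the same idea is implemented with a data collection rule and endpoint instead of the `ods.opinsights.azure.com` URL used here.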
Aug 21 2020 04:58 AM
@ReccoB You could also try this one:
https://secureinfra.blog/2020/08/13/azure-sentinel-analytics-rule-to-keep-track-of-cloud-shell/
All you have to do is initiate a Cloud Shell instance, and an incident will be created with the entities you need for investigations, automation, etc.