This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.
As analysts collect and build context while investigating an incident, they need the flexibility to document and record their reasoning and evidence for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.). Documentation is essential to the lifecycle of an investigation, and SOC analysts need several ways to document and add context.
Incident comments are used extensively by analysts to collaborate on incidents, document processes and steps, and enrich incidents with additional information, either manually or as part of a playbook.
In a previous installment, we covered support for rendering HTML and Markdown in the Sentinel incident's comment section. That functionality lets analysts document additional context immediately and view that context in a more meaningful way. Learn more about Markdown using this reference and the cheatsheet.
In this installment, we are delighted to provide an update on the incident comments feature and the improvements that have been added to the incident comment section over the last few months, which include:
- An HTML editor in the Sentinel UI and in Logic Apps, supporting several formatting options including adding links and images.
- The ability to edit and delete comments.
Common use cases that are improved by these additions:
- Automatic incident enrichment: add HTML/Markdown-formatted comments to your incidents as part of playbooks.
- Add links to external or internal sources (such as a link to a Log Analytics query) to comments to enrich incidents.
- Highlight important elements of your comment with colors, highlights, or fonts.
- Document work processes and steps more easily by editing or deleting comments.
- Delete redundant comments that a playbook added by mistake or with unexpected results, so the incident's comment history stays organized.
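The first two use cases above, automatic enrichment from a playbook and linking out to a supporting query, are where a comment body is assembled from data the playbook collected. Because the comment section renders HTML, any entity value that came from the alert (a user agent string, a file name, a URL) should be escaped before it is placed in the comment so it displays as text rather than as markup. The following Python example is added here and is not code from the original post or from the Sentinel product; it builds an escaped HTML enrichment comment and the REST request that would create it. The ARM path and API version for the incident comments API, the `build_*` function names, the placeholder subscription/workspace values and the sample entity fields are assumptions made for the example, and the link to the query is a constructed placeholder.

```python
"""Build an HTML enrichment comment for an Azure Sentinel incident and the
REST request that would create it.

Added example, not code from the original post.  Every untrusted value is
passed through html.escape so that markup inside an entity field renders as
literal text in the comment instead of being interpreted.
"""
import html
import json
from urllib.parse import quote

# Assumed: ARM resource path and API version for Sentinel incident comments.
COMMENTS_API_VERSION = "2021-04-01"
COMMENT_PATH = (
    "/subscriptions/{sub}/resourceGroups/{rg}"
    "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
    "/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
    "/comments/{comment_id}"
)


def build_enrichment_comment(entity_fields, query_link, query_label="Open in Log Analytics"):
    """Return an HTML comment body for the given enrichment data.

    entity_fields: dict of field name -> value gathered by the playbook.
    query_link:    https URL of the supporting query (constructed placeholder
                   in the sample below; any https URL is accepted).
    Both field names and values are escaped, so an attacker-chosen value such
    as a user agent containing a tag is shown literally in the rendered comment.
    """
    if not query_link.startswith("https://"):
        # Refuse javascript:, data: and other non-https schemes in the link.
        raise ValueError("query_link must be an https URL")
    rows = "".join(
        f"<tr><td><b>{html.escape(str(name))}</b></td>"
        f"<td>{html.escape(str(value))}</td></tr>"
        for name, value in entity_fields.items()
    )
    # quote=True (the default) also escapes quotes, which matters inside href.
    link = f'<a href="{html.escape(query_link)}">{html.escape(query_label)}</a>'
    return f"<p><b>Automated enrichment</b></p><table>{rows}</table><p>{link}</p>"


def build_comment_request(sub, rg, ws, incident_id, comment_id, message):
    """Return (method, path with query string, JSON body) for the PUT that
    creates the comment.  Path segments are percent-encoded."""
    path = COMMENT_PATH.format(
        sub=quote(sub), rg=quote(rg), ws=quote(ws),
        incident_id=quote(incident_id), comment_id=quote(comment_id),
    )
    body = {"properties": {"message": message}}
    return "PUT", f"{path}?api-version={COMMENTS_API_VERSION}", json.dumps(body)


if __name__ == "__main__":
    # Constructed sample entity data, including a hostile user agent value.
    sample_fields = {
        "Account": "jdoe@contoso.example",
        "Host": "WS-0421",
        "UserAgent": '<img src=x onerror="alert(1)">',
    }
    # Constructed placeholder link; a real playbook would pass the query URL.
    comment = build_enrichment_comment(sample_fields, "https://portal.azure.com/example-query-link")
    method, url, body = build_comment_request(
        "00000000-0000-0000-0000-000000000000", "soc-rg", "soc-workspace",
        "incident-guid", "comment-guid", comment,
    )
    print(method, url)
    print(body)
```

The request tuple is deliberately returned rather than sent, so the function can be unit-tested offline; in a playbook the same body would go through the Logic Apps HTTP or Azure Sentinel connector action with the workspace's credentials.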
Figure 1: Ability to edit and delete comments
These improvements will greatly increase analysts' ability to enrich incidents with contextual information and document work processes, and overall reduce the time it takes to respond to and resolve security incidents.
Try out the new comment improvements and let us know your feedback using any of the channels listed in the Resources. In the future, we will be looking to further increase the comment size limit and support additional types of data that can be added to incidents.
Many thanks to @Ely_Abramovitch for the collaboration!