This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.
As analysts collect and build context while investigating an incident, they need the flexibility to document and record their reasoning and evidence for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.). Documentation is imperative throughout the lifecycle of an investigation, and SOC analysts need support for various ways to document and add context.
Incident comments are used extensively by analysts to collaborate on incidents, to document processes and steps, and to enrich incidents with additional information, either manually or as part of a playbook.
In a previous installment, we covered the support for rendering HTML and Markdown in the Sentinel incident's comment section. That functionality lets analysts add immediate value by documenting additional context and by viewing that context in a more meaningful way. Learn more about Markdown using this reference and the cheatsheet.
In this installment, we are delighted to provide an update on the incident comments feature and the several improvements that have been added to the incident comment section over the last few months, which include:
Common use cases that are improved by these new additions:
These improvements will greatly increase analysts' ability to enrich incidents with contextual information and to document work processes, and overall reduce the time it takes to resolve and respond to security incidents.
Try out the new comments improvements and let us know your feedback using any of the channels listed in the Resources. In the future, we will be looking to further increase the comment size and to support additional types of data being added to incidents.
Many thanks to @Ely_Abramovitch for the collaboration!