How to generate Sentinel incidents to test playbooks?


Is there a tool or way to generate specific incidents in Sentinel so that we can test playbooks?

Right now I am having to actually attempt to brute force a resource to generate an incident, is there not an easier way?

@ReccoB You can use the script found here https://gallery.technet.microsoft.com/PowerShell-script-to-0823e09d with some modifications to upload some dummy data into a custom log, create an analytics rule that looks for that information, and then assign a Playbook to that rule.

Keep in mind that this can only write to a custom log, hence the need for a new analytics rule (or change an existing one to look at the custom log).
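The approach in this answer, as an added example that is not the gallery script from the post: the legacy HTTP Data Collector API signs each POST with an HMAC-SHA256 over a canonical string, keyed with the base64-decoded workspace shared key, and writes the JSON body into a custom table named by the Log-Type header. The environment variable names, the log name PlaybookTest, the sample events and the analytics rule query are all assumptions made for this example.

```python
"""Push constructed test events into a Log Analytics custom log via the
legacy HTTP Data Collector API, so a Sentinel analytics rule (and the
playbook attached to it) can be exercised without real attacker traffic.

Added example, not the gallery script from the post. Assumptions:
  - workspace ID / shared key come from SENTINEL_WORKSPACE_ID and
    SENTINEL_SHARED_KEY (hypothetical environment variable names);
  - the custom log is named PlaybookTest (it appears as PlaybookTest_CL).
"""
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"
LOG_TYPE = "PlaybookTest"  # becomes the PlaybookTest_CL table

# Constructed sample events; the field names are arbitrary and only need
# to match the KQL of the analytics rule below.
SAMPLE_EVENTS = [
    {"TestMarker": "playbook-smoke-test", "SourceIp": "203.0.113.10",
     "Account": "testuser@example.com", "Action": "FailedLogin"},
    {"TestMarker": "playbook-smoke-test", "SourceIp": "203.0.113.10",
     "Account": "testuser@example.com", "Action": "FailedLogin"},
]

# Scheduled analytics rule query (assumed) that fires on the marker above.
# Map SourceIp_s to an IP entity and Account_s to an Account entity in the
# rule so the attached playbook receives populated entities.
ANALYTICS_RULE_KQL = """
PlaybookTest_CL
| where TestMarker_s == "playbook-smoke-test"
| summarize Attempts = count() by SourceIp_s, Account_s
| where Attempts >= 2
"""


def rfc1123_now(now=None):
    """x-ms-date header value; `now` is injectable for deterministic tests."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return now.strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_string_to_sign(content_length, date_header, method="POST"):
    """Canonical string the Data Collector API expects to be signed."""
    return "\n".join([method, str(content_length), CONTENT_TYPE,
                      "x-ms-date:" + date_header, RESOURCE])


def hmac_digest(shared_key_b64, string_to_sign):
    """HMAC-SHA256 over the canonical string, keyed with the decoded workspace key."""
    key = base64.b64decode(shared_key_b64)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()


def authorization_header(workspace_id, shared_key_b64, content_length, date_header):
    """'SharedKey <workspaceId>:<base64 signature>' as the API requires."""
    digest = hmac_digest(shared_key_b64,
                         build_string_to_sign(content_length, date_header))
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, events, now=None):
    """Return (url, headers, body) for posting `events` to the custom log."""
    body = json.dumps(events).encode("utf-8")
    date_header = rfc1123_now(now)
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Log-Type": LOG_TYPE,
        "x-ms-date": date_header,
        "Authorization": authorization_header(workspace_id, shared_key_b64,
                                              len(body), date_header),
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def post_events(workspace_id, shared_key_b64, events):
    """Send the events; the API answers HTTP 200 with an empty body on success."""
    url, headers, body = build_request(workspace_id, shared_key_b64, events)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    wid = os.environ["SENTINEL_WORKSPACE_ID"]
    key = os.environ["SENTINEL_SHARED_KEY"]
    print("HTTP", post_events(wid, key, SAMPLE_EVENTS))
```

Ingested rows take a few minutes to become queryable, so set the rule's lookback window wider than its run frequency, and use a marker field (as above) that real data will never carry so the test rule cannot fire on production events.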

@ReccoB You could also try this one:

https://secureinfra.blog/2020/08/13/azure-sentinel-analytics-rule-to-keep-track-of-cloud-shell/

All you have to do is initiate a Cloud Shell instance and an Incident will be created with the entities you need for investigations, automation, etc.

@Singanna Just remember there are two types of playbooks (the incident-based ones came out after that article was written) and, as of right now, only those that use the Alert trigger can be triggered manually, but those cannot be added to Automation rules.

The playbooks that use the Incident trigger cannot be triggered manually but can be added to Automation rules.

Hi Gary,
Thanks for the clarification.