Microsoft Sentinel Blog
What’s New: HTML and Markdown support for incident comment

Cristhofer Munoz
Oct 08, 2020

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

The process of investigation is partly a science and partly an art. The analyst is ultimately building a storyline of what happened to determine whether the chain of events is the result of a malicious actor (often attempting to mask their actions/nature), a normal business/technical process, an innocent mistake, or something else.

As the analyst builds this understanding, they must capture a complete record of their conclusions and the reasoning/evidence behind them for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.). Documentation is imperative throughout the lifecycle of an investigation, and SOC analysts need flexible ways to document findings and add context.

With that in mind, we are delighted to announce that we have added the support for rendering HTML and Markdown in the Sentinel incident’s comment section! This gives you the ability to provide immediate value for documenting with additional context and the capability to view the context in a more meaningful way. Learn more about markdown using this reference and the cheatsheet.

For example, it's very easy to make some words **bold** and other words *italic* with Markdown. You can even [link to evidence!](http://google.com?q=evidence). The result would look like this:

Additionally, we increased the allowed size of comments from 1000 chars to 3000 chars. This will ensure that you have enough room to include contextual information to the comment field in Azure Sentinel.

Note: At the moment, we do not have an HTML/Markdown visual editor in the comments section. However, you can enter HTML/Markdown directly in the UI, or send it using a Logic App or the API, and the comment section will render it. We plan to add an HTML/Markdown editor to the comments section, and we also plan to support editing and deleting of comments.

How to:

Use case: Formatted enrichments using playbooks

Incident enrichment is a major use case in the process of incident triage, investigation, and response. This feature can also be used in tandem with playbooks (Logic Apps) to enrich incidents with external information.

The example below shows a comment added by an IP enrichment playbook that captures information from VirusTotal and adds it as formatted text to the incident comment section:
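
As an added example (not code from this post or from the Sentinel team), the Python helper below does what such an enrichment playbook does: it renders provider results as an HTML table, HTML-escapes every provider-supplied value before it is rendered in the analyst's console, keeps the comment within the 3000-character limit by dropping rows rather than cutting a tag in half, and assembles the incident-comments REST call. The subscription, workspace and incident names and the sample enrichment fields are constructed placeholders.

```python
import html
import json
import uuid

MAX_COMMENT_CHARS = 3000    # comment limit stated in the post after the increase
API_VERSION = "2020-01-01"  # SecurityInsights incident-comment API version


def build_enrichment_html(ip, source, fields, limit=MAX_COMMENT_CHARS):
    """Render enrichment results as an HTML table that fits the comment limit.

    Every value is HTML-escaped: providers echo back attacker-influenced strings
    (reverse-DNS names, WHOIS text) and the comment is rendered as HTML in the
    analyst's console. Rows that would overflow the limit are dropped and
    counted rather than cut mid-tag, so the table still renders.
    """
    head = (f"<h3>{html.escape(source)} results for {html.escape(ip)}</h3>"
            "<table><tr><th>Field</th><th>Value</th></tr>")
    tail = "</table>"
    note = '<tr><td colspan="2"><i>{n} more fields omitted</i></td></tr>'
    # Reserve space for the omission note using the largest count it could show.
    budget = limit - len(head) - len(tail) - len(note.format(n=len(fields)))
    rows, omitted = [], 0
    for key, value in fields.items():
        row = (f"<tr><td>{html.escape(str(key))}</td>"
               f"<td>{html.escape(str(value))}</td></tr>")
        if sum(map(len, rows)) + len(row) > budget:
            omitted += 1
            continue
        rows.append(row)
    body = "".join(rows) + (note.format(n=omitted) if omitted else "")
    return head + body + tail


def comment_request(subscription, resource_group, workspace, incident_id, message):
    """Assemble the PUT a playbook or script sends to add an incident comment.

    Returns (url, json_body); sending it with a bearer token is up to the caller.
    """
    if len(message) > MAX_COMMENT_CHARS:
        raise ValueError(f"comment exceeds {MAX_COMMENT_CHARS} characters")
    url = ("https://management.azure.com"
           f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
           f"/comments/{uuid.uuid4()}?api-version={API_VERSION}")
    return url, json.dumps({"properties": {"message": message}})
```

The same escaping applies to Markdown comments: a provider string that contains Markdown or HTML syntax will otherwise be interpreted rather than displayed.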

Get started today!

We encourage you to utilize this new set of features to enhance the way that you are documenting the investigation process and adding contextual information to incidents. 

Try it out and let us know what you think!

Updated Nov 03, 2021
Version 2.0
  • SocInABox (Iron Contributor)

    Hi Cristhofer Munoz,

    I've built a 'playbook advisor' playbook, which adds comments and recommends which playbooks could be run based on the alert name and the entities available.

    It would be amazing if there's a way to add a 'Run' button to the comments, but I don't know if it's possible to create such a url to point to the playbook for that incident and execute it?

    Thanks.

  • SocInABox (Iron Contributor)

    A tip for anyone trying this in a playbook.

    If you add html markups to the Azure Sentinel "Add comment to incident" operator, it may not show up in the comments as you expect.

    Likely because that operator has a built in editor, so it expects you to format using its own editing tools.

    However if you create a variable and add your markups inside the variable they will be allowed.

    eg. create a string variable named 'test1' and add this content:

    <h1> Testing </h1>
    <table>
      <tr>
        <th>Person 1</th>
        <th>Person 2</th>
        <th>Person 3</th>
      </tr>
      <tr>
        <td>val1</td>
        <td>val2</td>
        <td>val3</td>
      </tr>
    </table>

    Then add test1 to the "Add comment to incident" operator.

    Resulting comment:

  • LiamWBA (Copper Contributor)

    Cristhofer Munoz 

    I am having an absolute nightmare with this formatting! It's all over the shop! Here is a snippet of my generated output in a logic app (omitted for brevity):

    <!DOCTYPE html>
    <html>
    <h2>IPs in Sign-in Logs Reputations</h2>
    <p>Logic has checked the reputations of each IP present in user(s) sign in logs.</p>
    <h3 style="font-family: tahoma"><u><strong>abuseIP DB Results</strong></u></h3>
    <table>
        <thead>
            <tr>
                <th>IP Address</th>
                <th>ISP</th>
                <th>Country</th>
                <th>Usage Type</th>
                <th>Related Domains</th>
                <th>Reported Domains Names</th>
                <th>Abuse Confidence Score</th>
                <th>Is Public</th>
                <th>Is Whitelisted</th>
                <th>Total Reports</th>
                <th>Distinct Reports</th>
                <th>Last Report</th>
                <th>Full Report URL</th>
            </tr>
        </thead>
        <tbody>
            <tr style="background-color:green;">
                <td>******</td>
                <td>Amazon Data Services UK</td>
                <td>GB</td>
                <td>Data Center/Web Hosting/Transit</td>
                <td>amazon.com</td>
                <td>["ec2-*****.eu-west-2.compute.amazonaws.com"]</td>
                <td>0</td>
                <td>True</td>
                <td>False</td>
                <td>0</td>
                <td>0</td>
                <td>2023-10-05T12:45:29+00:00</td>
                <td><a href="https://www.abuseipdb.com/check/******">Full Report</a></td>
            </tr>
        </tbody>
    </table><br>
    <p><span style="font-family: tahoma"><u><strong>IP Quality Score Results</strong></u></span></p>
    <table>
        <thead>
            <tr>
                <th>IP</th>
                <th>Is Crawler</th>
                <th>Is VPN</th>
                <th>TOR?</th>
                <th>Fraud Score</th>
            </tr>
        </thead>
        <tbody>
            <tr style="background-color:crimson;">
                <td>****</td>
                <td>False</td>
                <td>True</td>
                <td>False</td>
                <td>100</td>
            </tr>
        </tbody>
    </table>
    </html>

    I have grabbed this out of the logic app and tested it in a browser; it looks perfect!

    This is what my incident comment looks like:

    Stripey tables, one row formats but the next row doesn't. I think this has to be a bug because when I inspect the page in the browser the correct formatting is applied to the HTML: