
How to generate Sentinel incidents to test playbooks?


Is there a tool or way to generate specific incidents in Sentinel so that we can test playbooks?


Right now I am having to actually attempt to brute force a resource to generate an incident. Is there not an easier way?

9 Replies

@ReccoB You can use the script found here https://gallery.technet.microsoft.com/PowerShell-script-to-0823e09d with some modifications to upload some dummy data into a custom log, create an analytics rule that looks for that information, and then assign a Playbook to that rule.


Keep in mind that this can only write to a custom log, hence the need for a new analytics rule (or change an existing one to look at the custom log).

@ReccoB You could also try this one:


https://secureinfra.blog/2020/08/13/azure-sentinel-analytics-rule-to-keep-track-of-cloud-shell/


All you have to do is initiate a Cloud Shell instance and an Incident will be created with the entities you need for investigations, automation, etc.

@Singanna Just remember there are two types of playbooks (the incident-based ones came out after that article was written), and as of right now only those that use the Alert trigger can be triggered manually, but those cannot be added to Automation rules.


The playbooks that use the incident trigger cannot be triggered manually but can be added to Automation rules.

Hi Gary,
Thanks for the clarification.

This link is bad now.

Another option is to use the "datatable" command in a dummy analytic rule that will generate exactly what you need to test in your playbook and then switch to your real analytic rule when your testing is complete.
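
A dummy rule query of the kind this reply describes, as an added example that is not part of the thread (the column names and sample values are constructed test data, and the entity mapping to Account, IP and Host is configured in the rule wizard rather than in the query):

```kql
// Added example, not from the original thread: a scheduled analytics rule
// query that fabricates its own results with datatable, so the rule fires on
// every run and its attached playbook or automation rule can be exercised
// without touching a real resource.
// Column names and values below are constructed; in the rule wizard map
// TestAccount -> Account, TestIp -> IP, TestHost -> Host.
datatable(TestAccount:string, TestIp:string, TestHost:string, FailureCount:int)
[
    "svc-test@contoso.example",     "198.51.100.23", "TESTHOST01", 12,
    "analyst-test@contoso.example", "203.0.113.7",   "TESTHOST02", 8,
    "noise-test@contoso.example",   "192.0.2.44",    "TESTHOST03", 2
]
// Stamp the rows with the current time so they fall inside the rule's
// lookback window regardless of when it runs.
| extend TimeGenerated = now()
// Mirror the threshold logic of the real rule so the test incident carries
// the same shape of evidence the playbook will see in production.
| where FailureCount > 5
| extend AlertDetail = strcat("Test incident: ", FailureCount, " failed sign-ins for ", TestAccount, " from ", TestIp)
| project TimeGenerated, TestAccount, TestIp, TestHost, FailureCount, AlertDetail
```

Because the query returns rows on every run, the rule creates an incident each time it is scheduled until it is disabled or its query is replaced with the real one.
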

You can use my tool to generate sample CEF logs on a Linux machine, but you'll need it connected to Sentinel.

https://github.com/mlaraibkhan/CEF-LogGenerator