This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.
The process of investigation is partly a science and partly an art. The analyst is ultimately building a storyline of what happened to determine whether the chain of events is the result of a malicious actor (often attempting to mask their actions/nature), a normal business/technical process, an innocent mistake, or something else.
As the analyst builds this understanding, they must capture a complete record with their conclusions and reasoning/evidence for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.). Documentation is imperative to the lifecycle of an investigation and having the ability to support various ways to document and add context is necessary for SOC analysts.
With that in mind, we are delighted to announce that we have added the support for rendering HTML and Markdown in the Sentinel incident’s comment section! This gives you the ability to provide immediate value for documenting with additional context and the capability to view the context in a more meaningful way. Learn more about markdown using this reference and the cheatsheet.
For eaxmple, it’s very easy to make some words **bold** and other words *italic* with Markdown. You can even [link to evidence!](http://google.com?q=evidence). The result would look like this:
Additionally, we increased the allowed size of comments from 1000 chars to 3000 chars. This will ensure that you have enough room to include contextual information to the comment field in Azure Sentinel.
Note: At the moment, we do not have an HTML/Markdown visual editor in the comments section. However, you can input HTML/Markdown directly through the UI using the Markdown syntax, or send it using a Logic App or the API and the comment section will render it. We plan to add an HTML/Markdown editor to the comments section. Additionally, we also plan to support editing and deleting of comments.
Use case: Formatted enrichments using playbooks
Incident enrichment is a major use case is the process of incident triage, investigation, and response. This feature can also be used in tandem with playbooks (LogicApps) to enrich incidents with external information.
The example below shows a comment added by an IP enrichment playbook that captures information from VirusTotal and adds it as a formatted text to the incident comment section:
Get started today!
We encourage you to utilize this new set of features to enhance the way that you are documenting the investigation process and adding contextual information to incidents.
Try it out and let us know what you think!