Previously we learnt how to connect Azure Security Center to Azure Sentinel so that every alert generated by Azure Security Center becomes an incident in Azure Sentinel. Not all alerts are true positives, and sometimes you won't want to see them on the Azure Sentinel Incidents page.
While waiting for the Azure Security Center auto-dismiss feature to be released, there are a few options for you. In this article, let's take a quick look at a simple filtering feature in the Microsoft incident creation rule for filtering alerts.
Get all comments in an Azure Sentinel incident programmatically
For reporting purposes you may want to retrieve all comments in an Azure Sentinel incident in order to archive them as a forensic or incident artifact before the case is closed. Even if comments in Azure Sentinel are not especially helpful on their own, they still play an important role.
In this article, let's explore a way to extract all comments in an Azure Sentinel incident. You will be working with both PowerShell and Azure CLI (plus curl) against the Azure Sentinel comment API.