Azure Sentinel — Alerts

Adrian Grigorof
6 min read · Apr 5, 2019

This article is the 6th in the “Azure Sentinel” series. It started with a post on Day 1, followed by Day 2, Day 5, Day 18 and Day 28 articles published on LinkedIn and Medium. I’ve decided to change the title to something more relevant to the content, so this article is about Azure Sentinel alerts.

In my last article I promised that I would discuss Sentinel alerts and playbooks, but it turns out that the subject is too wide for a single post, so here we will only describe the creation of alerts.

Those who are hands-on with Azure Log Analytics may already know that every time you create and run a Kusto query, you have the option of converting that query into an alert. Typically, from the Logs interface, you are just a few clicks away from turning the search you have just run into an alert.

However, this adds the alert in Azure Monitor, not in Sentinel. The alert will work, but there will be no integration with Sentinel and the features that depend on alerts (such as cases). To configure a Sentinel alert, one has to navigate to the Azure Sentinel Analytics configuration page:

Selecting Analytics, we end up with the list of alerts that are currently defined and the options to manage…
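As an added example that is not from the article, here is a Kusto query of the kind that would back a scheduled Sentinel alert rule defined under Analytics: it counts failed Windows logon events per account and source address over the rule's lookback window, so the rule can fire when the query returns one or more rows. The SecurityEvent table and its columns come from the Security Events connector; the lookback and threshold values are assumptions to adjust for your workspace.

```kql
// Added example (not from the article): a query for a scheduled Sentinel
// alert rule. Pasted into Logs and saved as an alert it lands in Azure
// Monitor; created under Sentinel > Analytics it becomes a Sentinel alert
// that can open cases. Assumes the Security Events connector populates
// SecurityEvent and that the rule runs hourly with a 1-hour lookback.
let lookback = 1h;      // match the rule's query period (assumption)
let threshold = 10;     // failed logons per account/IP pair (assumption)
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                          // "An account failed to log on"
| where isnotempty(IpAddress) and IpAddress != "-"
| summarize
    FailedLogons = count(),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    Hosts        = make_set(Computer)
    by Account, IpAddress
| where FailedLogons >= threshold
| order by FailedLogons desc
```

Each returned row is one account/source pair above the threshold, which keeps the alert count manageable compared with alerting on every single 4625 event.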


Adrian Grigorof

Senior Security Architect, CISSP, CISM, CRISC, CCSK, MCSE, BSc