Microsoft Azure Sentinel 101: Update alert descriptions dynamically without limits — Unlimited metadata options with helpful content.

Truvis Thornton
3 min read · Jun 14, 2024


In this article, we will walk through how to add more metadata and context to the alert description, so your analysts can see what happened at a glance and so you can add tags if desired.

Here is the error message we are going to bypass:

Query

Let’s open our analytic rule and update the query to the following:

What we do with the KQL is simple. We first define the variable we wish to append to:

| extend AlertDescription = "TRUVIS - LINUX - SSH LOGIN "

Next, we can add context based on the account seen. For a more powerful account, such as root, we change the message:

| extend AlertDescription = iif(User contains "root", strcat(AlertDescription, "for ", User, " was seen as successful. This should be investigated with greater priority as this is the root account."), strcat(AlertDescription, "for ", User, " was seen as successful. This should be investigated."))

Next, let's add more details:

| extend AlertDescription = strcat(AlertDescription, " The login came from: ", IPaddr, " and the access happened on ", Computer)

Finally, let's add some tags for our automation logic to trigger on. We are using our alert severity from a previous guide to add the tag dynamically:

| extend AlertDescription = strcat(AlertDescription, "\r\n AS:",AlertSeverty," \r\n TLP:RED")
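The four steps above assembled into one query you can run in Log Analytics before pasting it into the analytic rule. This is an added example, not the author's query: the column names User, IPaddr, Computer and AlertSeverty come from the article, while the datatable rows are constructed sample data.

```kusto
// Constructed sample input standing in for the real SSH login events.
let SshLogins = datatable(TimeGenerated:datetime, User:string, IPaddr:string, Computer:string, AlertSeverty:string)
[
    datetime(2024-06-14 10:15:00), "root",  "198.51.100.23", "web01", "High",
    datetime(2024-06-14 10:17:00), "alice", "203.0.113.7",   "db02",  "Medium"
];
SshLogins
// 1. Start with the fixed prefix (note the trailing space).
| extend AlertDescription = "TRUVIS - LINUX - SSH LOGIN "
// 2. Branch on the account seen: root gets a higher-priority wording.
| extend AlertDescription = iif(User contains "root",
    strcat(AlertDescription, "for ", User, " was seen as successful. This should be investigated with greater priority as this is the root account."),
    strcat(AlertDescription, "for ", User, " was seen as successful. This should be investigated."))
// 3. Add where the login came from and which host it landed on.
| extend AlertDescription = strcat(AlertDescription, " The login came from: ", IPaddr, " and the access happened on ", Computer)
// 4. Append machine-readable tags for automation to key on.
| extend AlertDescription = strcat(AlertDescription, "\r\n AS:", AlertSeverty, " \r\n TLP:RED")
// Sanity check: confirm the root branch fired and see how long the text gets.
| extend IsRootLogin = User contains "root", DescriptionLength = strlen(AlertDescription)
| project TimeGenerated, User, IsRootLogin, DescriptionLength, AlertDescription
```

The root row should show IsRootLogin = true and the longer wording; the alice row the shorter one, each ending with the AS: and TLP: tags.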

Testing, we can see this working:

Analytic Rule

Let's update the rule and point the description key at our new column:

Testing an alert firing, we can now see we have all the information we need:

Hopefully this has helped get you started and given you a bunch of ideas on how to build out alerts with lots of enrichment for your SOC teams, and to allow tagging for automations!

☕ Like what you read? Did it help you?

Send some coffee and love https://buymeacoffee.com/truvis :)
Your support helps pay for licenses, research & development, and other costs that allow me to bring you new guides and content!

❗If you are new to my content, be sure to follow/connect with me on all my other socials for new ideas and solutions to complicated real world problems and jump start your career! New content drops daily/weekly along with tips and tricks :)

👉 W: https://truv.is
👉 T: https://twitter.com/thattechkitten
👉 Y: https://www.youtube.com/@TRUValueInformationSecurity
👉 G: https://github.com/truvis
👉 L: https://www.linkedin.com/in/truvisthornton
👉 M: https://medium.com/@truvis.thornton
