
Sentinel Custom Alert Details

Have you ever wished that Sentinel Incidents and alert would show a little more info than just the generic title and description you entered in the Analytics Rule? Well, there is a way and I'll show you all about it in this post!

Intro

First off, let's take a look at a generic Analytics Rule:

Generic Analytics Rule Overview

Opening it, you can see that it has a static name and description, as we are accustomed to.

Generic Analytics Rule Details

And, of course, all incidents created by the rule have the same title and description as well:

Generic Analytics Rule Incident

Generic Analytics Rule Incident Details

Custom Alert details

Now, let's dive into the so-called Alert details! You can find them in the Analytics Rule wizard under Alert enhancement --> Alert details:

Alert details overview

Here you can see that Sentinel allows you to enter a customized title and description for the alert.

Note

This is only for the alerts, not the incident. Later in this post I will show you what difference that makes.

You can reference any column returned by the rule query by putting the column name into double braces: {{ }}.

Alert details with values

Warning

The form has a weird kind of IntelliSense. As soon as you write the first brace you have to choose from the list (typing filters the list). Don't write a second bracket yourself; IntelliSense will always do that. Otherwise you'll end up with too many brackets and the variable will not work.

"Intelli"Sense
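To make the placeholder syntax and the "too many brackets" pitfall concrete, here is an added Python example (not from the original post, and not Microsoft's code) that lints the title and description format strings of a rule exported as an ARM template and renders them against a sample query row. It also models the behaviour described later in the post: the incident takes the alert's rendered title but keeps the rule's static description. The property names under alertDetailsOverride follow the Microsoft Sentinel REST API for scheduled rules; the rule content, the query columns, the row values and the helper names (lint_format, render, incident_view) are constructed for this example.

```python
import re

# Constructed sample: a minimal scheduled analytics rule as it would appear in an
# exported ARM template. Only the fields relevant to alert details are filled in.
SAMPLE_RULE = {
    "type": "Microsoft.SecurityInsights/alertRules",
    "kind": "Scheduled",
    "properties": {
        "displayName": "Generic Analytics Rule",
        "description": "Static description entered in the wizard.",
        "query": (
            "SigninLogs | where ResultType == 50126 "
            "| summarize Attempts=count() by UserPrincipalName, IPAddress"
        ),
        "alertDetailsOverride": {
            "alertDisplayNameFormat": "Failed sign-ins for {{UserPrincipalName}} from {{IPAddress}}",
            "alertDescriptionFormat": "{{Attempts}} failed attempts from {{IPAddress}}",
        },
    },
}

# Columns the rule query projects (here read off the summarize clause by hand;
# in practice you'd take them from the query's output schema).
QUERY_COLUMNS = {"UserPrincipalName", "IPAddress", "Attempts"}

# A well-formed placeholder: exactly two braces around a column name.
PLACEHOLDER = re.compile(r"\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}")


def lint_format(fmt, columns):
    """Return a list of problems found in one alert detail format string.

    Catches the two things that silently break a placeholder in the portal:
    braces that don't match up, and the tripled braces IntelliSense produces
    when you type the closing bracket yourself. Also flags placeholders that
    name a column the query does not return.
    """
    problems = []
    if fmt.count("{") != fmt.count("}"):
        problems.append("unbalanced braces")
    if "{{{" in fmt or "}}}" in fmt:
        problems.append("too many braces around a placeholder")
    for name in PLACEHOLDER.findall(fmt):
        if name not in columns:
            problems.append(f"unknown column {name!r}")
    return problems


def lint_rule(rule, columns):
    """Lint both override fields of a rule; returns {field: [problems]}."""
    override = rule["properties"].get("alertDetailsOverride", {})
    return {
        field: lint_format(override[field], columns)
        for field in ("alertDisplayNameFormat", "alertDescriptionFormat")
        if field in override
    }


def render(fmt, row):
    """Substitute {{Column}} placeholders with values from one query result row.

    Unknown placeholders are left untouched so they stay visible in the output.
    """
    return PLACEHOLDER.sub(lambda m: str(row.get(m.group(1), m.group(0))), fmt)


def incident_view(rule, row):
    """Model what the incident shows: the rendered alert title, but the rule's
    static description (Sentinel does not propagate the alert description)."""
    props = rule["properties"]
    override = props["alertDetailsOverride"]
    return {
        "alert_title": render(override["alertDisplayNameFormat"], row),
        "alert_description": render(override["alertDescriptionFormat"], row),
        "incident_title": render(override["alertDisplayNameFormat"], row),
        "incident_description": props["description"],
    }


if __name__ == "__main__":
    # Constructed sample row, as the rule query might return it.
    row = {"UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.5", "Attempts": 7}
    print(lint_rule(SAMPLE_RULE, QUERY_COLUMNS))
    print(incident_view(SAMPLE_RULE, row))
```

Running lint_rule over every scheduled rule in an exported template is a cheap way to catch broken placeholders before they reach analysts as literal "{{{AccountName}}}" text in an incident title.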

Save all that and you're good to go!

The result

All new incidents now have our custom title:

Alert details with values

As I mentioned earlier, the custom details are actually not for the incident, but for the alert the incident is based on. Weirdly, Sentinel uses the alert's title for the incident, but not the description. So we don't see our nice description in the incident, only when we open the alert itself, as you can see below. This is the only "restriction" in all this.

Alert details with values

Closing thoughts

In my opinion one should use the custom alert details in almost any rule. It's an easy option to accelerate incident response. Seeing more details in just the title goes a long way. Shaving a minute of querying off here and there amounts to some nice time savings overall. My example is of course not the best, since all the details would be surfaced by proper entity mapping (which is even more important), but you can use the custom alert details to focus on the most relevant details only.

So, should you use custom alert details in every Analytics Rule? Well, it depends. I would recommend using them to offer more precise information, e.g. when entity mapping shows multiple users, or for information that entity mapping can't show because it doesn't support the fields you want to promote. Also, some incidents simply benefit from a more concise title, but not all. Long story short: You don't have to do this for all Analytics Rules, but probably for about half of them. I suggest just trying it out; then you will find your modus operandi.