An Azure Sentinel GitHub Reorg and a Playbook to Auto-close MCAS Alerts

I hear from customers quite a bit that it’s hard to identify what’s new for Azure Sentinel — both in new console features and in additional GitHub repository collateral.

Personally, I use the RSS feed to monitor what’s new. And, you can too. Load the following up in your favorite RSS reader…

Azure Sentinel GitHub Repo RSS feed: https://github.com/Azure/Azure-Sentinel/commits/master.atom

And, don’t forget about the semi-often updated What’s New tab in the Azure Sentinel console:

What’s new – in the Azure Sentinel console

Interestingly though, I’ve had a lot of interest from customers and others in a regular newsletter that outlines “What’s new,” so I’m considering it. Watch this space for the announcement if that happens.

That said, there have been some interesting goings-on in the official Azure Sentinel GitHub repository recently. There’s some reorganization of which you should be aware, but also a timely Playbook for closing MCAS alerts from Azure Sentinel that should become popular pretty quickly. I say this is timely because I’ve put up a couple of posts recently (and will continue to do so) around tuning MCAS for Azure Sentinel. (See so far: Post 1, Post 2).

GitHub Repo Reorg

If you look at the Azure Sentinel GitHub repository (https://aka.ms/ASGitHub) today, there’s been some reorganization going on.

Check out the following areas for new content and a very welcome restructuring and categorization: DataConnectors, Parsers, Sample Data, Solutions, and Tools.

Look! Pretty, shiny things!

Close MCAS Alerts

In addition to the reorg, there’s a valuable new Playbook of interest. Don’t miss this one if you’re one of those who have longed for a way to close an MCAS alert when you close the Azure Sentinel Incident that’s based on the alert. When executed against the Incident, this new Playbook will close both the Azure Sentinel Incident AND the originating MCAS alert simultaneously. One small caveat about this, though, is that the Azure Sentinel Incident is closed without classification.

Check it out: Azure-Sentinel/Playbooks/Close-Incident-MCAS at master · Azure/Azure-Sentinel (github.com)

Make sure you follow the instructions provided on that page for generating the API token for MCAS to complete the Playbook configuration.

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
