How do I Format Microsoft Sentinel Comments?

March 20, 2021|Nate Ruzicka

Clean up comments with a text editor and HTML tags.

Microsoft Sentinel allows analysts to add comments to incidents, but unfortunately in preview state we still don’t have the ability to format the text in the comment boxes. When an analyst leaves a comment, the words chop in half as soon as they reach the character limit of the comment text box.

In the first example image, a normal comment is displayed how it is formatted in the Microsoft Sentinel incident side-menu. The words “evaluated”, “there”, and “left” were all chopped into pieces because of the character limit. In the second example image the same thing happens with the word “excessive” in the Microsoft Sentinel View Full Details menu.

In this blog, we show how an analyst can edit their comments to get around the character limit restriction. By making a few quick edits to the comment, analysts can make their comments look clean, readable, and professional.

Text Editor

The first step for an analyst is to write out their comment in a text editor that shows the digit length of the text. The regular Notepad app built into all major operating systems has this feature, so no extra software is required. Once the comment is typed and double checked, the analyst should look at the “Col” or number of horizontal characters.

They should search for “62” which is the maximum value for the Microsoft Sentinel side-menu comments. The analyst should then use the enter key to separate the lines as soon as one of the words exceeds the 62-character limit.

HTML Break Tags

Unfortunately, Microsoft Sentinel does not recognize using the enter key as using a new line. Analysts will have to use the HTML break tag after their text to get the text to go to another line. The exact text they should paste after every line is “</br>” and it does not matter if the break tag exceeds the vertical character limit (Col).

Some of the HTML experts reading this blog may be thinking to themselves, “slashes are optional for break tags”. Normally they would be right, but Sentinel is picky about its break tags. The “</br>” version is the only way of writing a break tag that behaved as intended.

62 vs 128 Character Length

The 62-character length is used for comments that are intended to fit in the Comments section of the Microsoft Sentinel incident side-menu. If an analyst does not care about the side-menu or if they have a particularly large comment, they should use this method with a 128-character length so that it will fit in the View Full Details menu. The example image shows what the same comment looks like with both 62 and 128 in the View Full Details menu.

We will continue to share best practices and lessons learned in future posts on Microsoft Sentinel usability in customer environments. Microsoft Sentinel is constantly adding new features in preview, and the analysts at CyberMSI are ready with creative solutions when the preview features do not work as intended.

In closing, consider these three questions when using Microsoft Sentinel comments in your organization:

Do we take full advantage of the comments formatting in Microsoft Sentinel?
Will formatting issues affect the planned synchronized assignment and commenting with the Microsoft 365 Defender products?
Does this formatting issue affect how our security automations will leave comments on our incidents?

How Can We Help?

Main Contact Form

First Name

Last Name

Company Email

Company Name

Work Phone

Country

How can we help?

Additional Information

By checking this box, you consent to CyberMSI using the information you provided to subscribe you to communications and content from CyberMSI and its partners relevant to your request. Such communications may be in the form of email, phone, or postal service. You may unsubscribe at any time. CyberMSI respects your privacy: for additional details on how CyberMSI uses and protects your information, click here to view our Privacy Policy.