How do I Format Azure Sentinel Comments?
Clean up comments with a text editor and HTML tags.
Azure Sentinel allows analysts to add comments to incidents, but unfortunately in preview state we still don’t have the ability to format the text in the comment boxes. When an analyst leaves a comment, the words chop in half as soon as they reach the character limit of the comment text box.
In the first example image, a normal comment is displayed how it is formatted in the Azure Sentinel incident side-menu. The words “evaluated”, “there”, and “left” were all chopped into pieces because of the character limit. In the second example image the same thing happens with the word “excessive” in the Azure Sentinel View Full Details menu.
In this blog, we show how an analyst can edit their comments to get around the character limit restriction. By making a few quick edits to the comment, analysts can make their comments look clean, readable, and professional.
The first step for an analyst is to write out their comment in a text editor that shows the digit length of the text. The regular Notepad app built into all major operating systems has this feature, so no extra software is required. Once the comment is typed and double checked, the analyst should look at the “Col” or number of horizontal characters.
They should search for “62” which is the maximum value for the Azure Sentinel side-menu comments. The analyst should then use the enter key to separate the lines as soon as one of the words exceeds the 62-character limit.
HTML Break Tags
Unfortunately, Azure Sentinel does not recognize using the enter key as using a new line. Analysts will have to use the HTML break tag after their text to get the text to go to another line. The exact text they should paste after every line is “</br>” and it does not matter if the break tag exceeds the vertical character limit (Col).
Some of the HTML experts reading this blog may be thinking to themselves, “slashes are optional for break tags”. Normally they would be right, but Sentinel is picky about its break tags. The “</br>” version is the only way of writing a break tag that behaved as intended.
62 vs 128 Character Length
The 62-character length is used for comments that are intended to fit in the Comments section of the Azure Sentinel incident side-menu. If an analyst does not care about the side-menu or if they have a particularly large comment, they should use this method with a 128-character length so that it will fit in the View Full Details menu. The example image shows what the same comment looks like with both 62 and 128 in the View Full Details menu.
We will continue to share best practices and lessons learned in future posts on Azure Sentinel usability in customer environments. Azure Sentinel is constantly adding new features in preview, and the analysts at CyberMSI are ready with creative solutions when the preview features do not work as intended.
In closing, consider these three questions when using Azure Sentinel comments in your organization:
- Do we take full advantage of the comments formatting in Azure Sentinel?
- Will formatting issues affect the planned synchronized assignment and commenting with the Microsoft 365 Defender products?
- Does this formatting issue affect how our security automations will leave comments on our incidents?