Parameterized Alerts in Azure Sentinel


A few months ago, Microsoft introduced a new functionality in Sentinel Analytics Rules that can be used to dynamically define values in incidents. Instead of hardcoding values like the incident name or its description, one can derive that content from the columns returned by the KQL query used for alerting. This is an option I needed in a lot of other SIEMs in the past, but most of the time it was not there.