Have you looked at Tasks https://learn.microsoft.com/en-us/azure/sentinel/incident-tasks ?
Microsoft Sentinel - Add note to table or function in KQL
Hello
I was wondering if there is a way to attach a note to a specific table or function in KQL so that an analyst using the table will see it when they use it in a query?
I work for an MSSP providing managed Sentinel SIEM. Analysts will regularly create queries to investigate activity; however, some log sources may have some filtering applied, e.g. two servers regularly speaking to each other might have logs for certain ports filtered due to log volume.
In this example, if an analyst is unaware there is filtering in place, either in Sentinel tables or at the log collector, they may mistakenly think the two servers are not communicating over a specific protocol. Being able to add a note specifying what logs are being filtered would be quite useful and would save time compared to checking documentation/logging config.
Is this currently a feature in Sentinel/KQL or is there something similar?
If not, I believe this would be a great addition for MSSPs, maybe an underline that provides more info when hovering over it, similar to the current red or purple underlines.
Thank you
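One workaround for the scenario in the question, added here as an example and not part of the original post or of any Sentinel feature: keep the filtering caveats in a saved KQL function and union them into the analyst's query so an empty result set is always shown next to the note that explains it. The function name `FilteredLogNotes`, the host names, IP addresses, ports and note texts are constructed assumptions; `CommonSecurityLog` and its columns are the standard Sentinel table.

```kusto
// Constructed example: a saved function acting as a "notes" catalogue for a table.
// Each row records a known collector- or ingestion-side filter. Values are illustrative.
let FilteredLogNotes = () {
    datatable(TableName:string, SourceIP:string, DestinationIP:string, DestinationPort:int, Note:string)
    [
        "CommonSecurityLog", "10.0.0.10", "10.0.0.20", 445,
            "SMB between APP01 and FILE01 is dropped at the log collector (volume). Absence here is not evidence of no communication.",
        "CommonSecurityLog", "10.0.0.10", "10.0.0.20", 3389,
            "RDP between APP01 and FILE01 is sampled 1:100 at the collector.",
        "CommonSecurityLog", "*", "*", 53,
            "DNS (port 53) flows are not collected from any sensor."
    ]
};
// Analyst question: did APP01 talk to FILE01 over SMB in the last day?
let srcIp = "10.0.0.10";
let dstIp = "10.0.0.20";
let dstPort = 445;
let Results = CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where SourceIP == srcIp and DestinationIP == dstIp and DestinationPort == dstPort
    | project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction
    | extend RowType = "Event";
// Notes whose tuple matches the filter the analyst applied; "*" acts as a wildcard.
let ApplicableNotes = FilteredLogNotes()
    | where TableName == "CommonSecurityLog"
    | where (SourceIP == srcIp or SourceIP == "*")
        and (DestinationIP == dstIp or DestinationIP == "*")
        and DestinationPort == dstPort
    | project Note, SourceIP, DestinationIP, DestinationPort
    | extend RowType = "FilteringNote", TimeGenerated = now();
// Union both: with zero events, the result still contains the caveat row(s),
// so "no rows" is read as "filtered at the collector", not "no traffic".
union Results, ApplicableNotes
| sort by RowType desc, TimeGenerated desc
```

Saving `FilteredLogNotes` as a workspace function lets every analyst call it without copying the catalogue, and the `where` on `RowType` can be dropped to list all caveats for a table.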