Description
Is your feature request related to a problem? Please describe.
Our SOC asked me to build a "Pivot Links" comment enrichment to provide direct links to entities. This is useful for when they have to leave Sentinel to search for data in another Microsoft product. This is just a playbook that comments with static links to entities. This saves time in manually going to the other Microsoft tool and searching for the entity in question.
Describe the solution you'd like
Only link I've added so far is for Emails which uses the NetworkMessageId from the "Mail message" entity. This is instead of the multiple steps required in searching Defender XDR for the email.
The Sentinel "Mail message" entity has the NetworkMessageId which can be added to a URL to direct link to that email in Defender XDR.
https://security.microsoft.com/threatexplorerv3?dltarget=Explorer&dlstorage=Url&viewid=allemail&query-NetworkMessageId=<NMID in question>
You can add that as a hyperlink of the Email Subject by grabbing the subject with the query
EmailEvents
| where TimeGenerated > ago(89d)
| where NetworkMessageId == "NMID in question"
| summarize arg_max(TimeGenerated, *) by NetworkMessageId
| project Subject
Describe alternatives you've considered
Manually searching
Additional context
Happy to share the current playbook if that would be useful.
Wanted to share this as an idea that could be useful for other entity types for when users have to pivot out of Sentinel to other Microsoft products.
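The following is an added worked example of the enrichment described in this issue; it is not the author's playbook and not part of the repository. It builds the Threat Explorer deep link from the issue's URL, renders the issue's KQL for fetching the Subject, and turns the Mail message entities of an incident into HTML hyperlinks for a comment. Assumptions that are not from the issue: entities are shaped like Sentinel REST API entity objects (kind "MailMessage" with properties "networkMessageId" and "subject"), NetworkMessageId values are GUIDs, and the sample entities are constructed. The two checks a practitioner would want are shown: the NetworkMessageId is percent-encoded so a crafted value cannot rewrite the rest of the query string, and the subject (sender-controlled text) is HTML-escaped before it lands in a comment analysts will click.

```python
"""Build Defender XDR "pivot links" for Mail message entities on a Sentinel incident.

Added example (not the playbook from the issue). Assumptions, not from the page:
- incident entities look like Sentinel REST API entity objects: kind "MailMessage"
  with properties "networkMessageId" and "subject";
- the Threat Explorer URL is the one quoted in the issue;
- NetworkMessageId values are GUIDs (used as a sanity check before they are
  interpolated into KQL).
"""
import re
from html import escape
from typing import Optional
from urllib.parse import quote

THREAT_EXPLORER = "https://security.microsoft.com/threatexplorerv3"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def threat_explorer_url(network_message_id: str) -> str:
    """Deep link to one email in Threat Explorer (URL format from the issue)."""
    # The value comes from a mail header the sender controls, so percent-encode it;
    # otherwise "&viewid=..." inside it would rewrite the rest of the query string.
    nmid = quote(network_message_id.strip(), safe="")
    return (f"{THREAT_EXPLORER}?dltarget=Explorer&dlstorage=Url"
            f"&viewid=allemail&query-NetworkMessageId={nmid}")


def subject_query(network_message_id: str, lookback_days: int = 89) -> str:
    """KQL from the issue that fetches the newest Subject for a NetworkMessageId."""
    # Interpolating untrusted text into KQL is injection-prone, so only accept
    # the GUID shape (assumption); a GUID cannot contain quotes, backslashes or newlines.
    if not GUID_RE.match(network_message_id):
        raise ValueError(f"NetworkMessageId is not a GUID: {network_message_id!r}")
    return (
        "EmailEvents\n"
        f"| where TimeGenerated > ago({int(lookback_days)}d)\n"
        f'| where NetworkMessageId == "{network_message_id}"\n'
        "| summarize arg_max(TimeGenerated, *) by NetworkMessageId\n"
        "| project Subject"
    )


def pivot_link_html(network_message_id: str, subject: Optional[str]) -> str:
    """One <a> tag for the incident comment; the subject is the link text."""
    # Subject is attacker-controlled, so HTML-escape it (and the href) before it
    # lands in a comment that analysts will click on.
    label = escape(subject) if subject else escape(network_message_id)
    return f'<a href="{escape(threat_explorer_url(network_message_id))}">{label}</a>'


def mail_message_pivots(entities: list) -> list:
    """Return one pivot link per distinct Mail message entity, skipping other kinds."""
    links, seen = [], set()
    for entity in entities:
        if entity.get("kind") != "MailMessage":
            continue
        props = entity.get("properties", {})
        nmid = props.get("networkMessageId")
        if not nmid or nmid in seen:  # the same mail often appears on several alerts
            continue
        seen.add(nmid)
        links.append(pivot_link_html(nmid, props.get("subject")))
    return links


# Constructed sample entities (not real incident data).
SAMPLE_ENTITIES = [
    {"kind": "MailMessage", "properties": {
        "networkMessageId": "8f5bd6c7-1234-4e5a-9abc-0123456789ab",
        "subject": "Invoice <urgent> & overdue"}},
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
    {"kind": "MailMessage", "properties": {          # duplicate of the first message
        "networkMessageId": "8f5bd6c7-1234-4e5a-9abc-0123456789ab",
        "subject": "Invoice <urgent> & overdue"}},
    {"kind": "MailMessage", "properties": {          # no subject on the entity
        "networkMessageId": "0d1e2f3a-4b5c-4d6e-8f90-a1b2c3d4e5f6"}},
]

if __name__ == "__main__":
    for link in mail_message_pivots(SAMPLE_ENTITIES):
        print(link)
    print(subject_query("8f5bd6c7-1234-4e5a-9abc-0123456789ab"))
```

In a Logic App the same three pieces map onto the "Entities - Get Mail Messages" action, a "Run query and list results" action for the Subject, and an "Add comment to incident" action whose body is the HTML produced here; the escaping and the GUID check are the parts worth keeping regardless of which action does the work. If the entity already carries a subject, the KQL round trip can be skipped, which is what the fallback in `pivot_link_html` allows for.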