# A Companion Chrome Browser Extension for Microsoft Sentinel that enables Desktop Notifications, Queue Filtering, and quick-hand OSINT tools

CrashCringle12/SentiBuddy

The extension gives desktop notifications for events in the queue. You will need a new tab dedicated exclusively to the queue (it does not always need to be visible). The number of notifications you receive depends heavily on your filters, particularly whether you display only New or both New & Active incidents. It is recommended to set your dedicated queue tab's status filter to New.

Presently, the extension will notify you of the following:

  • New - A new incident has appeared in the queue that has not appeared before during your current session.
  • xxxx claimed - An incident previously seen in your session has had an Owner change.
  • A ---> B - The severity of a previously seen incident in your session has changed from A → B (shows as New* on older versions).
  • Updated - The status of an incident previously seen in your session has changed.
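The four notification types above can be derived by diffing each refresh of the queue against the incidents already seen this session. The following is an added illustration and is not the SentiBuddy extension's own code; the incident fields (id, owner, severity, status) and the sample rows are assumptions.

```javascript
// Added example, not the extension's own code. Compare the incidents currently
// in the queue against the ones already seen this session and emit the README's
// notification types. Field names and sample data are assumptions.
function diffQueue(seen, current) {
  const events = [];
  for (const inc of current) {
    const prev = seen.get(inc.id);
    if (!prev) {
      events.push({ id: inc.id, text: "New" }); // never seen this session
    } else {
      if (prev.owner !== inc.owner) {
        events.push({ id: inc.id, text: `${inc.owner || "Unassigned"} claimed` });
      }
      if (prev.severity !== inc.severity) {
        events.push({ id: inc.id, text: `${prev.severity} ---> ${inc.severity}` });
      }
      if (prev.status !== inc.status) {
        events.push({ id: inc.id, text: "Updated" });
      }
    }
    seen.set(inc.id, { ...inc }); // remember the latest state for the session
  }
  return events;
}

// Constructed sample session: two consecutive refreshes of the queue.
function runSample() {
  const seen = new Map();
  const firstRefresh = [
    { id: 101, title: "Suspicious sign-in", owner: "", severity: "Medium", status: "New" },
    { id: 102, title: "Malware detected", owner: "alice", severity: "High", status: "Active" },
  ];
  diffQueue(seen, firstRefresh); // both rows are reported as New here
  const secondRefresh = [
    { id: 101, title: "Suspicious sign-in", owner: "bob", severity: "High", status: "Active" },
    { id: 102, title: "Malware detected", owner: "alice", severity: "High", status: "Active" },
    { id: 103, title: "Brute force", owner: "", severity: "Low", status: "New" },
  ];
  return diffQueue(seen, secondRefresh).map((e) => `${e.id}: ${e.text}`);
}
```

Incident 101 produces three separate notifications in the second refresh (owner, severity and status all changed), which is why a busy queue with the Active filter on can get noisy.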

Instructions

  1. Download the extension zip here and unzip it to reveal its contents.
  2. Open Chrome, click on the puzzle piece icon and select Manage Extensions.
  3. Enable Developer Mode in the upper right corner.
  4. Select "Load unpacked" and select the SentinelQueueNotifs folder that you unzipped in Step 1.
  5. Verify the extension appears in the listing.
  6. Open a new tab and pull up the queue as you normally would (including any filters).
  7. To toggle the extension, press ALT+A (Windows) or CMD+A (Mac).
  8. Click on any alert. A red dotted line will surround the queue and a sample notification will display, signifying the extension has been enabled.
  9. Make sure Auto-refresh Incidents is enabled.

🔍Filtering Alerts [out of queue] with RegEx

This extension also allows you to filter incidents by Title or Tags using regular expressions. The config can be accessed at any time by pressing ALT+C. Here is an example configuration:


doRemoveFilteredFromQueue - If this is set to true, then new incidents whose title is matched by one of your regex patterns will be visually removed from the queue. These incidents will still be in the queue (untouched), but they will be hidden on your client.

Filter Title Regex Patterns - This is where you provide a list of regex patterns to check each new title against. If an incident is matched, it will not send a notification. Additionally, if doRemoveFilteredFromQueue is true, the incident will be visually removed from the queue.

In the example configuration, new incidents that begin with "Dummy -" or "TestAlert -", have the tag "Completed", or have a tag beginning with "DoNot" will not send notifications and will be hidden in your dedicated queue.

Filter Tags Regex Patterns - This is where you provide a list of regex patterns to check each tag against. If an incident is matched, it will not send a notification, and if doRemoveFilteredFromQueue is true, the incident will be visually removed from the queue.
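How the title and tag filters combine into the two outcomes described above (suppress the notification, optionally hide the row), as an added example that is not the extension's own code. The config keys mirror the settings described in this section, the incident shape { title, tags } is an assumption, and the patterns reproduce the example configuration.

```javascript
// Added example, not the extension's own code. Decide for one incident whether
// to notify and whether to hide its row, using the README's filter settings.
// Config key names and the incident shape are assumptions.
const exampleConfig = {
  doRemoveFilteredFromQueue: true,
  filterTitleRegexPatterns: ["^Dummy - ", "^TestAlert - "],
  // Anchored on purpose: a bare "Completed" would also match "Not Completed".
  filterTagsRegexPatterns: ["^Completed$", "^DoNot"],
};

// Compile user-supplied patterns; a malformed pattern is skipped rather than
// letting one typo disable every filter.
function compilePatterns(patterns) {
  const compiled = [];
  for (const p of patterns) {
    try {
      compiled.push(new RegExp(p));
    } catch (err) {
      console.warn(`Skipping invalid pattern ${JSON.stringify(p)}: ${err.message}`);
    }
  }
  return compiled;
}

function evaluateIncident(incident, cfg) {
  const titleRes = compilePatterns(cfg.filterTitleRegexPatterns);
  const tagRes = compilePatterns(cfg.filterTagsRegexPatterns);
  const titleHit = titleRes.some((re) => re.test(incident.title));
  const tagHit = (incident.tags || []).some((tag) => tagRes.some((re) => re.test(tag)));
  const filtered = titleHit || tagHit;
  return {
    notify: !filtered,                                   // matched incidents are silent
    hideRow: filtered && cfg.doRemoveFilteredFromQueue,  // client-side only, never changes Sentinel
    reason: titleHit ? "title" : tagHit ? "tag" : null,
  };
}
```

Hiding is purely cosmetic, so any incident the filter swallows must still be reviewed in Sentinel itself; the filters only shape what this tab tells you about.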

Enable Desktop Notifications - Determines whether Desktop Notifications are enabled or not.

Only Notify On Latest - If this is enabled, you will only receive desktop notifications for the latest new entry in the queue. If this is disabled, the extension will process the entire queue and send notifications accordingly (new or modified incidents).

Abuse IPDB APIKey - Needed to quickly provide OSINT on the IP in your clipboard from your current page. Make an account on https://www.abuseipdb.com/ to get your API key.

VirusTotal APIKey - Currently unused, but coming in a later update.

Notes

Make sure you set the configuration before setting up the extension. If you want to make edits after the fact, you can click the Update button on the Extensions page to reload the contents of the extension. Just make sure you restart your browser.

Refreshing the page or changing filters will unhide any hidden incidents.

This does NOT actually remove anything from the queue; it only removes the HTML that displays the row of the specific alert.

📄 FAQ

  • Feel free to minimize this window if needed.
  • You are able to safely refresh and alter filters.
  • Feedback and suggestions welcome 🍎!

Do not use this tab for normal browsing. The extension requires a dedicated tab for monitoring the queue for updates. As long as this tab exists and the extension is enabled, you will continue to receive notifications.

Troubleshooting

  • The extension must be loaded before navigating to the queue. If you already pulled up the queue while setting up the extension, try reloading the page or restarting Chrome.
  • If you are not seeing the red dotted line:
    • Try clicking on an incident.
    • Try holding ALT first, then pressing A while still holding the key. Release the keys, then click on an incident.
    • Check your active extensions (see Step 2) and ensure the extension appears there.
  • If you are not receiving notifications, check your device's notification settings.
  • If you are using Focus Assist, you will need to manually allow Chrome to show notifications.
  • For any other issues, feel free to open an issue.
