Sentinel Watcher — Browser Extension
Sound + notification alerts for new Microsoft Sentinel incidents.
Works on portal.azure.com and security.microsoft.com using your existing browser session.
No API keys or app registrations required.
Install (Chrome / Edge)
- Unzip this folder somewhere permanent (do not delete it after loading).
- Open Chrome → go to
chrome://extensions
Or Edge → go to edge://extensions
- Enable Developer mode (toggle, top right).
- Click Load unpacked.
- Select the
sentinel-watcher folder.
- The extension icon appears in the toolbar.
How it works
- You must have at least one Sentinel portal tab open.
- Azure Sentinel:
portal.azure.com
- Defender XDR:
security.microsoft.com
- The extension intercepts the XHR/fetch calls the portal already makes to load incident data.
- Every 60 seconds, it pings open portal tabs to trigger a data refresh.
- If a new incident ID is detected that it has not seen before, it fires:
- A browser notification popup (title + severity)
- An audio tone (severity-coded: more urgent = higher pitched / more pulses)
The extension tracks seen incident IDs in local storage. It will not re-alert on the same incident.
Sound codes
| Severity |
Pattern |
| High |
3 rapid ascending double-beeps |
| Medium |
2 medium-pitched double-beeps |
| Low |
1 soft double-beep |
| Informational |
1 quiet single tone |
Settings (click extension icon)
- Enable/pause monitoring (master toggle)
- Toggle sound and browser notifications separately
- Adjust volume
- Filter by severity (only alert on High + Medium, for example)
- View alert log (last 100)
- Reset seen incident IDs (use this when you switch tenants)
Known limitations
- Only detects incidents while a portal tab is open. Close all tabs = no detection.
- Uses session-based interception, not a direct API call. If Microsoft changes their portal’s internal API shape, the parsing may need updating.
- Sound requires a user interaction on the tab first (browser security). If the tab has been open a while this is usually fine.
- Tested on Chrome 124+ and Edge 124+. Firefox is not supported (Manifest V3 differences).
Multi-tenant usage
You can have tabs for multiple tenants open simultaneously.
The extension monitors all open Sentinel tabs at once. The alert log shows which portal (Azure Sentinel vs Defender XDR) each incident came from.
To reset tracked IDs when switching tenants: Status tab → Reset button next to “Tracked incident IDs”.