Activate and customize Microsoft Sentinel workbook templates

When we are talking about templates, it's important to see the following information, you will see this inside your Sentinel workspace.

Once you Click on Continue, it will start the migration and show the following screen.

You will see Updates for the content, after the migration and your done.

See the more information on Learn

Out-of-the-box (OOTB) content centralization changes - Microsoft Sentinel

This article describes upcoming centralization changes for out-of-the-box content in Microsoft Sentinel.

So, now when that is out of the way, let's start with Workbooks

What is needed?

You must have Workbook reader or Workbook contributor rights on the Microsoft Sentinel workspace's resource group.

The workbooks that you view in Microsoft Sentinel are saved in the resource group of the Microsoft Sentinel workspace and are marked by the workspace in which they were generated.

The majority of the data connections used by Microsoft Sentinel to ingest data come with their own workbooks. Tables and visualizations, such as bar and pie charts, can provide insights into the data being consumed. Instead of utilizing the established templates, you may create your own workbooks from start.

Workbook main page

On the Templates page, you may access existing workbook templates. Some of the workbooks can be saved for later use to your chosen location.

And they are then accessible under the My workbooks tab.

Inside the workbook you will find queries that are visually presented and can be modified.

If you want to see the query and edit it, you can do it from here

And you will the query and can save these queries.

Create custom workbooks

Aside from utilizing pre-made templates, you have the option to craft custom workbooks from the ground up, enabling the creation of interactive reports containing text, analytical queries, metrics, and parameters.

When you create Custom workbooks, you can follow the following guidelines

  1. Define Objectives: Clearly outline your report's goals.
  2. Structure Workbook: Plan the layout and sections.
  3. Data Preparation: Clean and organize your data.
  4. Design and Format: Make it visually appealing.
  5. Text and Descriptions: Add explanations.
  6. Analytic Queries: Use formulas and pivot tables for analysis.
  7. Interactivity: Add filters, checkboxes, and slicers.
  8. Parameters: Allow user customization.
  9. Charts and Graphs: Visualize data.
  10. Testing and Feedback: Ensure functionality.
  11. Documentation: Provide user instructions.
  12. Security and Sharing: Set access permissions.
  13. Regular Updates: Plan for maintenance.

And you can create a new Workbook from here.

It will open a page and you can select Edit

Once editing, you can add different parts and reorder the visuals

If you edit the Text field, it's in Markdown format. If you are not familiar with Markdown, you should read this article from GitHub https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax

Or if you prefer JSON, you can open the Advanced editor

You can also edit the queries or create your own.

NameDescription
Run QueryUse this option to test the result of the query.
SamplesMicrosoft provides sample code that contains sample queries that you can add to the workbook.
Data SourceUse this option to specify the data source for the query.
Resource typeUse this option select the type of resource.
Log Analytics workspaceUse this option if you want to query data against more than one resource.
Time RangeUse this option to specify a time range parameter to use in the query.
VisualizationUse this option to choose a specific visualization or choose Set by query to present the data in a different format.
SizeUse this option to choose the size of the visualization element.

If you need inspirations on the Workbooks, you can get it from this Learn article

Commonly used Microsoft Sentinel workbooks

Learn about the most commonly used workbooks to use popular, out-of-the-box Microsoft Sentinel resources.

Configure advanced visualizations

As we learned in the previous chapter, you can use Workbook to provide advanced visualization on your queries.

Here are step-by-step guidelines for creating a new workbook from scratch:

  1. Begin by navigating to the "Workbooks" section and select "Add workbook."
  2. Click the "Edit" button within the workbook toolbar to tailor the workbook to your specific requirements.
  3. Incorporate text, queries, and parameters as needed to enhance the workbook's functionality.
  4. When constructing a query, ensure that the data source is set to "Logs," the resource type is configured as "Log Analytics," and then specify the relevant workspace(s).
  5. Finally, choose "Save" to preserve your modifications.

Alternatively, if you wish to employ a workbook template:

  1. Visit the "Workbooks" section and select "Templates" to access a list of installed workbook templates.
  2. To identify templates pertinent to the data types you've connected, check the "Required data types" field within each workbook; it displays the relevant data type alongside a green checkmark if you're already streaming relevant data to Microsoft Sentinel.
  3. Opt for "View template" to visualize the template populated with your data.
  4. To modify the workbook, select "Save" and then indicate where you want to save the JSON file for the template.
  5. Choose "View saved workbook."
  6. Click the "Edit" button in the workbook toolbar to tailor the workbook to your specific requirements.
  7. Upon completion, select "Save" to retain your changes.

Keep in mind that you must possess at least "Workbook reader" or "Workbook contributor" permissions within the resource group of the Microsoft Sentinel workspace. Workbooks you encounter in Microsoft Sentinel are stored within the resource group of the respective workspace and are tagged by the workspace in which they were created. For more in-depth guidance on customizing workbooks, consult the "Create interactive reports with Azure Monitor Workbooks" resource.

Please note that the specifics of using workbooks in Microsoft Sentinel may evolve, so it's advisable to refer to the latest Microsoft Sentinel documentation for up-to-date instructions and details.

Here is an excellent blog on the data visualization from Matt Zorich (https://twitter.com/reprise_99)

A picture is worth a thousand words – visualizing your data.

I am a very visual person. When looking at data I love to look at the trend of that data and see if it tells a story. If you are using Sentinel, Log Analytics or Azure Data Explorer this can be par…

Track incident metrics using the security operations efficiency workbook

A pre-built worksheet in Microsoft Sentinel that offers visualizations and analytics for incident management is called the security operations efficiency workbook. By giving current information on incident metrics, the workbook is designed to assist security teams in monitoring the effectiveness of their security operations center (SOC).

It's part of a template called SOC Handbook and it contains in total 13 different workbooks that are displayed below.

With this collection you should be able to visualize your SOC operations inside Sentinel Workspace

Soc Operations Efficiency needs the following Data sources.

  • SecurityAlert
  • SecurityIncident

And it contains the following metrics.

  • Incident created over time
  • Incidents created by closing classification, severity, owner, and status
  • Mean time to triage
  • Mean time to closure
  • Incidents created by severity, owner, status, product, and tactics over time
  • Time to triage percentiles
  • Time to closure percentiles
  • Mean time to triage per owner
  • Recent activities
  • Recent closing classifications

Here is an excellent blog on this topic, explaining the different metrics and how you can use them for SOC manager reporting purposes.

Closure

If you want to read more on Sentinel Workbooks, here is a perfect place for you, just click the picture below.

And what we learned in this section?

When dealing with templates, the OOTB Content Centralization is important topic. Not for the test but in real-life https://learn.microsoft.com/en-us/azure/sentinel/sentinel-content-centralize

Roles needed for Workbooks: You must have Workbook reader or Workbook contributor rights on the Microsoft Sentinel workspace’s resource group.

You can edit the text inside the Workbooks in Markdown or JSON format.

For Custom workbooks the steps to success:

  1. Define Objectives: Clearly outline your report’s goals.
  2. Structure Workbook: Plan the layout and sections.
  3. Data Preparation: Clean and organize your data.
  4. Design and Format: Make it visually appealing.
  5. Text and Descriptions: Add explanations.
  6. Analytic Queries: Use formulas and pivot tables for analysis.
  7. Interactivity: Add filters, checkboxes, and slicers.
  8. Parameters: Allow user customization.
  9. Charts and Graphs: Visualize data.
  10. Testing and Feedback: Ensure functionality.
  11. Documentation: Provide user instructions.
  12. Security and Sharing: Set access permissions.
  13. Regular Updates: Plan for maintenance.

Security operations efficiency workbook in part of collection called SOC Handbook that has 13 different Workbooks and it contains the following metrics.

  • Incident created over time
  • Incidents created by closing classification, severity, owner, and status
  • Mean time to triage
  • Mean time to closure
  • Incidents created by severity, owner, status, product, and tactics over time
  • Time to triage percentiles
  • Time to closure percentiles
  • Mean time to triage per owner
  • Recent activities
  • Recent closing classifications

Link to main post

Exam cram series for SC-200 exam

Well, finally it’s time for a new part to my study series for Microsoft Security certifications. I have published guides for SC-100 and SC-300 and now it’s times for the “little” ‘sis between. Hopefully you will find this helpful, giving back to the community, once again! Candidates for the SC-200 exam should have a foundational
This image has an empty alt attribute; its file name is image-123.png

Archives