Forum Discussion

danny_grasso
Brass Contributor
Dec 12, 2024

Investigation Insights Workbook IP address Search

Is there a way to roll back to a previous version of the Investigation Insights workbook? The new workbook from the content hub no longer allows you to enter an IP address without selecting entities and then IP addresses from the entity list.

This was really useful when wanting to just search on an IP address that was suspect and related IOCs, Account sign in etc.

Please provide suggestions for either rolling back the Investigation Insights workbook or other ways to achieve the same.

  • danny_grasso
    Brass Contributor

    I figured out that this doesn't appear to be working (for me at least) when opening the workbook from the Sentinel integration to Microsoft 365 Defender/Defender XDR portal (security.microsoft.com). When I attempt to enter the data from this portal then the entry is ignored. I can enter the IP address and then click apply but the value remains as the unset.

    If I use the standalone Sentinel portal then this appears to be working fine for me when I just want to use the Investigate IP Address or Investigate Account options, and manually enter a value not associated to an incident or alert entity.

    • Clive_Watson
      Bronze Contributor

      That portal integration never existed when we created the workbook, so it wasn't tested; however, it should "just work", but let me take a look if I get some time.

  • GaryBushey
    Bronze Contributor

    For future reference, if you go into the workbook, select "Edit" and then select "Settings", there is a "Versions" tab where you can see the different versions that have been saved.  I don't know how many versions it will hold and, sadly, there are no comments about what has changed, but you can view and restore old versions there.

  • danny_grasso
    Brass Contributor

    Update: Found an older test Sentinel environment that has a previous version of the workbook where this was possible. Imported into my prod Sentinel and using that for the time being.

    • Clive_Watson
      Bronze Contributor

      Do you mean this dialog box? This should let you overtype with another IP even if it's not an Entity. We've not changed that section for a long time and the last update was 18 months ago.

       
