Forum Discussion
Vernster (Copper Contributor)
Sep 10, 2022
Linking a workbook to an incident/analytics rule
Hi all,
I would like to link a custom workbook to an incident raised by an analytics rule. By default the "incident workbook" link is shown on the incident details like this:
I would like to add another workbook to speed up investigation. As a bonus it would be great if the entities could be passed over to this workbook.
I'm not sure if this is possible, I couldn't find any information about it. Any help would be appreciated.
Thanks!
4 Replies
- Clive_Watson (Bronze Contributor)
  Hello,
  Please see this for the method you need: https://techcommunity.microsoft.com/t5/microsoft-sentinel/where-is-incident-overview-workbook-stored/m-p/3375494
  Also see the built-in template Workbook called "Investigation Insights" as that was designed to be stand-alone or a replacement for the default one. It receives the Incident Number passed to it when you open it.
  - Vernster (Copper Contributor)
    Hi Clive,
    Thanks, much appreciated!
    Am I correct that this is a global workbook and that it's not possible to change a workbook for a specific incident?
    - Clive_Watson (Bronze Contributor)
      Correct - the name stays the same, but you can change the entire content, but if you do it will be overwritten if Microsoft make a change (and you accept the update).
      You can also link a workbook from a workbook, see https://garybushey.com/2022/05/28/mimic-drilldown-in-a-microsoft-sentinel-workbook-part-ii/
      Maybe you can have a control in the Workbook light up when your specific Incident is seen, and it suggests you launch the specific linked workbook, or just to open a specific Tab. Or use "make this item conditionally visible" to show extra data only when the right incident is detected.