Open Azure workbook from Sentinel incident using Sentinel playbooks
But if you want to directly navigate from the incident to that workbook, I see no way to implement that linking into the incident view or incident actions.
You can, using the "Incident Overview" Workbook. You can make any change you like (even totally replacing it - easiest to do in the advanced editor, and paste over the JSON file), you just have to keep the NAME the same.
I regularly replace it with "Investigation Insights" (which also picks up the Incident Number, as does Incident Overview for you), and allows you to drill down by clicking the returned data: Announcing the Investigation Insights Workbook - Microsoft Community Hub
Instructions you see when you EDIT "Incident Overview":
The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:
- General information
- Entity data
- Triage time (time between incident creation and first response)
- Mitigation time (time between incident creation and closing)
- Comments
- Remediation information from the Alerts or from a Watchlist - setup readme: https://github.com/Azure/Azure-Sentinel/wiki/SOC-Process-Framework
Customize this workbook by saving and editing it. You can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.
- Christian_Bartsch (Copper Contributor), Sep 18, 2023: That's a great idea, thank you Clive!