Within the world of security operations, dashboards and visual representations of data, trends, and anomalies are essential for day-to-day work. In Azure Sentinel, Workbooks offer a large pool of possibilities, ranging from simple data presentation to complex graphing and investigative maps for resources. Out of the box, Sentinel already comes with dozens of Workbooks. It also allows custom Workbooks to be created based on the user’s vision and use case. The purpose of this blog is to provide examples and describe some of the more advanced uses for Workbooks in Sentinel. We have also created a sample Workbook that can be accessed here and used to follow along.
If you would like to watch a presentation on the uses of Workbooks, you can check out our Security Community webinar on this topic here.
Pre-requisites:
Before we can dive into the advanced topics, it is important to recap the basics.
Advanced
Text
Text within a workbook is a simple section where text can be added to describe data, leave comments, instructions, and more. The purpose of this is to allow for user input to be listed on the workbook. Text can be used to help maximize the effectiveness of visuals by noting important areas to check, procedures to follow, or items to keep an eye out for. An example would be adding a note in text near a time chart to watch for over 100 failed login attempts.
To deploy text:
Parameters
Parameters allow for the selection of values that apply to the whole Workbook. They can be used for time ranges, subscriptions, workspaces, filtering, and more. Parameters are presented as drop-down lists that can be placed at the top of the Workbook or just above graphs. Each selection can affect which data is presented or how it is queried.
To deploy parameters:
*Note: If a parameter has a '!' next to it, its value has not been set yet and must be set before the Workbook can use it.
Grids
Grids are where logs and other data items are listed as rows. This is where queried data is listed, and it is this data that can be transformed into graphs, time charts, hives, and more. Each grid is backed by a Kusto query that runs when the Workbook is accessed. The queries can vary in time range, data tables, and so on.
To deploy grids:
Graphs and Charts
Graphs are a type of visual representation for data in Workbooks. These can vary between pie graphs to bar graphs. This is how data is visualized to show trends, comparisons, and more. These visuals can assist with finding potential malicious events, unhealthy trends, or outliers in performance.
To deploy graphs:
*Example query*
SecurityAlert
| where TimeGenerated >= ago(30d)
| summarize count() by ProviderName
| render barchart
Time Charts
Time charts are similar to line graphs but convey more information and focus on how data changes over a time frame. This ties into tracking anomalies, unhealthy trends, and more, and also into time brushing, covered in the advanced section. As with regular graphs, the query option must be chosen. This time around, the query will need a ‘bin’ operator. The bin operator takes a column and a time scale value and creates a series by grouping the data into buckets of that size.
An example would be ‘summarize count() by ProviderName, bin(TimeGenerated, 1d)’. This counts the query results per ProviderName and generates a time series showing the number of results per day.
SecurityAlert
| where TimeGenerated >= ago(30d)
| summarize count() by ProviderName, bin(TimeGenerated, 1d)
| render timechart
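As an added example (not from the original post), the following time chart query puts the Text section’s note about watching for more than 100 failed login attempts into practice. It assumes the Azure AD SigninLogs table is connected to the workspace; the threshold of 100 per hour is taken from that note.

```kusto
// Added example, not part of the original post.
// Assumes the Azure AD SigninLogs table is present in the workspace.
SigninLogs
| where TimeGenerated >= ago(30d)
// ResultType "0" is a successful sign-in; any other value is an error code
| where ResultType != "0"
// one series per account, bucketed per hour by the bin operator
| summarize FailedSignIns = count() by UserPrincipalName, bin(TimeGenerated, 1h)
// keep only the hours in which an account crossed the threshold from the note
| where FailedSignIns > 100
| render timechart
```

Dropping the last ‘where’ plots every account’s hourly failures instead, which is the better choice when the chart is the source for time brushing.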
Tabs
Tabs are headers within the Workbook that can be selected in order to change what is being presented on the page. This is very useful when making a Workbook that might cover several topics or if there is a large amount of information to present.
To deploy a tab:
Groups
Groups allow users to set tiles, graphs, and other data into collections based on topic, format, and more. The best use for groups is distinguishing data types or topics from each other and separating them. This can be maximized by using tabs to separate each group into different tabs.
To deploy a group:
Time Brushing
Time brushing is the ability to click and drag on a time chart to set a time window that should be investigated. By using time brushing, tiles and logs that follow the time chart can inherit the time range chosen to narrow down associated information.
To set up time brushing:
Hives
Hives utilize a new visual feature that is in preview within Workbooks. Hives allow you to use a graphical interface that can be moved or modified while presenting data in a compact, hive layout. Beyond hives themselves, this new graphing feature provides more interactive graphing and mapping functionality.
To deploy hives:
Dynamic Content
Dynamic content allows you to export a selected variable to other parts of the Workbook. An example of this is selecting one machine from a list of machines and the other logs and charts throughout the Workbook now pertain to data for only that one machine. This is useful for narrowing down potentially compromised machines or machines of interest for anomalies.
To configure dynamic content:
*Set up the variable to take on a value*
SecurityAlert
| extend Resource = ResourceId
| summarize count() by Resource
| sort by count_ desc
*Set up a variable to inherit the exported value of the selected object*
let Resource_ = dynamic({Resource});
SecurityAlert
| where ResourceId contains tostring(Resource_)
| project TimeGenerated, Resource_, AlertName, AlertSeverity, ProductName
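As an added example (not from the original post), the two query steps below combine the Dynamic Content pattern above with time brushing. They assume a workbook time range parameter named TimeRange and a grid export parameter named Resource; both are workbook parameter substitutions expanded before the query is sent to Log Analytics. Unlike the snippet above, the exported value is read as a string so the grid still returns rows before any resource has been selected.

```kusto
// Added example, not part of the original post.
// Assumes workbook parameters named TimeRange (time range picker) and
// Resource (exported from the grid step in the Dynamic Content section).

// Step 1 (time chart step): enable time brushing on this step and export
// the brushed window back into the TimeRange parameter.
SecurityAlert
| where TimeGenerated {TimeRange}
// {TimeRange:grain} picks a bin size that suits the selected window
| summarize Alerts = count() by AlertSeverity, bin(TimeGenerated, {TimeRange:grain})
| render timechart

// Step 2 (separate grid step): inherits both the brushed time window and the
// resource selected in the grid.
let Resource_ = "{Resource}";
SecurityAlert
| where TimeGenerated {TimeRange}
// before a row is selected the export is empty, so show all resources
| where isempty(Resource_) or ResourceId contains Resource_
| project TimeGenerated, ResourceId, AlertName, AlertSeverity, ProductName
| sort by TimeGenerated desc
```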
Personalization:
Personalization allows users to modify the results and look of grids and charts to suit their use cases, as well as improve the Workbook experience. An example of Workbook personalization would be adding color coding for alert severity in grids or charts (e.g. red for high severity, green for low severity), or changing a URL from plain text to a clickable link.
To personalize a Workbook:
Power BI
An alternative to using Azure Sentinel Workbooks is to use Power BI. This is a Microsoft service that allows you to export queries and results from Log Analytics to Power BI for reporting purposes. You may already be using Power BI for reporting in other parts of your business, as it supports reporting from a wide number of sources.
To use Power BI, it must be done from the Log Analytics workspace:
What’s next?
We have prepared a sample Workbook that displays each item that was covered in this blog. The purpose of this Workbook is to assist users in seeing examples of each item, how they are configured, and how they operate. The goal is for users to use this Workbook to learn and practice advanced topics with Workbooks that will contribute to new custom Workbooks.
To deploy the template: