Jul 21 2021 01:13 PM
Is it possible to run a query on a specific field from a workbook? For example, a workbook query shows SrcIP, DstIP, DstPort and there is a specific DstPort that I want to run a query on. In Splunk you have the ability to right click on a field and do a new search on that field specifically. Is this possible in Sentinel?
Thanks, Joe
Jul 22 2021 12:24 AM
Jul 22 2021 01:45 AM
Please see Application-Insights-Workbooks/Interactivity.md at master · microsoft/Application-Insights-Workbooks... which explains how to click on a row/column to "export parameter" to another query/grid.
Jul 22 2021 05:04 AM
@j0ebeer If you are asking can you do this from a URL, the answer is yes. If you take a look at the URL that gets generated when you go to the Incident Overview workbook from the Incident's detail pane, you will see there is an entry called NotebookParams where you will need to send in the Parameter you want and the value (there is also a bunch of hex code that will need to be translated to ensure you are sending it in correctly).
The section I am talking about looks like
/NotebookParams/%7B%22IncidentNumber%22%3A%22616%22%7D
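The "hex code" in that segment is percent-encoded JSON. The following is an added example, not part of the original post, that decodes the segment shown above and builds one for another parameter; the parameter name `DstPort` is hypothetical and only has an effect if the target workbook defines a parameter with that name, and sending every value as a string is an assumption based on the one sample in the post.

```python
import json
from urllib.parse import quote, unquote

SEGMENT = "/NotebookParams/"  # segment name as it appears in the post above


def encode_notebook_params(params: dict) -> str:
    """Return '/NotebookParams/<percent-encoded JSON>' for the given parameters."""
    # Assumption: values travel as strings, as in {"IncidentNumber":"616"}.
    as_strings = {str(k): str(v) for k, v in params.items()}
    # Compact separators reproduce the sample exactly (no spaces to encode).
    compact = json.dumps(as_strings, separators=(",", ":"))
    # safe="" forces '/', ':' and '"' to be encoded so the JSON cannot be
    # mistaken for additional path segments.
    return SEGMENT + quote(compact, safe="")


def decode_notebook_params(url: str) -> dict:
    """Extract and decode the NotebookParams segment from a URL or path."""
    start = url.find(SEGMENT)
    if start == -1:
        raise ValueError("no NotebookParams segment in URL")
    # The encoded JSON ends at the next path separator, if there is one.
    encoded = url[start + len(SEGMENT):].split("/", 1)[0]
    params = json.loads(unquote(encoded))
    if not isinstance(params, dict):
        raise ValueError("NotebookParams must decode to a JSON object")
    return params


if __name__ == "__main__":
    # Segment copied from the post above.
    sample = "/NotebookParams/%7B%22IncidentNumber%22%3A%22616%22%7D"
    print(decode_notebook_params(sample))
    # Constructed value: a hypothetical DstPort workbook parameter.
    print(encode_notebook_params({"DstPort": 443}))
```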
Jul 27 2021 09:51 AM
Jul 27 2021 10:12 AM
Jul 28 2021 12:55 AM - edited Jul 28 2021 01:01 AM
What you can't do is select a value within a column, so if the Port column has 22, 80, 443, you should add a filter parameter above the grid, where you build the port list dynamically; you can then select the port from the parameter and show the matching rows. My Public IP workbook does this for ports, using the option group control: https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/PublicIP/PublicIP%20v0.2.3release...
In the Network tab, the grid (below left) will adjust depending on the port you select from the [option group]