Forum Discussion
Solved
Linking a workbook to an incident/analytics rule
Hi all, I would like to link a custom workbook to an incident raised by an analytics rule. By default the "incident workbook" link is shown on the incident details like this: I would li...
- Correct - the name stays the same, but you can change the entire content, but if you do it will be overwritten if Microsoft make a change (and you accept the update).
You can also link a workbook from a workbook, see https://garybushey.com/2022/05/28/mimic-drilldown-in-a-microsoft-sentinel-workbook-part-ii/
Maybe you can have a control in the Workbook light up when your specific Incident is seen, and it suggests you launch the specific linked workbook, or just to open a specific Tab. Or use "make this item conditionally visible" to show extra data only when the right incident is detected.
Hello,
Please see this for the method you need: https://techcommunity.microsoft.com/t5/microsoft-sentinel/where-is-incident-overview-workbook-stored/m-p/3375494
Also see the built-in template Workbook called "Investigation Insights" as that was designed to be stand-alone or a replacement for the default one. It receives the Incident Number passed to it when you open it.
Please see this for the method you need: https://techcommunity.microsoft.com/t5/microsoft-sentinel/where-is-incident-overview-workbook-stored/m-p/3375494
Also see the built-in template Workbook called "Investigation Insights" as that was designed to be stand-alone or a replacement for the default one. It receives the Incident Number passed to it when you open it.
- Hi Clive,
Thanks, much appreciated!
Am I correct that this is a global workbook and that it's not possible to change a workbook for a specific incident?- Correct - the name stays the same, but you can change the entire content, but if you do it will be overwritten if Microsoft make a change (and you accept the update).
You can also link a workbook from a workbook, see https://garybushey.com/2022/05/28/mimic-drilldown-in-a-microsoft-sentinel-workbook-part-ii/
Maybe you can have a control in the Workbook light up when your specific Incident is seen, and it suggests you launch the specific linked workbook, or just to open a specific Tab. Or use "make this item conditionally visible" to show extra data only when the right incident is detected.- Thanks!
