SOLVED

Linking a workbook to an incident/analytics rule

Hi all,

 

I would like to link a custom workbook to an incident raised by an analytics rule. By default, the "incident workbook" link is shown on the incident details like this:

[Image: Vernster_0-1662814608466.png]

I would like to add another workbook to speed up investigation. As a bonus it would be great if the entities could be passed over to this workbook.


I'm not sure if this is possible, I couldn't find any information about it. Any help would be appreciated.


Thanks!

 

4 Replies

Hello,

Please see this for the method you need: https://techcommunity.microsoft.com/t5/microsoft-sentinel/where-is-incident-overview-workbook-stored...

Also see the built-in template Workbook called "Investigation Insights" as that was designed to be stand-alone or a replacement for the default one. It receives the Incident Number passed to it when you open it.

Hi Clive,

Thanks, much appreciated!

Am I correct that this is a global workbook and that it's not possible to change a workbook for a specific incident?

best response confirmed by Vernster (New Contributor)
Solution

Correct - the name stays the same, but you can change the entire content; if you do, it will be overwritten if Microsoft makes a change (and you accept the update).

You can also link a workbook from a workbook, see https://garybushey.com/2022/05/28/mimic-drilldown-in-a-microsoft-sentinel-workbook-part-ii/

Maybe you can have a control in the Workbook light up when your specific Incident is seen, and it suggests you launch the specific linked workbook, or just to open a specific Tab. Or use "make this item conditionally visible" to show extra data only when the right incident is detected.
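
The thread asks for the incident's entities to be available in the linked workbook, and the reply notes that the incident number is passed to the workbook. As an added example (not part of the thread and not taken from the "Investigation Insights" template), this KQL query resolves an incident number to its entities through the standard `SecurityIncident` and `SecurityAlert` tables. The `incidentNumber` value is constructed; in a workbook it would be replaced by whichever parameter receives the incident number.

```kql
// Constructed sample value; in a workbook, substitute the parameter
// that carries the incident number.
let incidentNumber = 1234;
SecurityIncident
| where IncidentNumber == incidentNumber
// An incident is logged again on every update; keep the latest record.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// AlertIds is a dynamic array of the alerts grouped into the incident.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    // Alerts can also be logged more than once; keep the latest record.
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
  ) on $left.AlertId == $right.SystemAlertId
// Entities is a JSON string holding an array of entity objects.
| mv-expand Entity = todynamic(Entities)
| extend EntityType = tostring(Entity.Type)
// Pick the identifying field for the common entity types and fall back
// to the raw JSON for the rest.
| extend EntityValue = case(
    EntityType == "account", tostring(Entity.Name),
    EntityType == "host", tostring(Entity.HostName),
    EntityType == "ip", tostring(Entity.Address),
    EntityType == "url", tostring(Entity.Url),
    tostring(Entity))
| summarize Alerts = make_set(AlertName) by IncidentNumber, EntityType, EntityValue
| order by EntityType asc, EntityValue asc
```

The query only returns rows when the workbook's time range covers both the incident record and its alerts.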