Jun 16 2023 11:16 AM
I would like to open one of our custom-made workbooks from within Sentinel Incidents and have it automatically populated with entities from the incident. So far, I have been able to create a playbook that can be run from the incident on demand and extracts entities from the incident, but I don't know how to open a workbook whose parameters get populated with these extracted entities. Keep in mind that the parameters used in the workbook are multi-value.
Any help would be appreciated.
Thank you.
Sep 15 2023 08:03 PM
So updating a workbook looks possible through the Application Insights API.
See the documentation below:
Workbooks - REST API (Azure Application Insights) | Microsoft Learn
Workbooks - Update - REST API (Azure Application Insights) | Microsoft Learn
Sep 17 2023 03:24 PM
Sep 18 2023 02:21 AM
You can use the "Incident Overview" Workbook. You can make any change you like (even totally replacing it - easiest to do in the advanced editor, and paste over the JSON file), you just have to keep the NAME the same.
I regularly replace it with "Investigation Insights" (which also picks up the Incident Number, as does Incident Overview for you), and it allows you to drill down by clicking the returned data: Announcing the Investigation Insights Workbook - Microsoft Community Hub
Instructions you see when you EDIT "Incident Overview":
The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:
Customize this workbook by saving and editing it. You can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.
Sep 18 2023 03:48 AM