Forum Discussion
Open Azure workbook from sentinel incident using sentinel playbooks
I would like to open one of our custom made workbook from within Sentinel Incidents and get automatically populated with entities from the incident. So far, I have been able to create a playbook that can be run from the incident on-demand and extracts entities from the incident, but I don't know how to open a workbook whose parameters get populated with these extracted entities. Keeping in mind the parameters used in the workbook are multi-value.
Any help would be appreciated.
Thank you.
- BillClarksonAntill Iron Contributor
So to update a workbook it looks possible through the Application Insights API
See documentation below
Workbooks - REST API (Azure Application Insights) | Microsoft Learn
Workbooks - Update - REST API (Azure Application Insights) | Microsoft Learn
- Christian_Bartsch Brass Contributor
I ended up creating my own incident workbook where I can paste the incident number manually into a text field parameter and it then unfolds queries based on the incident's entities. For accounts, it shows logins, previous alerts, audit logs, email activity etc. and for IP addresses logins, alerts, in-query reputation checkups from third party providers etc.
But if you want to directly navigate from the incident to that workbook, I see no way to implement that linking into the incident view or incident actions.
- Clive_Watson Bronze Contributor
You can, using the "Incident Overview" Workbook. You can make any change you like (even totally replacing it - easiest to do in the advanced editor, and paste over the JSON file), you just have to keep the NAME the same.
I regularly replace with "Investigation Insights" (which also picks up the Incident Number, as does Incident Overview for you), and allow you to drill down by clicking the returned data: Announcing the Investigation Insights Workbook - Microsoft Community Hub
Instructions you see when you EDIT "Incident Overview":
The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:
- General information
- Entity data
- Triage time (time between incident creation and first response)
- Mitigation time (time between incident creation and closing)
- Comments
- Remediation information from the Alerts or from a Watchlist - setup readme: https://github.com/Azure/Azure-Sentinel/wiki/SOC-Process-Framework
Customize this workbook by saving and editing it. You can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.
- Christian_Bartsch Brass Contributor
That's a great idea, thank you Clive!
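The two approaches above (Christian's text-field incident number parameter, and Clive's customized "Incident Overview" workbook, which receives the incident number from the incident panel) both come down to one workbook query that turns an incident number into its entities. The query below is an added example and is not code from either reply or from the Microsoft workbook template. It assumes a workbook text parameter named `IncidentNumber` (any name works as long as the `{...}` placeholder matches) and the standard `SecurityIncident` and `SecurityAlert` tables that Sentinel writes to the workspace; the entity property names (`Name`, `UPNSuffix`, `Address`, `HostName`, `Url`, `Value`) are the ones Sentinel uses in the `Entities` JSON of `SecurityAlert`.

```kql
// Added example (not from the thread). Workbook query: resolve an incident number
// to the entities of all its alerts. {IncidentNumber} is substituted by the workbook
// from a text parameter named IncidentNumber (assumed name).
let incident = SecurityIncident
    // SecurityIncident is append-only; keep only the latest row per incident
    | where IncidentNumber == toint('{IncidentNumber}')
    | summarize arg_max(TimeGenerated, *) by IncidentName
    // one row per alert that belongs to the incident
    | mv-expand AlertId = AlertIds to typeof(string)
    | project IncidentNumber, Title, Severity, AlertId;
incident
| join kind=inner (
    SecurityAlert
    // alerts are also re-written on update; take the latest copy
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project AlertId = SystemAlertId, AlertName, Entities
  ) on AlertId
// Entities is a JSON array string; expand to one row per entity object
| mv-expand Entity = todynamic(Entities)
| extend EntityType = tostring(Entity.Type)
// pick the identifying field per entity type; fall back to the raw object
| extend EntityValue = case(
    EntityType == "account", strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)),
    EntityType == "ip", tostring(Entity.Address),
    EntityType == "host", tostring(Entity.HostName),
    EntityType == "url", tostring(Entity.Url),
    EntityType == "filehash", tostring(Entity.Value),
    tostring(Entity))
| where isnotempty(EntityValue)
// one list per entity type: this set is what a multi-value workbook parameter
// (e.g. a query-backed dropdown with multi-select on) can be fed from
| summarize Entities = make_set(EntityValue) by IncidentNumber, Title, Severity, EntityType
```

To get the multi-value parameters the original question asks about, point a query-backed dropdown parameter (multi-select enabled) at a variant of this query that returns a single `EntityValue` column filtered to one `EntityType`, and let the downstream login, alert and audit queries reference that parameter; the incident number itself is the only value that has to arrive from the incident panel.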