Workbook link to run query

Occasional Contributor

Is it possible to run a query on a specific field from a workbook?  For example, a workbook query shows SrcIP, DstIP, DstPort and there is a specific DstPort that I want to run a query on.  In Splunk you have the ability to right click on a field and do a new search on that field specifically.  Is this possible in Sentinel?

 

Thanks, Joe

6 Replies
I think it depends on how you create a workbook.
for example, If you use "Azure AD Audit logs" workbook. when you click on the specific user activity other components of the workbook will pivot to the selection.

I would use KQL to filter any data if I need it..

@msraj 

 

Please see Application-Insights-Workbooks/Interactivity.md at master · microsoft/Application-Insights-Workbooks... which explains how to click on a row/column to "export parameter" to another query/grid.

@j0ebeer If you are asking can you do this from a URL, the answer is yes.  If you take a look at the URL that gets generated when you go to the Incident Overview workbook from the Incident's detail pane, you will see there is entry called NotebookParams where you will need to send in the Parameter you want and the value (there is also a bunch of hex code that will need to be translated to ensure you are sending it in correctly).

 

The section I am talking about looks like

/NotebookParams/%7B%22IncidentNumber%22%3A%22616%22%7D

 

Thanks for the replies but not sure they answer what I'm looking for. In the Workbook is the grid showing various fields of a log. Src/Dst/Port/etc. I'm looking to see if possible to click on a selected field and the have a new query run in the Logs section of Sentinel? For example I have 3 logs showing the same src & dst but with 3 different ports (22, 80, 443), what I want to do is click on the 22 and open a new search in the Logs view that starts a search for port = 22. That way I can see what other logs may have used port 22 beyond what the workbook query is showing.
In that case, what Clive wrote will work. If you know it will only be those 3 ports for example, you can add them to a parameter list and then when a user selects one of those, the query will be run with the selected value. Again, the URL that Clive listed will be the best place to start.

What you cant do, is select a value within a column (so is Port column has 22,80,443, you should add a filter parameter above the grid, where you build the port list dynamically, you can then select that the port from the parameter and show the matching rows. My Public IP workbook does this for ports, using the option group control: https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/PublicIP/PublicIP%20v0.2.3release...

In the Network tab, the grid (below left) will adjust depending in the port you select from the [option group]