Workbook with multiple visualizations using lowest number of queries
Coming from Splunk world and didn't found answer to this in the workbook documentation. Is it possible to chains searches, like in Splunk, explained here: https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/dsChain Trying to explain in KQL terms: suppose there are3 very similar queries, like same base search | condition 1 same base search | condition 2 same base search | condition 3 feeding 3 vizualizations. Goal is to execute the "same base search" part only once in the workbook. Defining a new function for "same base search" still means 3 executions, I guess. Your response is appreciated. Thank you.
Cross-workspace incident management
Hello Techcommunity, We are looking for a solution to manage incidents in several Sentinel workspaceswithin the same tenant. 1. We reviewed Azure Lighthouse and it seems to be working only for cross-tenant management 2. We saw the option to mark the workspaces we want to monitor and click on "View incidents" 3. We also considered building the dashboard in a Workbook Could you please say if there is any other option to have a unified dashboard for managing incidents fromseveral Sentinels within the same tenant?
Sentinel Log Sources or asset list Information
In Sentinel as like any other SIEM, how do we get the complete list of log sources which are integrated along with some required fields like Device Vendor, Device Product, Host name/Computer, IP address. Is there any workbook or KQL which provides this information.
Need guidance in designing a workbook and function app with api keys
My requirement is to have a workbook that calls our product's apis and visualizes the data. The data to be visualized is divided into many widgets about 6-8 in total. Hence, I am thinking of creating a http trigger function app when the workbook is loaded. This function app will be provided the context of our product's url, api key, api secret, org_id as environment variables. These params will be provided by customer who deploys the solution. Then, the function app uses the api key, api secret to make a GET call to the product URL. Note this is an outbound connection to a URL. The api call is to fetch objects from an endpoint, il store this response in a _CL table. But I dont want this table to grow in size with each call to the custom endpoint defined by function app. Instead, I want the row to be updated with new response when workbook is loaded again. I don't know if a custom table is ideal for this or maybe there is a different solution? Do please let me know your opinion.
User location in Security Alerts/Incidents logs
Dear Community, I´ve been struggling to find a way to pull out location information for user in security incidents logs. The idea is to have this details on alerts and incidents to generate dashboards (workbooks) and reports. Would you be able to enlight me with ideas/insights? Thanks in advance for your help.
MultipleSecurityUpdatesMissing, but only one update behind
Hi all, My Windows Updates for Business reports workbook highlights all Windows 11 22H2 devices on version 10.0.22621.2428 as 'MultipleSecurityUpdatesMissing,' despite being just one update behind for the November release. Any insights or ideas on why this might be happening?Run LogicApp from workbook
Hello, Is there a way to run logic app manually from workbook using url or ARM action with passing parameters to that logic app. Update : I tried using ARM Action and configure ARM action path as following /subscriptions/<>/resourceGroups/<>/providers/Microsoft.Logic/workflows/<>/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=****** But got POST Failed Error !
