In this blog post, I will discuss the efficient monitoring of Microsoft Sentinel workbooks through Dashboard Hub and the creation of customized reports using Power BI.
Microsoft Sentinel provides a variety of pre-built workbooks that are crucial for visualizing data and enhancing operational efficiency. Given the numerous workbooks available in our content hub solution, organizing them into dashboards ensures that stakeholders can easily access data relevant to their specific interests.
At this point, I presume you have determined the workbooks you intend to save and identified which stakeholders require access to specific workbooks for their daily tasks.
Let’s delve into the solution.
You can “Pin” the workbook of your interest in a dashboard. These dashboards can be private or shared.
- A private dashboard can be accessed only by you.
- A shared dashboard is an Azure resource that is saved to a resource group. Role-based access control will determine who has access to the shared dashboard.
Let’s focus on a shared dashboard in our use case.
As you can see below, you can click on “Pin” and select the shared dashboard where you wish to pin the workbook. If the shared dashboard does not exist yet, click on the “Create new” tab to create a new shared dashboard, which will be hosted in a resource group.
In my case, I already have a shared dashboard created for SecOps monitoring.
To access the shared dashboard, browse to Dashboard hub > Shared Dashboard. You can pin several workbooks in a shared dashboard. It makes sense to configure the Auto refresh interval as desired. Since role-based access control determines who can access this dashboard, define the permissions accordingly.
With this approach, you don’t need to browse to Microsoft Sentinel > Workbooks > Search for a workbook of your interest and then view the data. You can simply pin the relevant workbooks in your dashboard and view those workbooks directly from Dashboard hub.
Let’s take a look at another use case: creating a Power BI report from Microsoft Sentinel data.
A Power BI report can be created with KQL logic. You can create a Power BI report on data from Microsoft Sentinel and share those reports with people who don't have access to Microsoft Sentinel. I'm going to create a Power BI report for checking Syslog table data where I would be interested in the ProcessName column.
Prerequisites:
- At least read access to a Microsoft Sentinel workspace.
- A Power BI account that has read access to your Microsoft Sentinel workspace.
- Power BI desktop app.
The detailed steps are as follows:
- Browse to Microsoft Sentinel > Logs
- Write the KQL query as per your requirements and run it; in my case, it’s simple:
    Syslog
    | summarize count() by ProcessName
- Click on Export > Power BI (as an M query).
- Copy the content of the file.
- Open Power BI desktop and sign in with a user account that has at least read access to the Microsoft Sentinel workspace.
- In the Home section, click on “Blank report”
- Click on Get Data > Blank query.
- In the Power Query Editor, select Advanced Editor.
- Remove the pre-written contents, paste the contents of the PowerBIQuery.txt file, and click on Done.
- You might get a prompt to authenticate; click on Edit credentials and sign-in.
- Click on Close and Apply.
- Now you can create visualizations such as a table, pie chart and more from the visualization option. In my case, I’m using a table and a donut chart to visualize my data.
- Click on Publish and select a workspace where you wish to publish the report. In my case, I have a custom workspace created for SOC Monitoring where I will publish the report.
- After the report is successfully published, you can log in to https://powerbi.com/ and select the workspace to find your report. You should be able to access the report.
- To grant access to your workspace, select the workspace, click on the ellipsis symbol > Workspace access, and grant access to people or groups.
It’s recommended to schedule auto refresh of the report as well.
- Browse to the workspace, select the report and click on ellipsis > Settings
- Configure refresh schedule
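A report-oriented variant of the Syslog query used in the steps above, shown as an added example that is not part of the original walkthrough. It assumes a 7-day reporting window and uses the standard Syslog columns TimeGenerated and Computer; the explicit time filter and named output columns keep each scheduled refresh bounded and give the Power BI visuals stable field names.

```kql
// Added example: assumed 7-day reporting window, adjust as needed.
let lookback = 7d;
Syslog
| where TimeGenerated > ago(lookback)        // bound the data pulled on every refresh
| where isnotempty(ProcessName)              // drop records with no process name
| summarize
    Events    = count(),                     // named column instead of the default count_
    Hosts     = dcount(Computer),            // how many hosts logged this process
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by ProcessName
| order by Events desc
```

Sorting the resulting table by Hosts or Events in ascending order surfaces processes that appear on only a few machines, which is often the more interesting end of the list for SecOps review.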
I hope this blog helps you monitor your data effectively using Dashboard Hub & Power BI.
Reference Articles
Create new tile for your workbooks: https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data?tabs=azure-portal#create-new-tiles-for-your-workbooks
Create and share dashboards: Create and share dashboards of Azure Log Analytics data - Azure Monitor | Microsoft Learn
Create a Power BI report from Microsoft Sentinel data: Create a Power BI report from Microsoft Sentinel data | Microsoft Learn