Open Azure workbook from sentinel incident using sentinel playbooks

arshdeepk · ‎Jun 16 2023

I would like to open one of our custom made workbook from within Sentinel Incidents and get automatically populated with entities from the incident. So far, I have been able to create a playbook that can be run from the incident on-demand and extracts entities from the incident, but I don't know how to open a workbook whose parameters get populated with these extracted entities. Keeping in mind the parameters used in the workbook are multi-value.

Any help would be appreciated.

Thank you.

BillClarksonAntill · ‎Sep 15 2023

@arshdeepk

So to update a workbook it looks possible through the Application Insights API

See documentation below

Workbooks - REST API (Azure Application Insights) | Microsoft Learn

Workbooks - Update - REST API (Azure Application Insights) | Microsoft Learn

Christian_Bartsch · ‎Sep 17 2023

I ended up creating my own incident workbook where I can paste the incident number manually into a textfield parameter and it then unfolds queries based on the incident‘s entities. For accounts, it shows logins, previous alerts, audit logs, email activity etc. and for IP addresses logins, alerts, in-query reputation checkups from third party providers etc..

But if you want to directly navigate from the incident to that workbook, I see no way to implement that linking into the incident view or incident actions.

Clive_Watson · ‎Sep 18 2023

@Christian_Bartsch

You can using the "Incident Overview" Workbook. You can make any change you like (even totally replacing it - easiest to do in the advanced editor, and paste over the JSON file), you just have to keep the NAME the same.
I regularly replace with "Investigation Insights" (which also picks up the Incident Number, as does Incident Overview for you), and allow you to drill down by clicking the returned data: Announcing the Investigation Insights Workbook - Microsoft Community Hub

Instructions you see when you EDIT "Incident Overview":

The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:

General information
Entity data
Triage time (time between incident creation and first response)
Mitigation time (time between incident creation and closing)
Comments
Remediation information from the Alerts or from a Watchlist - setup readme: https://github.com/Azure/Azure-Sentinel/wiki/SOC-Process-Framework

Customize this workbook by saving and editing it. You can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.

Christian_Bartsch · ‎Sep 18 2023

Thats a great idea, thank you Clive!

Open Azure workbook from sentinel incident using sentinel playbooks

Open Azure workbook from sentinel incident using sentinel playbooks

Re: Open Azure workbook from sentinel incident using sentinel playbooks

Re: Open Azure workbook from sentinel incident using sentinel playbooks

Re: Open Azure workbook from sentinel incident using sentinel playbooks

Re: Open Azure workbook from sentinel incident using sentinel playbooks

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Open Azure workbook from sentinel incident using sentinel playbooks