Chapter 8. Data visualization

A great way to make sense of large volumes of data is to create graphic visualizations that make it easier for users or consumers of the data to understand what the data is telling them. Graphics can

  • Make spotting trends easier

  • Identify or clarify relationships between data elements

  • Speed the decision-making cycle

Some of the most common data visualizations include time-series analysis (line charts), ranking (bar charts), ratio analysis (pie charts), frequency distribution, geospatial (maps), correlation (scatterplots), and cluster analysis.

Azure Sentinel Workbooks

Azure Sentinel Workbooks provide interactive reports that can be used to visualize your security and compliance data. Workbooks combine text, queries, and parameters to make it easy for developers to create mature visualizations, and they provide advanced filtering, drill-down capabilities, advanced dashboard navigations, and more. Also, Workbooks allow users of the dashboards to edit and customize the visualizations to meet their needs using simple drop-down menus. To get started with Azure Sentinel Workbooks, follow the steps below:

  1. Open the Azure Portal and sign in as a user who has either contributor or reader permissions on the resource group to which the Azure Sentinel workspace belongs.

  2. In the search pane, type Azure Sentinel and click the Azure Sentinel icon when it appears.

  3. Select the workspace on which Azure Sentinel has been enabled.

  4. In the left navigation pane, click Workbooks > Templates. The Azure Sentinel – Workbooks Templates page appears, as shown in Figure 8-1.

This is a screenshot of the Azure Sentinel Workbooks Templates page with the Azure Activity template selected.
FIGURE 8-1 Azure Sentinel Workbooks Templates page

At the time of publication, Azure Sentinel included the following templates:

  • Azure Activity

  • Azure AD Audit Logs

  • Azure AD Sign-in Logs

  • Azure Firewall

  • Check Point Software Technologies

  • Cisco

  • DNS

  • Exchange Online

  • FortiGate

  • Identity & Access

  • Linux Machines

  • Microsoft Cloud App Security – Discovery Logs

  • Microsoft Web Application Firewall (WAF) – Firewall Events

  • Microsoft Web Application Firewall (WAF) – Gateway Access Events

  • Microsoft Web Application Firewall (WAF) – overview

  • Office 365

  • Palo Alto Network Threat

  • Palo Alto overview

  • SharePoint & OneDrive

  • Threat Intelligence

  • VM insights

Using built-in Workbooks

To leverage a specific Workbook template, you must have at least Workbook reader or Workbook contributor permissions on the resource group of the Azure Sentinel workspace. The Workbooks that you can see in Azure Sentinel are saved within the Azure Sentinel’s workspace resource group and are tagged by the workspace in which they were created. To leverage one of the built-in Workbooks, follow these steps:

  1. Starting from the Azure Sentinel main portal, go to Workbooks and select Templates. You can select each template to determine the required data types that must be connected to use it.

  2. Select the Azure Activity template. As shown in Figure 8-2, the Azure Activity Workbook requires the Azure Activity data type. The green circle with the white checkmark indicates that the data source for Azure Activity logs is connected to Azure Sentinel.

    This is a screenshot showing the preview blade for the Azure Activity Workbook within Azure Sentinel. It contains a description of the Workbook, shows the required data types, includes an indicator if the required data types are sending data to Azure Sentinel, and it includes View Workbook and Save buttons.
    FIGURE 8-2 Preview blade for the Azure Activity Workbook within Azure Sentinel
  3. Click the View Workbook button to see the template populated with your data. An example of the Azure Activity Workbook is shown in Figure 8-3. The Workbook includes visualizations for the top active resource groups, activities over time, caller activities, and a time series view of activities by alert level.

    This is a screenshot showing the Azure Activity Workbook populated with data from the connected workspace. It shows the top 10 active resource groups, activities over time, and caller activities using a variety of visualizations.
    FIGURE 8-3 The Azure Activity Workbook within Azure Sentinel populated with data from the connected workspace
  4. At the top of the Azure Activity Workbook are three drop-down menus that allow you to customize the view across three parameters: TimeRange, Caller, and ResourceGroup. You can select any of these to display the drop-down menu and then pick the appropriate option. In Figure 8-4 below, the TimeRange parameter is selected and the available options are displayed. Select one of the displayed options to change the time period of the Azure Activity data being displayed in the Workbook.

  5. You can also edit the built-in Workbooks. To edit the Workbook, return to the previous screen showing the preview blade for the Azure Activity Workbook template (see Figure 8-2 shown earlier). Select Save, select the location where you want to save the template, and click OK. The drop-down menu will include a list of Azure regions in which you can save the template, as shown in Figure 8-5. The Azure Activity Workbook will now appear under the My Workbooks blade.

    Note

    When you save a Workbook template, an Azure resource is created based on the relevant template, and the template’s JSON file is saved, not the data itself.

    This is a screenshot showing the Azure Activity Workbook with the TimeRange parameter selected and displaying the available options for customizing the view. The options allow you to choose ranges between Last 5 Minutes up to the Last 90 Days of activity. Last 7 Days is selected.
    FIGURE 8-4 The Azure Activity Workbook with the TimeRange parameter selected and displaying the available options for customizing the view
    This is a screenshot showing the drop-down menu to save an Azure Sentinel Workbook template. The drop-down menu lists the Azure regions available to save the Workbook.
    FIGURE 8-5 Azure Sentinel drop-down menu for saving the Azure Activity Workbook template
  6. Now that the Azure Activity Workbook is saved, you will see a new taskbar included at the top, as shown in Figure 8-6. You now have action menus that allow you to edit, open, save, refresh, and share the Workbook. The last icon allows you to provide feedback about this feature to Microsoft.

    This is a screenshot showing the action menu for Azure Sentinel Workbooks. From here, you can edit, open, save, refresh, and share the Workbook.
    FIGURE 8-6 Azure Sentinel Workbook action menu
  7. Select Edit. Once selected, a new Edit button will appear to the far right of each visualization widget. Select the Edit button at the very top of the Azure Activity Workbook. A new editing window will appear, as shown in Figure 8-7. It lists the current parameters on the top of the Workbook: TimeRange, Caller, and ResourceGroup.

    This is a screenshot showing the editing window for customizing the Azure Activity Workbook. This window displays the existing parameters for TimeRange, Caller, and ResourceGroup, and it provides an Add Parameter button to add another parameter.
    FIGURE 8-7 Editing window to modify the Azure Activity Workbook template
  8. For a simple demonstration, you are going to add a parameter that will allow you to filter the results displayed in the Workbook according to the level of the Azure Activity log event. Review the Azure Activity event log documentation at https://aka.ms/asb/activitylogschema to find the correct log event property to filter upon. Based on the documentation, you will want to summarize the underlying queries based on their Level. The documentation notes that the Level property will contain one of the following values: Critical, Error, Warning, or Informational. Click Add Parameter. A new editing screen will appear. For Parameter Name enter Level and check the Required? and Allow multiple selections boxes. In the Query window, enter AzureActivity | summarize by Level. Click the Run Query button to ensure the query executes as expected. The finished results for the new parameter should look like Figure 8-8.

  9. Click the Save button. Then select the Done Editing button. You should now have a new drop-down menu like the one in Figure 8-9 that allows you to filter the Workbook’s results based on the level of the events.

    This is a screenshot showing the editing screen to add a new parameter to the Azure Activity Workbook template.
    FIGURE 8-8 Editing the screen to add a parameter to the Azure Activity Workbook template
    This is a screenshot showing the Azure Activity Workbook template with the new Level parameter.
    FIGURE 8-9 A view of the modified Azure Activity Workbook with the new Level parameter

Creating custom Workbooks

You can also create your own custom Workbooks if the pre-built templates are insufficient for your needs. You can combine text, analytic queries, Azure metrics, and parameters into highly interactive reports. Follow the steps below to create your own Workbook:

  1. In the Azure Sentinel dashboard, go to Workbooks and then select Add Workbook to create a new Workbook from scratch. You will be taken to the New workbook screen, as shown in Figure 8-10.

    This is a screenshot of the New Workbook screen showing buttons to edit, open, and save the workbook. The New Workbook screen also comes with a pre-loaded query for reference.
    FIGURE 8-10 View of the New Workbook screen
  2. To edit the Workbook, select Edit. In the top-right corner, select the Edit button to make changes to the text that was included with the New workbook template. As shown in Figure 8-11, add the following text: Workbook to Visualize changes in the volume and severity of Security Alerts. Click Done Editing.

    This is a screenshot of the Markdown Text To Display screen showing the new text: Workbook to Visualize changes in the volume and severity of Security Alerts.
    FIGURE 8-11 A view of the Markdown Text To Display screen
  3. Now add a pie chart displaying the security alerts that have occurred over the last six months, broken down by severity. To do this, select Edit at the top of the Workbook. Now, scroll to the right of the screen and select the second Edit button. In the Log Analytics Workspace Logs Query section, add the following query:

    SecurityAlert
    | where TimeGenerated >= ago(180d)
    | summarize Count=count() by AlertSeverity
    | render piechart

    Based on the data in your workspace, your results should look similar to Figure 8-12. Select Done Editing.

    This is a screenshot of the Add Query edit screen showing the query needed to render a pie chart showing the number of security events by severity over the last six months.
    FIGURE 8-12 The New Workbook Add Query edit screen
  4. Now create a new time chart displaying changes in the number of security alerts by severity over the last year. Add the following query to the Add Query edit window:

    SecurityAlert
    | where TimeGenerated >= ago(365d)
    | summarize Count=count() by bin(TimeGenerated, 1d), AlertSeverity

    From the Visualization drop-down menu, select Time Chart. Select Run Query. The results should be like Figure 8-13. Select Done Editing.

    This is a screenshot of the Add Query edit screen showing the query needed to render a time chart showing the daily changes in the number of security events, by severity level, over the last year.
    FIGURE 8-13 The New Workbook Add Query edit screen with a query to render a time chart showing the changes in security events by severity level
  5. Now that you have created your new Workbook, save the Workbook by pressing the Save icon at the top of the screen. You will then be presented with a set of text boxes and drop-down menus, including Title, Save To, Subscription, Resource Group, and Location. Ensure that you save the new Workbook under the subscription and resource group of your Azure Sentinel workspace. If you want to let others in your organization use the Workbook, select Shared Reports from the Save To menu. If you want this Workbook to be available only to you, select My Reports. Add a meaningful title for your Workbook and then press Save.
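
Saving the Workbook stores its definition as JSON (see the Note earlier in this chapter). As an added illustration, not a file taken from the book or from Microsoft, the following shows how the saved template for the Workbook built in steps 2 through 4 can look in the Azure Workbooks JSON format; the item type numbers follow the public workbook schema, and the workspace resource ID is a placeholder to be replaced with your own.

```json
{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 1,
      "content": {
        "json": "Workbook to Visualize changes in the volume and severity of Security Alerts"
      },
      "name": "text - 0"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "SecurityAlert\n| where TimeGenerated >= ago(180d)\n| summarize Count=count() by AlertSeverity\n| render piechart",
        "size": 0,
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "piechart"
      },
      "name": "alerts by severity"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "SecurityAlert\n| where TimeGenerated >= ago(365d)\n| summarize Count=count() by bin(TimeGenerated, 1d), AlertSeverity",
        "size": 0,
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "timechart"
      },
      "name": "alerts over time"
    }
  ],
  "isLocked": false,
  "fallbackResourceIds": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
  ],
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
```

Only the text, the queries, and the visualization settings are stored; the alert data is retrieved from the workspace each time the Workbook is opened, which is why a reader needs Log Analytics permissions on the workspace, not just access to the Workbook resource.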

Tip

For more detailed information on creating custom Workbooks, see https://aka.ms/asb/azureworkbooks.

Creating visualizations in Power BI and Excel

SOC leaders are often asked to provide metrics and report on their operations to executives and key business partners. Most likely, executives and business partners will not have access to Azure Sentinel; therefore, another method must be leveraged to provide them with the information they need.

Creating visualizations in Power BI

Log Analytics provides a native integration with Power BI. You can take any query used in Log Analytics and export it in Power Query (M) language to create a Power BI dataset. The architecture for exporting Azure Sentinel data to Power BI is shown in Figure 8-14.

This is an illustration of a high-level architecture showing the option to export the returned results from Azure Sentinel to Microsoft Power BI.
FIGURE 8-14 Architecture for exporting Azure Sentinel data to Power BI

To create visualizations in Power BI with Azure Sentinel data, you need to perform the following steps:

  1. Ensure that you have Power BI Desktop installed on your computer.

  2. Next, create a log query within Azure Sentinel that returns the data you want to use to populate a Power BI dataset. To do this, open the Azure Portal and sign in as a user who has either contributor or reader permissions on the resource group to which the Azure Sentinel workspace belongs.

  3. In the search pane, type Azure Sentinel and click the Azure Sentinel icon when it appears.

  4. Select the workspace on which Azure Sentinel has been enabled.

  5. Click Logs in the left navigation pane and enter the query to retrieve the data you want to share. For example, enter the following query to retrieve all Azure Active Directory audit logs for the last six months:

    AuditLogs
    // six months, consistent with the 180d window used in the Workbook queries above
    | where TimeGenerated >= ago(180d)
  6. Click Export at the top of the Query window and then select Export To Power BI (M Query), as shown in Figure 8-15. You will be prompted to open or save the Power BI M query. For demonstration purposes, click Open. A Notepad file will open with the M query.

    This is a screenshot of the Azure Sentinel query pane showing the drop-down menu options when the Export button is selected.
    FIGURE 8-15 Azure Sentinel query pane drop-down menu

    Open Power BI Desktop and click Get Data > Blank Query and then select Advanced Editor as shown in Figure 8-16. Paste the contents from the exported file into the query window. Click Done.

    This is a screenshot of the steps for navigating to the Power BI Desktop Advanced Editor.
    FIGURE 8-16 Power BI Desktop app navigation to the Advanced Editor
  7. Click Close & Apply. The Azure Sentinel data is now available within Power BI, and you can create custom reports and share those reports with others within your organization. For details on publishing Power BI reports, please review https://aka.ms/asb/exporttopowerbi.

Exporting data to Microsoft Excel

You can also easily export your Azure Sentinel data to Microsoft Excel to create visualizations and share information. You can use this approach if you need to create custom, one-time reports for individuals.

  1. Open the Azure Portal and sign in as a user who has either contributor or reader permissions on the resource group to which the Azure Sentinel workspace belongs.

  2. In the search pane, type Azure Sentinel and click the Azure Sentinel icon when it appears.

  3. Select the workspace in which Azure Sentinel has been enabled.

  4. Select Logs and enter the query to retrieve the data you want to share. For example, enter the following query to retrieve all security alerts that have occurred over the last six months and display the alert name, severity level, and whether the alert was promoted to an incident:

    SecurityAlert
    // six months, consistent with the 180d window used in the Workbook queries above
    | where TimeGenerated >= ago(180d)
    | project AlertName, AlertSeverity, IsIncident
  5. Press Run.

  6. Select Export at the top of the window, as shown previously in Figure 8-15, and select Export To CSV – All Columns.

Now you can open, save, or share the CSV file and work with the data as needed to create additional reports and visualizations.
