A great way to make sense of large volumes of data is to create graphic visualizations that make it easier for users or consumers of the data to understand what the data is telling them. Graphics can:
Make spotting trends easier
Identify or clarify relationships between data elements
Speed the decision-making cycle
Some of the most common data visualizations include time-series analysis (line charts), ranking (bar charts), ratio analysis (pie charts), frequency distribution, geospatial (maps), correlation (scatterplots), and cluster analysis.
Azure Sentinel Workbooks provide interactive reports that can be used to visualize your security and compliance data. Workbooks combine text, queries, and parameters to make it easy for developers to create mature visualizations, and they provide advanced filtering, drill-down capabilities, advanced dashboard navigations, and more. Also, Workbooks allow users of the dashboards to edit and customize the visualizations to meet their needs using simple drop-down menus. To get started with Azure Sentinel Workbooks, follow the steps below:
Open the Azure Portal and sign in as a user who has either contributor or reader permissions on the resource group to which the Azure Sentinel workspace belongs.
In the search pane, type Azure Sentinel and click the Azure Sentinel icon when it appears.
Select the workspace on which Azure Sentinel has been enabled.
In the left navigation pane, click Workbooks > Templates. The Azure Sentinel – Workbooks Templates page appears, as shown in Figure 8-1.
At the time of publication, Azure Sentinel included the following templates:
Azure Activity
Azure AD Audit Logs
Azure AD Sign-in Logs
Azure Firewall
Check Point Software Technologies
Cisco
DNS
Exchange Online
FortiGate
Identity & Access
Linux Machines
Microsoft Cloud App Security – Discovery Logs
Microsoft Web Application Firewall (WAF) – Firewall Events
Microsoft Web Application Firewall (WAF) – Gateway Access Events
Microsoft Web Application Firewall (WAF) – overview
Office 365
Palo Alto Network Threat
Palo Alto overview
SharePoint & OneDrive
Threat Intelligence
VM insights
To leverage a specific Workbook template, you must have at least Workbook reader or Workbook contributor permissions on the resource group of the Azure Sentinel workspace. The Workbooks that you can see in Azure Sentinel are saved within the Azure Sentinel workspace's resource group and are tagged with the workspace in which they were created. To leverage one of the built-in Workbooks, follow these steps:
Starting from the Azure Sentinel main portal, go to Workbooks and select Templates. You can select each template to determine the required data types that must be connected to use it.
Select the Azure Activity template. As shown in Figure 8-2, the Azure Activity Workbook requires the Azure Activity data type. The green circle with the white checkmark indicates that the data source for Azure Activity logs is connected to Azure Sentinel.
Click the View Workbook button to see the template populated with your data. An example of the Azure Activity Workbook is shown in Figure 8-3. The Workbook includes visualizations for the top active resource groups, activities over time, caller activities, and a time series view of activities by alert level.
At the top of the Azure Activity Workbook are three drop-down menus that allow you to customize the view across three parameters: TimeRange, Caller, and ResourceGroup. You can select any of these to display the drop-down menu and then pick the appropriate option. In Figure 8-4 below, the TimeRange parameter is selected and the available options are displayed. Select one of the displayed options to change the time period of the Azure Activity data being displayed in the Workbook.
You can also edit the built-in Workbooks. To edit the Workbook, return to the previous screen showing the preview blade for the Azure Activity Workbook template (see Figure 8-2 shown earlier). Select Save, select the location where you want to save the template, and click OK. The drop-down menu will include a list of Azure regions in which you can save the template, as shown in Figure 8-5. The Azure Activity Workbook will now appear under the My Workbooks blade.
When you save a Workbook template, an Azure resource is created based on the relevant template, and the template’s JSON file is saved, not the data itself.
Now that the Azure Activity Workbook is saved, you will see a new taskbar included at the top, as shown in Figure 8-6. You now have action menus that allow you to edit, open, save, refresh, and share the Workbook. The last icon allows you to provide feedback about this feature to Microsoft.
Select Edit. Once selected, a new Edit button will appear to the far right of each visualization widget. Select the Edit button at the very top of the Azure Activity Workbook. A new editing window will appear, as shown in Figure 8-7. It lists the current parameters on the top of the Workbook: TimeRange, Caller, and ResourceGroup.
For a simple demonstration, you are going to add a parameter that will allow you to filter the results displayed in the Workbook according to the level of the Azure Activity log event. Review the Azure Activity event log documentation at https://aka.ms/asb/activitylogschema to find the correct log event property to filter upon. Based on the documentation, you will want to summarize the underlying queries based on their Level. The documentation notes that the Level property will contain one of the following values: Critical, Error, Warning, or Informational. Click Add Parameter. A new editing screen will appear. For Parameter Name enter Level and check the Required? and Allow multiple selections boxes. In the Query window, enter AzureActivity | summarize by Level. Click the Run Query button to ensure the query executes as expected. The finished results for the new parameter should look like Figure 8-8.
Click the Save button. Then select the Done Editing button. You should now have a new drop-down menu like the one in Figure 8-9 that allows you to filter the Workbook’s results based on the level of the events.
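The walkthrough above creates the Level parameter but does not show a Workbook query consuming it. The following query is an added example (not from the book or the built-in template) that filters Azure Activity events by the selected Level values together with the existing TimeRange parameter; it assumes the parameter names shown above and uses the standard Azure Workbooks parameter substitution syntax:

```kusto
// Added example: a Workbook query that honours the Level parameter.
// In Azure Workbooks, a multi-select drop-down parameter such as {Level}
// expands to a quoted, comma-separated list (for example 'Error','Warning'),
// and a time range parameter referenced as {TimeRange} expands to a
// comparison that can be applied directly to TimeGenerated.
AzureActivity
| where TimeGenerated {TimeRange}
| where Level in ({Level})
| summarize Events = count() by bin(TimeGenerated, 1h), Level
| render timechart
```

When a Workbook user changes the Level drop-down, only the selected levels appear in the chart, which makes it easy to isolate Critical and Error activity for review.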
You can also create your own custom Workbooks if the pre-built templates are insufficient for your needs. You can combine text, analytic queries, Azure metrics, and parameters into highly interactive reports. Follow the steps below to create your own Workbook:
In the Azure Sentinel dashboard, go to Workbooks and then select Add Workbook to create a new Workbook from scratch. You will be taken to the New workbook screen, as shown in Figure 8-10.
To edit the Workbook, select Edit. In the top-right corner, select the Edit button to make changes to the text that was included with the New workbook template. As shown in Figure 8-11, add the following text: Workbook to Visualize changes in the volume and severity of Security Alerts. Click Done Editing.
Now add a pie chart displaying the security alerts that have occurred over the last six months, grouped by severity. To do this, select Edit at the top of the Workbook. Now, scroll to the right of the screen and select the second Edit button. In the Log Analytics Workspace Logs Query section, add the following query:
SecurityAlert | where TimeGenerated >= ago(180d) | summarize Count=count() by AlertSeverity | render piechart
Based on the data in your workspace, your results should look similar to Figure 8-12. Select Done Editing.
Now create a new time chart displaying changes in the number of security alerts by severity over the last year. Add the following query to the Add Query edit window:
SecurityAlert | where TimeGenerated >= ago(365d) | summarize Count=count() by bin(TimeGenerated, 1d), AlertSeverity
From the Visualization drop-down menu, select Time Chart. Select Run Query. The results should be like Figure 8-13. Select Done Editing.
Now that you have created your new Workbook, save the Workbook by pressing the Save icon at the top of the screen. You will then be presented with a set of text boxes and drop-down menus, including Title, Save To, Subscription, Resource Group, and Location. Ensure that you save the new Workbook under the subscription and resource group of your Azure Sentinel workspace. If you want to let others in your organization use the Workbook, select Shared Reports from the Save To menu. If you want this Workbook to be available only to you, select My Reports. Add a meaningful title for your Workbook and then press Save.
For more detailed information on creating custom Workbooks, see https://aka.ms/asb/azureworkbooks.
SOC leaders are often asked to provide metrics and report on their operations to executives and key business partners. Most likely, executives and business partners will not have access to Azure Sentinel; therefore, another method must be leveraged to provide them with the information they need.
Log Analytics provides a native integration with Power BI. You can take any query used in Log Analytics and export it in Power Query language to create a Power BI dataset. The architecture for exporting Azure Sentinel data to Power BI is shown in Figure 8-14.
To create visualizations in Power BI with Azure Sentinel data, you need to perform the following steps:
Ensure that you have Power BI Desktop installed on your computer.
Next, create a log query within Azure Sentinel that returns the data that you want to populate a Power BI dataset. To do this, open the Azure Portal and sign in as a user who has either contributor or reader permissions on the resource group to which the Azure Sentinel workspace belongs.
In the search pane, type Azure Sentinel and click the Azure Sentinel icon when it appears.
Select the workspace on which Azure Sentinel has been enabled.
Click Logs in the left navigation pane and enter the query to retrieve the data you want to share. For example, enter the following query to retrieve all Azure Active Directory audit logs for the last six months:
AuditLogs | where TimeGenerated >= ago(120d)
Click Export at the top of the Query window and then select Export To Power BI (M Query), as shown in Figure 8-15. You will be prompted to open or save the Power BI M query. For demonstration purposes, click Open. A Notepad file will open with the M query.
Open Power BI Desktop and click Get Data > Blank Query and then select Advanced Editor as shown in Figure 8-16. Paste the contents from the exported file into the query window. Click Done.
Click Close & Apply. The Azure Sentinel data is now available within Power BI, and you can create custom reports and share those reports with others within your organization. For details on publishing Power BI reports, please review https://aka.ms/asb/exporttopowerbi.
You can also easily export your Azure Sentinel data to Microsoft Excel to create visualizations and share information. You can use this approach if you need to create custom, one-time reports for individuals.
Open the Azure Portal and sign in as a user who has either contributor or reader permissions on the resource group to which the Azure Sentinel workspace belongs.
In the search pane, type Azure Sentinel and click the Azure Sentinel icon when it appears.
Select the workspace in which Azure Sentinel has been enabled.
Select Logs and enter the query to retrieve the data you want to share. For example, enter the following query to retrieve all security alerts that have occurred over the last six months and display the alert name, severity level, and whether each alert was identified as an incident:
SecurityAlert | where TimeGenerated >= ago(120d) | project AlertName, AlertSeverity, IsIncident
Press Run.
Select Export at the top of the window, as shown previously in Figure 8-15, and select Export To CSV – All Columns.
Now you can open, save, or share the CSV file and work with the data as needed to create additional reports and visualizations.