Azure Sentinel workbooks are a way to create and show customizable and interactive reports that can display graphs, charts, and tables. Information can be presented from Log Analytics workspaces using the same Kusto Query Language (KQL) queries that you already know how to use. These workbooks are based on the workbook technology that has been in use with other Azure resources, including Azure Monitor and Log Analytics workspaces.
Azure Sentinel provides a number of templates that are ready for use. You can use these templates to create your own workbook that can then be modified as needed. Most of the data connectors that are used to ingest data come with their own workbooks, to allow you better insight into the data that is being ingested through the use of tables and visualizations, including bar and pie charts. You can also make your own workbooks from scratch, if required.
In this chapter, you will learn the following topics:
Note
You may come across old documentation and websites that discuss Azure Sentinel dashboards. Dashboards were replaced with workbooks to provide a more interactive user experience.
To go to the Workbooks page, select Workbooks from the Azure Sentinel navigation blade. A new screen will appear that will look similar to the one shown in the following screenshot:
The header at the top of the page in the preceding screenshot shows the Refresh and Add workbook buttons. Adding a new workbook will be discussed in the Adding a new workbook from scratch section.
Let's discuss the different components of the Workbooks page in detail in the following sections.
Under the Refresh and Add workbook buttons is the total number of workbooks that have been saved. The number 9 in the following screenshot will include all the workbooks that have been saved, whether they are saved as a personal or as a shared workbook. So, this number can be different, depending on who is accessing the page:
To the right of that is the total number of templates available to use. This number may change as new workbook templates are added.
On the far-right side is the total number of templates that can be updated. As new versions of the templates are added, this number will increment to inform you of this fact. The actual template that can be updated will have an icon to let you know it has an update.
Note
Note that this will update the template only. It will not update any saved versions of the workbook based on the template.
Let's take a look at the Templates view.
Below the workbook header are two tabs, My workbooks and Templates, as shown in the following screenshot. The My workbooks tab will show all the workbooks to which the user has access, including those that are shared and personal. The Templates tab shows all the templates that are available to be used:
No matter which tab you select, each template or report will be shown on a single row. On the far left will be a green bar, indicating that this template has been saved previously and can be viewed under My workbooks. If you are looking at the My workbooks tab, then every report will have a green bar since every report is available to view. After that is an icon representing the company that created the template, followed by the template name, and the name of the company under this.
Looking at the first template listed in the preceding screenshot, you can see the icon for Amazon Web Services (AWS). This is followed by the template name, AWS Network Activities, with the company that created it, MICROSOFT, under the template name.
Selecting a workbook will show its information in the details window on the far-right side of the Workbooks page, as shown in the following screenshot:
This window will again show the icon, name, and company name at the top of the screen. Under that is a detailed description of the workbook.
Below the workbook detail view is the list of required data types. This will list one or more data types that are needed for this workbook to function correctly. If your environment has the required data source, a green checkbox icon will show, but if it does not, then a cross check icon will show in its place, as shown in the following screenshot:
Unlike the Analytics query templates discussed in Chapter 7, Creating Analytic Rules, you can create a workbook from a template, even if you do not have the required data types. The only thing that will happen is that no information will be shown in the workbook, and there may be an error.
Below the Required data types field are the relevant data connectors, which show which data connector(s) are used to ingest the needed data.
Scrolling down in the details pane will show one or more reports that represent how the report will look. This can be very useful to see what the workbook would look like, especially if you do not have the requisite data source populated yet, and an example of this can be seen in the following screenshot:
Clicking on the left and right arrows will switch the displayed report if there is more than one available.
At the bottom of the screen are a series of buttons that change depending on whether you have saved the template or not. Figure 8.6 in the preceding section shows the buttons for a template that has not been used to create a workbook, and the following screenshot shows the buttons for a template that has been saved:
Let's discuss each of these buttons in detail:
The My workbooks tab will show the same information as the Templates tab, except that it will only show those workbooks that have been saved from a template or created from scratch. Also, at the bottom of the detailed description window, the buttons have changed.
If you have created a workbook from scratch, without creating it from an existing template, then the buttons will be shown as in the following screenshot. Since there is no template to view, the View template button will not be shown:
You now have a good understanding of the workbook's overview page. You know how to look at a workbook template, determine whether you have the needed data sources, and create a new workbook using a template. Next, we will look at an existing workbook to give you an idea of what you can do with workbooks.
We are going to take a look at an existing template that has most of the features available to workbooks. This may give you an idea of what you can do with your workbooks, or at least show you how to set up a workbook to do what you want.
The Azure Active Directory (Azure AD) Sign-in logs template has a wide variety of charts and graphs in it. In addition, it shows how to allow users to change parameters, and it shows how you can make columns in a table and display information in a more graphical way.
If you do not have the SigninLogs data type available, which the Azure AD Sign-in logs workbook uses to get its information, it is recommended that the Azure AD connector be enabled for your Azure Sentinel instance. Refer back to Chapter 3, Data Collection and Management, for guidance on how to do this. If you cannot get this connector activated, for whatever reason, you can follow along in the book. However, you will have a better experience if you can look at the workbook yourself.
Select the Azure AD Sign-in logs template and click the View template button. If you have created a workbook from this template, you can click the View saved workbook button. It will make no difference in this case. You will see a screen similar to the following. It is expected that the values are different, and some of the columns may not display the same graphics, as in the following screenshot:
A workbook is made up of small sections called steps. Each step has a unique name that can be pretty much anything, and this name can be referenced in other steps. Each step can run on its own, although some may require parameters either from a parameter step, as with the one discussed later, or from other steps.
The header at the top of the page does not concern us at this point. It will be explained in the Editing a workbook section later in this chapter. Notice that the page has a title called Sign-in Analysis. This is an example of straight text being shown.
Beneath that are some parameters that allow you to change what the workbook is looking at—in this case, TimeRange, Apps, and Users can be changed. In this way, the user can either select to look at the entire report, or narrow it down to a specific date, app, and user, or anything in between.
Under that is the first example of a query section. This is using a KQL query to obtain the data, and then displaying it in different ways. In this case, the information is being displayed as tiles; one tile per column is returned.
Below that is another example of a query section. In this case, the information is being displayed as a table, but some individual columns have been modified to show graphical information, while others show straight text. If you look at the second column from the left, it is showing a heatmap along with the textual value. The third column, called Trend, is showing a spark line instead of the text values.
Another interesting thing to note about these query sections is that they are shown side by side. Normally, when a new query is added to a workbook page, it is set to take up the entire width of the page. This can be modified so that the individual queries take up as much or as little width as desired. If another query can fit beside the first one, it will do so.
Remember that workbooks are interactive, meaning that they can be defined in such a way so that if you click on one value, others can change. In this workbook, if you select a row from the Sign-ins by Location query shown in the preceding screenshot, the Location Sign-in details will be filtered to show only those users who belong to the selected location.
The rest of the workbook's sections are pretty much the same as the ones already discussed. This should give you an idea of what you can do with your workbooks to display relevant information.
Go ahead and look at some of the other workbook templates available to see what else you can do. Remember: you can just click on the template and look at the provided report to get an idea of what the workbook will look like. You will see that you can show bar charts, pie charts, area charts, and more.
Now that you have an idea of what you can do with workbooks, it is time to see how to create your own. There are two ways of doing this:
Either way, we will get a working workbook; however, you may find it easier to create workbooks from templates to begin with, to get a better understanding of how workbooks function and what you can do with them. There is no reason why you cannot create your own workbook, using the queries from a workbook created from a template as the starting point.
In order to be able to create a new workbook, you will need to have the proper rights. Refer to https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions to see the rights that are required to create and edit workbooks.
The following steps show how to create a workbook using a template. This makes it easier to create a new workbook, as you have a basis to start from:
You now know how to create a workbook using a template as the baseline. This is a very easy method to get a workbook created that you can then modify as needed. Next, we will discuss creating a workbook from scratch, without using a template as the baseline.
Creating a workbook from scratch is a bit more complicated. It involves creating the workbook, and then you need to edit it, since the workbook created is already saved with a default query assigned to it. To create a workbook from scratch, perform the following steps:
The relevant field options are discussed in the following table:
Note
It is not actually necessary for you to save the new workbook before you edit it. It is generally recommended that you do so to make sure you have a saved copy of it that you can revert to, should your edits not work correctly.
That is all there is to it. Now, you will need to edit the workbook so that you can edit or remove the existing steps or add your own steps. Refer to the next section, where we will cover more details on what can be done to modify your workbook.
There will be times when you need to edit a workbook. As you saw in the previous section, you need to edit a workbook created from scratch in order to add what you need to it. You can also edit workbooks created from templates to modify them to suit your needs.
If you are not already viewing your workbook, you will need to view it first. If you are already viewing your workbook, you can skip this next step and move directly to the editing portion.
To edit a workbook, perform the following steps:
Note
You cannot edit a workbook template directly. It must be saved first, and then the saved workbook can be edited. If you have created a workbook from scratch, you must go to the My workbooks tab since these workbooks have not been created from a template and only show up there.
At the top of the page will be a header of buttons, shown as follows. The one we care about in this section is the first one on the left, called Edit:
When you click the Edit button, the workbook view will change to edit mode, which will look like the following screenshot:
Each step in the workbook will have its own Edit button so that you can make changes to that individual step. More information on the various types of steps can be found in the Workbook step types section. Note that all the steps will be displayed, even those that have been set to be hidden when viewing the workbook.
In edit mode, the list of buttons in the header changes as follows:
The following table briefly describes each button:
If you look at the bottom of the workbook you are editing, you will see a list of links matching the following screenshot. This is how you will add new steps, and each step will be described individually in the Workbook step types section:
Once you have finished making all your changes, click on the Done Editing button in the header bar to revert to the view mode. All the individual edit buttons will disappear, as will any steps, parameters, or columns that have been set to be hidden.
Take a look at your workbook to make sure the edits you just made are working as desired. Once you are satisfied with your changes, click on the Save button to save your changes.
While the workbook's editing graphical user interface (GUI) allows you to completely create and edit an Azure Sentinel workbook, there may be times when you need to tweak a setting directly in the code. You may also wish to get the ARM template, which will allow you to easily reproduce this workbook elsewhere or store it as part of your DevOps process.
In either case, clicking on the Advanced Editor button will allow you to do that. When you click on the button, you will be taken to the Gallery Template view of the advanced editor, as shown in the following screenshot. This view will allow you to directly modify the JSON code. When you are done making the changes, click the Apply button to apply your changes, or the Cancel button to return to the GUI without saving your changes:
Note
Do not modify the JSON code directly unless you are familiar with JSON and what needs to be changed. Any changes made here will apply to the GUI view as well, and if a mistake is made, you could render the workbook unusable.
If you want to see the ARM template that gets generated, click on the ARM Template button. This will switch the view to show you the ARM template that can be used to reproduce this. Copy the code and paste it into another file to use it, to recreate your workbook as needed. The ARM Template view can be seen in the following screenshot:
Tip
The discussion of ARM templates and how to use them is beyond the scope of this book. Go to https://docs.microsoft.com/en-us/azure/templates/ and https://docs.microsoft.com/en-us/azure/azure-monitor/platform/workbooks-automate to learn more about them.
When you are done, click the Cancel button to return to the GUI view.
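A check to run on the JSON before clicking Apply in the Advanced Editor, added here as an example that is not from the book or from Microsoft: it confirms that the text parses, that every step name is unique, and that each {ParameterName} used in a query is defined somewhere. The key names (items, name, content, query, parameters, exportParameterName) and the sample template are assumptions constructed for illustration; compare them with what your own Gallery Template view shows.

```python
import json
import re
from collections import Counter

# Constructed sample, NOT a real Azure Sentinel template. Key names are assumed.
# It contains two deliberate mistakes: a repeated step name and an undefined {Users}.
SAMPLE_TEMPLATE = """
{
  "version": "Notebook/1.0",
  "items": [
    {"type": 1, "name": "text - 0",
     "content": {"json": "## Sign-in Analysis"}},
    {"type": 9, "name": "parameters - 1",
     "content": {"parameters": [
        {"name": "TimeRange", "type": 4},
        {"name": "Apps", "type": 2}
     ]}},
    {"type": 3, "name": "query - 2",
     "content": {"query": "SigninLogs | where AppDisplayName in ({Apps}) or '*' in ({Apps}) | summarize count() by Location",
                 "exportParameterName": "SelectedLocation"}},
    {"type": 3, "name": "query - 2",
     "content": {"query": "SigninLogs | where Location == '{SelectedLocation}' and UserDisplayName in ({Users})"}}
  ]
}
"""

# {Name} or {Name:modifier}; a JSON literal such as {"a": 1} does not match.
PARAM_REF = re.compile(r"\{([A-Za-z_]\w*)(?::[^{}]*)?\}")


def _walk(node):
    """Yield every dict nested anywhere inside the parsed JSON."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def lint_workbook(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]

    items = doc.get("items") if isinstance(doc, dict) else None
    if not isinstance(items, list):
        return ["top-level 'items' list of steps is missing"]

    # Assumption: any object that carries a 'content' object is a step.
    steps = [d for d in _walk(items) if isinstance(d.get("content"), dict)]

    findings = []
    names = Counter()
    for index, step in enumerate(steps):
        if step.get("name"):
            names[step["name"]] += 1
        else:
            findings.append(f"step #{index} has no name")
    findings += [f"step name '{n}' is used {c} times"
                 for n, c in names.items() if c > 1]

    # Parameters come from parameter steps or are exported by a query step.
    defined = set()
    for d in _walk(items):
        params = d.get("parameters")
        if isinstance(params, list):
            defined.update(p["name"] for p in params
                           if isinstance(p, dict) and p.get("name"))
        if d.get("exportParameterName"):
            defined.add(d["exportParameterName"])

    for step in steps:
        query = step["content"].get("query")
        if isinstance(query, str):
            for ref in sorted(set(PARAM_REF.findall(query)) - defined):
                findings.append(
                    f"step '{step.get('name')}' references undefined parameter {{{ref}}}")
    return findings


if __name__ == "__main__":
    for finding in lint_workbook(SAMPLE_TEMPLATE):
        print(finding)
```

Parameters set by a link or tab action are not collected by this check, so a reference to one of those would be reported as undefined.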
You have now seen how to edit a workbook using both the GUI and the advanced view, where you can edit the underlying code directly. You have also learned how to copy the JSON code that can be used in an ARM template to recreate this workbook as needed. Next, we will look at managing your existing workbooks.
You have seen how to add a new workbook, and now, you will learn how to manage the ones you have. This will include deleting, moving, and sharing workbooks. As a reminder, go to https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions to make sure you have the proper rights needed to manage workbooks.
As stated earlier, clicking on the Open button when looking at a saved workbook will allow you to manage workbooks. Clicking on it will open the Saved Workbooks blade, which will look similar to the following screenshot:
At the top of the screen is the New button, which will allow you to create a new workbook; the Refresh button, which will refresh this view; and the Save All button, which will save all the changes made. Under that is the Subscription dropdown that will allow you to change the subscription you are looking at, followed by a search box where you can search for specific workbooks.
Below that is a listing of all the workbooks, separated into My reports, which only I can see, and Shared reports, which everyone can see. Clicking on any of the workbooks will change the workbook that you are viewing.
Each workbook will be shown in a separate row. It will display the name, and then an icon that will show whether the workbook has been created from a template, and then a context-sensitive menu. Clicking on the context-sensitive menu icon will show this menu.
This menu will allow you to delete this workbook, rename it, move it to Shared reports (if this workbook is already shared, it will allow you to move it to My reports), share it with others (if it is not a Shared report, you will be asked to make it a Shared report before you can share it), or pin it to a dashboard, which can provide a shortcut to get directly to this workbook. All of this can be seen in the following screenshot:
We have finished looking at how to manage your existing workbooks. You have learned about the Saved Workbooks pane, as well as the context-sensitive menu that will allow you to perform various management tasks on a workbook. Now, it is time to look at the various parts that make up a workbook, and how to use them.
As stated earlier, each workbook is made up of one or more small sections called steps. Each step has a unique name, which can be pretty much anything, and this name can be referenced in other steps. Each step can run on its own, although some may require parameters, either from a parameter step or from other steps.
There are five different types of steps: text, query, metric, parameters, and links/tabs. Each type of step will be discussed in more detail in the following sections. There will also be a section to discuss the Advanced Settings button, as the various step types have the same advanced settings.
To add a new step when editing a workbook, at the bottom of the screen is a list of links matching those shown in the following screenshot. Click on the appropriate link for the type of step you wish to add:
No matter which link you click, the list will change to look like the following screenshot:
Clicking the Done Editing button will change the selected step to view mode so that you can see how your changes look.
The Go to advanced settings button will take you to the Advanced Settings page. This is discussed more in the Advanced settings section.
The Clone this item button will create a duplicate of the step you are editing. This can be useful if you need to have two steps that are very similar, with only a few changes between them. Rather than having to create the two steps individually, you can create one, click the Clone this item button, and then make the necessary changes on the second one.
The Move Up button will move this step up one in the listing of steps so that it is displayed higher in the page. If there is a step below the one that you are editing, the Move Down button will display to the left of the Move Up button. If this step is at the top of the page, the Move Up button will no longer show.
The Delete button will remove this step. Note that there is no verification that you want to perform this step. Clicking on it will automatically remove this step. It pays to save often, just in case you accidentally delete a step you didn't intend to, so that you can revert to a saved version.
Now that you know how to add a step, let's discuss each type in detail.
As you may have guessed from the name, clicking the Add text link will add a step that displays text using the Markdown language. Clicking the link will add a new step with an empty textbox where you can enter your text, as shown in the following screenshot:
Enter the text you want, along with any of the Markdown formatting commands, and then click the Done Editing button to see your changes with the formatting applied.
The Markdown language is a text-based language that is used in many different systems, most notably GitHub. It was developed to allow people to write plaintext documents that contain the same formatting you would see in HTML documents. To see the various formatting commands, go to https://www.markdownguide.org/. Note that not all the Markdown formatting has been tried, so there is no guarantee that all formatting commands will work.
The query step is the mainstay of the workbook. By using KQL queries, you can display data from the logs in various formats, including grids (or tables), area charts, various types of bar charts, line charts, pie charts, scatter charts, time charts, and tiles.
Currently, most of the visualization types are supported, with two of them—graph and map—in preview. Microsoft may make changes from time to time, so please refer to the official workbook docs for up-to-date information. The graph format allows you to show information in a graph view, much like what you see when investigating an incident. Refer to the Investigating an incident section in Chapter 9, Incident Management, to see what this looks like. The map format will show information in a non-interactive map. This means that you cannot adjust the scale to zoom in or out.
After you click on the Add query link, you will see that a new step has been added, which looks as follows:
Let's have a look at the different fields of the header bar:
Most of the entries should be familiar to you already. However, the top one, Set in query, and the bottom one, TimeRange, need some explanation. You may not see the TimeRange value listed, and the reason is explained here.
The Set in query value will read the time span directly from the query itself. If you have a query such as Heartbeat | where TimeGenerated < ago(1d), then because the time is set in the code, any value in the dropdown will be ignored. A best practice in cases such as this is to set the dropdown to the Set in query value so that anyone needing to edit this step can easily tell that the time span is set in the code.
The TimeRange value is added because there is a parameter called TimeRange that is set to be a time-range picker. This is explained more in the Parameters section. If you do not see this value, then you do not have a time-range picker set up as a parameter.
Remember that TimeRange is just the name given to the parameter. It could be called something else in your case. If there is anything listed under the Time Range Pa… header (which is a shortened version of Time Range Parameter), then that can be used too as the time-range value.
Tip
It is a best practice to use a time-range picker parameter in your workbooks as much as possible so that the workbooks can be as flexible as possible.
One more button can appear in the header, depending on the type of visualization selected, and it is used to change the settings of that visualization. The grid, pie chart, tiles, graph, and map each have their own button that is shown to change the settings for that specific visualization.
The book would be far larger if we were to discuss every individual setting for each of these visualizations, so you will need to play around to see what the different settings do. One we will discuss, since it is very useful and is used to create some of the visual representations discussed in the overview of the Azure AD Sign-in logs workbook, is the grid's column renderer.
To see this in action, perform the following steps:
Most of the available entries will not make sense for an Azure Sentinel workbook, but others are useful. Some of the more useful ones are Heatmap and Spark line, which were used in the Azure AD Sign-in logs workbook, as well as Text, Date/Time, Thresholds, Timeline, Icon, and Link (which works like the Link/Tab step type described in the Links/tabs section).
Note
Depending on which one you select, other choices for settings can show up or disappear.
One other useful entry is Hidden. Selecting this will cause the column to not display in the grid. There may be times when you will need to have the column around, but do not want to show it. Set the column's renderer to Hidden for this to happen. It's outside the scope of the book to go into more detail on how to use these different renderers, but take a look at the Azure AD Sign-in logs workbook to get an idea of how to use the Heatmap and Spark line.
Beneath the header bar is the Log Analytics workspace Logs Query area. This is where you enter your KQL query to be run. On the right side of this screen are three icons, as shown here:
The preceding list of buttons is explained as follows:
The area directly under the Log Analytics workspace Logs Query area is where your results will show up. They will be displayed according to the value selected in the Visualization dropdown. Using the Heartbeat query we used earlier, run it, and then change the values in the Visualization dropdown to see how this area changes.
The metric step allows you to view metrics on different Azure resources. This step type is not that useful in regard to Azure Sentinel, so we will not discuss it in this chapter. To get more information on how to use the metric step, refer to https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-workbooks#adding-metrics-sections.
As much as the query step is the mainstay of Azure Sentinel workbooks, they would not be as useful without parameters. A workbook that cannot change any of its inputs may just as well be an image rather than an interactive workbook that you can manipulate to query the results in different ways.
There are two types of parameters: those that get set in a parameter step, which we will discuss here, and those that are populated when an item in a query step is selected, which will be discussed in the Advanced settings section later in this chapter.
When you click the Add parameters link, you will see the following screen:
Once you have parameters entered, they will be displayed in a table, one per row, as shown in the following screenshot. You can select a single checkbox to edit all the settings of an individual parameter. You can also change the Required?, Parameter name, and Display name fields directly from this screen. It will show the Parameter type and Explanation fields, although you cannot edit those fields from this screen. Refer to the Adding a new parameter section for an explanation of these fields:
Click on the Add Parameter button to add a new parameter. When you do, a new pane will open. This is where you will set up your new parameter. Refer to the Adding a new parameter section for more information.
The Style dropdown allows you to change how the parameters are displayed. By default, they are displayed as pills, as shown in the following screenshot.
When you click the Add parameters link, you will see the following. The parameters are displayed in a single line as much as possible. If they cannot fit on one line, then multiple lines will be used:
The other option is Standard, which will display the parameters as follows, with no border around them:
Notice that you do not need to click the Done Editing button to see the changes. The parameters will show right above the button. This will be true even if you change the Parameter name or Display name as well. The header buttons are shown as follows:
The header buttons are further discussed as follows, from left to right:
Now that you have seen how the parameter step works, let's see how to add new parameters. These parameters will allow your users to have a more interactive experience with your workbooks.
In order to add a new parameter, click the Add Parameter button. This will open the New Parameter screen with a description of fields, as shown in the following screenshot:
The different fields of the New Parameter window are described in the following table:
Let's take a look at the different parameter types.
There are seven different parameter types:
Each works differently and can have additional fields show up in the New Parameter pane when selected. For instance, the Text type is very basic and will show a textbox for input, while the Drop down type will show the KQL window so that its values can be populated from a query; there will be a new field asking whether multiple selections can be made.
Note
For those parameter types that have the Include in the drop down field, care must be taken in the KQL query that uses that parameter to account for the case where All is selected. The following code comes from the Azure AD Sign-in logs workbook and uses the Apps parameter. It can filter based on the selection, or can look for all apps:
| where AppDisplayName in ({Apps}) or '*' in ({Apps})
It is the second part, after the or, that allows the code to use the All entry.
That is all the various parameter types that can be selected. Notice that when you change the parameter type, the Previews section will change to show how each type of parameter will look, and this is described next.
The second part of the New Parameter blade, at the bottom of the screen, shows a preview of how the variable will be displayed and how to use the variable in code. The following screenshot shows a parameter with no values filled in:
The last part is very important as it shows how to use the variable in code. This is the Parameter name, not the Display name, surrounded by brackets, { }.
The links/tabs step will allow you to either display links in different formats or tabs. This allows you to open a new website to show more information, show details about a selected cell, or display different tabs.
When you click on the Add links/tabs button, a new step will be added, as follows:
This screen will allow you to add, edit, delete, or change the order of the links that you have added. Keep in mind that as far as workbooks are concerned, tabs are links that are displayed differently.
The Update Links button will update the links with any modifications that have been made during the edit process. The Style dropdown will change how the links will be displayed in a list. The following table shows how the various styles will affect how the links are shown:
The rest of the header buttons are as follows:
The header buttons are discussed as follows, from left to right:
Let's take a look at how to add a new link.
To add a new link, start entering information in the blank row being shown in the listing. The different fields are described as follows:
Now, let's take a look at how to add a new tab in the following section.
When adding a new tab, the Style field in the header needs to be set to Tabs. The only fields that will be shown are Tab Name, Action, Value, Settings, and Context Blade. You cannot set any text to show before or after the tab.
Note
There is no reason why you cannot use any of the other styles to do the same thing as the Tabs entry. The Tabs style is set up to minimize the amount of work needed to create a tab interface, including hiding unneeded fields and changing how the links are displayed to look like a traditional tabbed interface.
The value for the Action field for the tab will be Set a parameter value, as you will be using this value to either show or hide steps to make the tabs work. Enter the name of the parameter in the Value field and the value in the Settings field. It is recommended that you use the same parameter for all the tab entries, just changing the value to designate different tabs to show. This will be used along with the Make this item conditionally visible option in the advanced settings discussed in the following section.
All steps have an Advanced Settings button in the step's footer that shows when the step is being edited. This will allow you to set items, including the step's name and visibility; if it exports parameters; what information to show when in view mode; as well as the step's width and other style settings. Not all step types will show the same fields, although all fields will be discussed here.
When you click the Go to Advanced Settings button, a new window will open up. The screen is broken into two tabs: Settings and Style. Settings is where you set the values that affect how the step will function, and Style is where you set the values that affect how the step will look. Let's have a look at them in the following sections.
This tab is where you set the values that affect how the step will function, including if the step is visible (and when); if the query shows; and if the step can be pinned to a dashboard. The following screenshot was taken from a query step window so it will show all the available fields, with the exception of the metrics step, which has two other fields discussed at the end of this section. Other steps will not have all the same entries:
The different fields from the Settings tab are explained as follows:
This is where you set the condition. You need to enter the Parameter name, the Comparison (equals to or not equals to), and then the Parameter value.
This is the field you will use when working with tabs. Each tab will have the Parameter name set to a different value, so when that tab is selected, the parameter will have a specific value, and that value will determine which step(s) to show.
You can have multiple conditions, and ALL of them must be met for the step to show.
The Field to export is the name of the field from the query that will be used to populate the parameter's value. The Parameter name is the name of the parameter, and the Parameter type is the type of the parameter. For this book, we will always use text, which includes integer, date/time, and Boolean values.
You can have multiple parameters exported at the same time. Remember to use the parameter in a query, surrounding the Parameter name with brackets { }.
That is everything you can do using the Settings tab. As you can see, each step in a workbook can be customized considerably. Next, we will look at the style changes you can make.
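The tab wiring described above (a Tabs-style links step that sets a parameter, and steps made conditionally visible on that parameter's value) can be checked offline against a workbook's JSON. The following Python is an added example, not code from this book or from Azure Sentinel; the JSON field names are an assumption about the workbook template format that you should verify against your own export, and the selectedTab and showDetails parameters, the tab values, and the step names are constructed.

```python
import json

# Constructed sample of a workbook template. Field names are assumed from the
# workbook JSON format; "selectedTab", "showDetails" and all values are made up.
WORKBOOK = json.loads("""
{"version": "Notebook/1.0", "items": [
  {"type": 11, "name": "tabs", "content": {"version": "LinkItem/1.0", "style": "tabs", "links": [
    {"linkLabel": "Sign-ins", "linkTarget": "parameter", "cellValue": "selectedTab", "subTarget": "signins"},
    {"linkLabel": "Alerts", "linkTarget": "parameter", "cellValue": "selectedTab", "subTarget": "alerts"}]}},
  {"type": 3, "name": "signin-query",
   "content": {"version": "KqlItem/1.0", "query": "SigninLogs | summarize count() by ResultType"},
   "conditionalVisibility": {"parameterName": "selectedTab", "comparison": "isEqualTo", "value": "signins"}},
  {"type": 3, "name": "alert-query",
   "content": {"version": "KqlItem/1.0", "query": "SecurityAlert | summarize count() by AlertSeverity"},
   "conditionalVisibilities": [
     {"parameterName": "selectedTab", "comparison": "isEqualTo", "value": "alert"},
     {"parameterName": "showDetails", "comparison": "isNotEqualTo", "value": "no"}]}
]}
""")

def conditions(step):
    """Return a step's visibility conditions (an empty list means always visible)."""
    conds = list(step.get("conditionalVisibilities", []))
    if "conditionalVisibility" in step:
        conds.append(step["conditionalVisibility"])
    return conds

def is_visible(step, params):
    """A step is shown only when ALL of its conditions are met."""
    def met(cond):
        equal = params.get(cond["parameterName"]) == cond["value"]
        return equal if cond["comparison"] == "isEqualTo" else not equal
    return all(met(cond) for cond in conditions(step))

def tab_values(workbook):
    """Map each parameter name to the values that tab links can assign to it."""
    values = {}
    for step in workbook["items"]:
        for link in step.get("content", {}).get("links", []):
            if link.get("linkTarget") == "parameter":
                values.setdefault(link["cellValue"], set()).add(link["subTarget"])
    return values

def unreachable_steps(workbook):
    """Name steps whose 'equals' condition expects a value that no tab ever sets."""
    tabs = tab_values(workbook)
    return [step["name"] for step in workbook["items"] for cond in conditions(step)
            if cond["comparison"] == "isEqualTo" and cond["parameterName"] in tabs
            and cond["value"] not in tabs[cond["parameterName"]]]
```

In the sample, the alert-query step expects the value alert while the Alerts tab sets alerts, so unreachable_steps reports it as a step that no tab can ever reveal.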
The Style tab will allow you to change how the step will look when displayed. Unlike the Settings tab, all the fields are present in all the step types, as shown in the following screenshot:
The different fields from the preceding screenshot are explained as follows:
That ends our discussion of the step's advanced settings. As you have seen, these settings allow you to perform many actions, including stating when the step is visible, being able to export variables that other steps in the workbook can use, determining how much of the width of the page the step will take up, and more.
In this chapter, you learned about Azure Sentinel workbooks and how their interactive display is used to show information to users. Workbooks can be used to help determine if there is something in your environment that needs investigation.
You learned how to create and edit a new workbook, using the various step types provided. You learned how to define parameters, both in a new step and from a query, and how to use those parameters to further filter your queries.
Workbooks can display a combination of text, various graphs, metrics, and links, including tabs. Using parameters, the workbooks can be made to change what information is presented, to help determine whether there is an incident that needs to be investigated.
Finally, you learned how to change the advanced settings on a step to change how it operates and how it looks. You learned how to get multiple steps to show up on the same row in a graph, and how one graph can communicate with another through parameters.
In the next chapter, you will learn about Azure Sentinel Incidents, which are generated from alerts and other queries, how to manage them, and how to investigate them.
For more information, you can refer to the following links: