Query, Visualize, & Monitor Data in Azure Sentinel

Azure Sentinel Workbooks

Azure Sentinel provides several ready-to-use workbook templates that you can take as a starting point for your own workbook and then modify as needed for Contoso. Most of the data connectors used to ingest data ship with their own workbooks, but you can often gain better insight by looking directly at the ingested data with tables and visualizations such as bar and pie charts. You can also build your own workbook from scratch on top of this data instead of starting from a predefined template.

Workbook Page

You can access the Workbooks page from the Azure Sentinel navigation pane. The page consists of:
  • Workbook header- From the header you can add a new workbook and review the saved workbooks and the templates that are available.
  • Templates section- The Templates tab lists the existing workbook templates. Workbooks that you save for quick access appear on the My Workbooks tab.

From the Templates tab, you can select any existing workbook template to display its details pane. The pane contains additional information about the template, including the data types it requires and the data connectors that must be connected to Azure Sentinel for it to work. You can also preview the template's reports here.

Explore Saved Workbooks

From the Templates tab, you can save a workbook from an existing template by selecting the template and then selecting Save. Saved workbooks appear on the My Workbooks tab, where you can customize them further. Select Edit to open a workbook in edit mode, where you can add or remove items for additional customization. In edit mode you'll notice several Edit options, each corresponding to an individual element of your workbook. Selecting one of them lets you examine the query that Azure Sentinel uses to filter the data from the corresponding log.

Selecting the settings icon opens the Settings page, where you can add the resources that you want to use in the workbook. You can also rearrange the placement of the different tables in the workbook by selecting Show Pin Options.

For advanced customization, select Advanced Editor to open the JSON representation of the current workbook and edit it in the text editor. You can save your changes to the existing workbook or save them as a new workbook. When you have finished customizing, exit edit mode by selecting Done Editing.

Explore Azure Sentinel repository on GitHub

The Azure Sentinel repository on GitHub provides out-of-the-box detections, exploration queries, hunting queries, workbooks, playbooks, and much more to help you secure your environment and detect threats. Both Microsoft and the Azure Sentinel community contribute to this repository.

The repository contains folders with contributed content for several areas of Azure Sentinel functionality, including detection queries. The code from these queries can also be used to create custom queries in your Azure Sentinel workspace.

Create a New Azure Sentinel Workbook

Besides using the built-in templates to create a customized workbook, you can also create custom workbooks from scratch to produce highly interactive reports that contain text, analytic queries, metrics, and parameters.

Create a custom workbook

To create a custom workbook, select +Add workbook on the header bar of the Workbooks page in Azure Sentinel. The New workbook page opens with a basic analytics query to get you started.

Tip- Each workbook that you create is saved as a workbook resource in the Azure Sentinel resource group.

Each workbook offers a rich set of capabilities for visualizing the security data collected by the connectors. You can design your workbook with the following visualization types and elements:

  • Text
  • Query
  • Parameters
  • Links/Tabs
  • Metric 

A new element can also be added to your workbook by selecting +Add.

Text Visualizations

Use text blocks to add interpretation of your security data, section headings, notes about the telemetry, and other information. Text is edited in Markdown, which provides formatting options for headings, font styles, hyperlinks, and tables.

Note- Markdown is a markup language that you can use to format text in plain-text documents. 

After adding the text, select the Preview tab to see how your content will appear. When you have finished editing the text, select Done Editing.

Query item

A query item runs a query against your logs and visualizes the results as text, a chart, or a grid. You write the query in KQL and then format the results with one of the following visualizations:
  • Grids (or tables)
  • Area charts
  • Bar charts
  • Line charts
  • Pie charts
  • Scatter charts
  • Time charts
  • Tiles

On the header bar, several fields let you tune the output of the query:

Name

Description

Run Query

Use this option to test the result of the query.

Samples

Microsoft provides sample code that contains sample queries that you can add to the workbook.

Data Source

Use this option to specify the data source for the query.

Resource Type

Use this option to select the type of resource.

Log Analytics workspace

Use this option if you want to query data against more than one resource.

Time Range

Use this option to specify a time range parameter to use in the query.

Visualization

Use this option to choose a specific visualization or choose Set by Query to present the data in a different format.

Size

Use this option to choose the size of the visualization element.

Color Palette

Use this option to choose specific series colors in chart settings.

After you are done customizing the settings and styles, you have to remember to save the step by selecting Done Editing.
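As an added example that is not part of the original post, here is a query you might put in a query step to chart failed Windows sign-ins over the workbook's selected time range. It assumes the Security Events connector is ingesting the SecurityEvent table and that the workbook defines a time range picker parameter named TimeRange (workbook parameters are referenced in query text as {ParameterName}). With the Visualization field set to Set by Query, the render operator at the end chooses the chart type.

```kql
// Added example, not from the original post.
// Assumes: the Security Events connector populates the SecurityEvent table, and
// the workbook defines a time range picker parameter named TimeRange.
SecurityEvent
| where TimeGenerated {TimeRange}          // expands to the range chosen in the picker
| where EventID == 4625                    // Windows "An account failed to log on"
| summarize FailedLogons = count()
    by bin(TimeGenerated, 1h), LogonTypeName
| order by TimeGenerated asc
| render timechart                         // honoured when Visualization = Set by Query
```

Grouping by LogonTypeName produces one series per logon type, so a burst of failed network logons stands out from ordinary failed interactive logons. Dropping the second grouping column collapses the chart to a single series, and widening the bin smooths it.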

Chart visualizations

When you create a query to present the security data as charts, you can customize:
  • Height
  • Width
  • Color Palette
  • Legend
  • Tiles
  • Axis types and series

Parameters

Parameters let you make the workbook interactive and manipulate the query results in different ways. You can create the following parameter types:
  • Text- You can enter arbitrary text.
  • Drop-down- You can modify the appearance of a query step to include a drop-down menu, in which you can select a value from a set of values. In this parameter type you can enter a KQL query or a JSON string to provide the choices for the drop-down list.
  • Options group- You can group multiple properties into a group.
  • Time range picker- You can select from prepopulated time ranges or select a custom range.
  • Resource picker- You can select one or more Azure resources.
  • Subscription- You can select one or more subscription resources.
  • Resource type- You can select one or more Azure resource type values.
  • Location- You can select one or more Azure location values.

The Preview section of the New Parameter page shows the variables that the parameter exposes, which you can then use in your query code.
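As an added example that is not part of the original post, the two queries below show a drop-down parameter backed by KQL and a query step that consumes it. They assume the Security Events connector is ingesting the SecurityEvent table, that a time range picker parameter named TimeRange exists, and that the drop-down parameter is named Hosts with multi-select enabled. A workbook drop-down takes its choices from the parameter query's columns named value (what is substituted into other queries) and label (what the user sees).

```kql
// Added example, not from the original post.
// Assumes: SecurityEvent table from the Security Events connector, a time range
// picker parameter named TimeRange, and a multi-select drop-down parameter
// named Hosts whose choices come from query 1.

// 1. Parameter query entered in the Hosts drop-down definition. The workbook
//    uses the value column for substitution and the label column for display.
SecurityEvent
| where TimeGenerated {TimeRange}
| distinct Computer
| project value = Computer, label = Computer
| order by label asc

// 2. Query step that uses the selection. A multi-select parameter expands to a
//    quoted, comma-separated list, so it fits directly inside an in() clause.
SecurityEvent
| where TimeGenerated {TimeRange}
| where Computer in ({Hosts})
| where EventID == 4625                    // failed logons on the chosen hosts
| summarize FailedLogons = count() by Computer, Account
| order by FailedLogons desc
| take 20
```

Because the parameter query is itself scoped by {TimeRange}, the drop-down only offers hosts that actually reported events in the selected window, which keeps the list short in large environments.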

Links/Tabs

Links/tabs can be added to customize navigation in the workbook with tabs, lists, paragraphs, or bullet lists. You can provide the following inputs when adding a new links/tabs step:
  • Text before link- Use this option to specify the text that is displayed before the link.
  • Link text- Use this option to specify the actual text that is displayed in the link.
  • Text after link- Use this option to specify the text that is displayed after the link.
  • Action- Use this option to specify the action that will be performed when you select the link such as Url, Set a parameter value, and Scroll to a step.
  • Value- Use this option to indicate a value for the link.
  • Settings- Use this option to configure specific settings based on the link type, and support parameter syntax.
  • Context- Use this option to open a new context panel to the side instead of a full view.
  • Style- Use this option to select between Link, Button (primary), Button (secondary) style. 

A new tab can also be added by simply selecting TABS from the Style drop-down menu on the header bar.

Metric steps

Metric steps combine the results of the workbook with metrics from different Azure resources. After you have made all your custom modifications to the workbook, save it by selecting Done Editing.
