Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -

 



Azure Sentinel Workbooks

Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates.

Workbook Page

You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the:
  • Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page.
  • Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab. 

From the Templates page, you can select any existing workbook to display a details pane for it, which contains additional information for the templates and it also contains information about the required data types and data connectors that must be connected to Azure Sentinel. The display of the reports can also be reviewed here.

Explore Saved Workbooks

From the Templates page, you can save a workbook from existing templates by selecting one of the templates, and then selecting Save. The saved workbooks are available on the My Workbooks tab, which can be further customized. Edit option can also be selected to open the workbook in the edit mode, where addition or removal of items can be done providing the additional customization. When you switch to the editing mode, you'll notice several Edit options, which corresponds to each individual aspect of your workbook. If you select one of these edit options, you can examine the query that Azure Sentinel uses to filter the data from the corresponding log.

When the settings icon is selected, the Settings page opens, where you can provide the additional resources that you want to use in the workbook while also rearranging the placement of different tables in the workbook by selecting Show Pin Options. 

For advanced customization, Advanced Editor can be selected to open the JSON representation of the current workbook, and then further customize it in the text editor. Your changes can be saved in the existing workbook or you can also save them as another workbook. When you are done with all the customization, you can exit the edit mode by selecting Done Editing.

Explore Azure Sentinel repository on GitHub  

The Azure Sentinel repository is known for its out-of-the-box detections, exploration queries, hunting queries, workbooks, playbooks, and much more to help you secure your environment as well as detect threats. Microsoft and the Azure Sentinel community readily contributes to this repository.

The repository contains folders with contributed content for several areas of Azure Sentinel functionality, including detection queries. The code from these queries can also be used to create custom queries in your Azure Sentinel workspace.

Create a New Azure Sentinel Workbook

Besides using the built-in templates to create a customized workbook, custom workbooks can also be created from the beginning to produce highly interactive reports that contains, texts, analytic queries, metrics, and parameters.

Create a custom workbook

You can easily create a custom workbook by simply selecting +Add workbook on the header bar from the workbooks page in Azure Sentinel after which the New workbook page opens, which contains a basic analytics query to get you started. 

Tip- Each workbook that you create is saved as a workbook resource in the Azure Sentinel resource group.

Each workbook offers a rich set of capabilities for visualizing the security data collected from the connectors. You can also design your workbook with the following visualization types and elements:    

  • Text
  • Query
  • Parameters
  • Links/Tabs
  • Metric 

A new element can also be added to your workbook by selecting +Add.

Text Visualizations

Text blocks can be used to interpret your security data, section headings, telemetry data, and the other information. The text can be edited by using the Markdown markup language, which provides different formatting options for heading, font styles, hyperlinks, and tables.

Note- Markdown is a markup language that you can use to format text in plain-text documents. 

After the addition of the text, you can select the Preview tab to preview how your content will appear and finally when you complete editing the text, you can simply select the Done Editing option.

Query item

Different queries can be selected from the logos and the data can be visualized text, charts, or grids. You write the query using KQL, and then format the data using various visualizations including:
  • Grids (or tables)
  • Area charts
  • Bar charts
  • Line charts
  • Pie charts
  • Scatter charts
  • Time charts
  • Tiles

 On the header bar, several fields are offered to provide you the options to tune the output of the query:

Name

Description

Run Query

Use this option to test the result of the query.

Samples

Microsoft provides sample code that contains sample queries that you can add to the workbook.

Data Source

Use this option to specify the data source for the query.

Resource Type

Use this option to select the type of resource.

Log Analytics workspace

Use this option if you want to query data against more than one resource.

Time Range

Use this option to specify a time range parameter to use in the query.

Visualization

Use this option to choose a specific visualization or choose Set by Query to present the data in a different format.

Size

Use this option to choose the size of the visualization element.

Color Palette

Use this option to choose specific series colors in chart settings.

After you are done customizing the settings and styles, you have to remember to save the step by selecting Done Editing.

Chart visualizations

When you create a query to present the security data as charts, you can customize:
  • Height
  • Width
  • Color Palette
  • Legend
  • Tiles
  • Axis types and series

Parameters

Parameters can be used in your interactive workbook to manipulate the results of the query in different ways. The following parameter types can be created:
  • Text- You can enter arbitrary text.
  • Drop-down- You can modify the appearance of a query step to include a drop-down menu, in which you can select a value from a set of values. In this parameter type you can enter a KQL query or a JSON string to provide the choices for the drop-down list.
  • Options group- You can group multiple properties into group.
  • Time range picker- You can select from prepopulated time ranges or select a custom range.
  • Resource picker- You can select one or more Azure resources.
  • You can select one or more subscription resources.
  • Resource type- You can select one or more Azure resource type values.
  • You can select one or more Azure location values. 

The variables can be reviewed on the Previews section on the New Parameter page that will be displayed and used in the query code. 

Links/Tabs

Links/tabs can be added to customize the navigation in the workbook with tabs, lists, paragraphs, or bullet list. You can also provide the following inputs while adding a new links/tabs step:
  • Text before link- Use this option to display the text before the link is selected.
  • Link text- Use this option to specify the actual text that is displayed in the link.
  • Text after link- Use this option to indicate the text that is displayed after the link is selected.
  • Action- Use this option to specify the action that will be performed when you select the link such as Url, Set a parameter value, and Scroll to a step.
  • Value- Use this option to indicate a value for the link.
  • Settings- Use this option to configure specific settings based on the link type, and support parameter syntax.
  • Context- Use this option to open a new context panel to the side instead of a full view.
  • Style- Use this option to select between Link, Button (primary), Button (secondary) style. 

A new tab can also be added by simply selecting TABS from the Style drop-down menu on the header bar.

Metric steps

Metric steps are used to combine the results of the workbook with metric from different Azure resources. After you are done making all your custom modifications to your workbook, you should save the workbook by selecting Done Editing.

Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more