
Import, Export, and Share Workbooks in Microsoft Sentinel – A Comprehensive Guide


In this guide, we will share with you how to import, export, and share workbooks in Microsoft Sentinel.

Microsoft Sentinel

Microsoft Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Workbooks are one of the many features included in Microsoft Sentinel. They fall under Threat Management, and you must consider them for visualizing your data in Sentinel more effectively.


The good news is that all the different workbook templates shown in the figure below are pulled live from the Microsoft Sentinel GitHub repository, which I highly encourage you to check out. At the time of this writing, there are 71 templates ready to use, and Microsoft is constantly adding new ones.


Additionally, you can also contribute and build your custom workbooks. What if you want to import and export workbooks and share them with others?

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Log Analytics workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.

3) Microsoft Sentinel – To enable Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here.

4) Available data in your Microsoft Sentinel/Log Analytics workspace.

Import workbooks

To import workbooks in Microsoft Sentinel, take the following steps:

1) Open Azure Portal and sign in with a user who has Microsoft Sentinel and Azure Workbooks Contributor permissions.

2) Click All services found in the upper left-hand corner. In the list of resources, type Microsoft Sentinel. As you begin typing, the list filters based on your input.

3) Click on Microsoft Sentinel and then select the desired Workspace.

4) From Microsoft Sentinel’s sidebar, select Workbooks under the Threat Management section and then click “+ Add workbook”.


5) Click the Edit button by pressing the pen button as shown in the figure below.


6) Then click on this button “</>” to enter the Advanced Editor.


7) Delete all the JSON that is currently in the template.


8) For this example, we will use a published template on GitHub called (User Map): https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/UserMap.json

9) Click the RAW button, then select all the text (CTRL+A), then copy it (CTRL+C).


10) Then, back in Microsoft Sentinel, paste it (CTRL+V) into the Advanced Editor. Press the Apply button, adjust the workbook settings based on your needs, and then click Save.


11) Give the Workbook a descriptive title, choose where to save the report (Save To), the desired Subscription, the Resource group name, and the Location. If you want to let others in your organization use the workbook, then under Save To select “Shared reports”. If you want this workbook to be available only to you, select “My reports”. Then click Save again.


Once the workbook is imported, you will see it under the My Workbooks tab as shown in the figure below. You can use it by clicking on ‘View saved workbook’, ‘View template’, or ‘Delete’ it.


Export workbooks

To export workbooks in Microsoft Sentinel, take the following steps:

1) Open Azure Portal and sign in with a user who has Microsoft Sentinel and Azure Workbooks Contributor permissions.

2) Click All services found in the upper left-hand corner. In the list of resources, type Sentinel. As you begin typing, the list filters based on your input.

3) Click on Microsoft Sentinel and then select the desired Workspace.

4) From Microsoft Sentinel’s sidebar, select Workbooks under the Threat Management section and then choose the desired workbook that you want to export.

5) Once the workbook page opens, click on the Edit button by pressing the pen button as shown in the figure below.


6) Then click on this button “</>” to enter the Advanced Editor.

7) Then select all the text (CTRL+A) under Gallery Template which is in JSON format, and then copy it (CTRL+C) as shown in the figure below.


8) You can also download the template by pressing the download button as shown in the figure below. The ‘Gallery Template’ will download the file as .workbook and the ‘ARM Template’ will be a JSON file. The content of the file is similar to the template shown in the previous step.


9) Open the JSON template with your favorite editor, such as Visual Studio Code, and then push it to GitHub or to an Azure DevOps private repository.

Related: Manage Security Content as Code with Microsoft Sentinel.

10) Once you finish, click Cancel.

You can repeat the same steps described above to import the workbook.
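
Before pasting a template copied from GitHub into the Advanced Editor (import steps 8 to 10), or pushing an exported one to a repository (export step 9), it helps to see which KQL queries it will run and which resource IDs and URLs it embeds. The sketch below is an added example, not code from the original article or from Microsoft; it assumes the Gallery Template layout (nested `items`, queries stored under a `query` key, `fallbackResourceIds`), and `audit_workbook` and the sample workbook are constructed for illustration.

```python
import json
import re

# ARM resource IDs embed the subscription GUID, resource group and workspace name.
RESOURCE_ID = re.compile(r"/subscriptions/[0-9a-fA-F-]{36}[^\s\"',)]*")
URL = re.compile(r"https?://[^\s\"')\]]+")

# Constructed sample in the Gallery Template layout (not a real workbook).
SAMPLE = json.dumps({
    "version": "Notebook/1.0",
    "items": [
        {"type": 1, "name": "intro",
         "content": {"json": "## Sign-ins ([runbook](https://wiki.example.com/soc))"}},
        {"type": 9, "name": "params", "content": {"parameters": [
            {"name": "User", "type": 2,
             "query": "SigninLogs | distinct UserPrincipalName"}]}},
        {"type": 12, "name": "group", "content": {"items": [
            {"type": 3, "name": "map", "content": {
                "version": "KqlItem/1.0",
                "query": "SigninLogs | summarize count() by Location"}}]}},
    ],
    "fallbackResourceIds": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-soc"
        "/providers/microsoft.operationalinsights/workspaces/law-soc"],
})


def audit_workbook(text):
    """Collect KQL queries, embedded resource IDs and URLs from workbook JSON."""
    report = {"queries": [], "resource_ids": set(), "urls": set()}

    def walk(node, owner):
        if isinstance(node, dict):
            owner = node.get("name", owner)  # nearest named item or parameter
            for key, value in node.items():
                if key == "query" and isinstance(value, str) and value.strip():
                    report["queries"].append((owner, value))
                walk(value, owner)  # descends into groups and parameter lists
        elif isinstance(node, list):
            for child in node:
                walk(child, owner)
        elif isinstance(node, str):
            report["resource_ids"].update(RESOURCE_ID.findall(node))
            report["urls"].update(URL.findall(node))

    walk(json.loads(text), "workbook")
    return report


if __name__ == "__main__":
    result = audit_workbook(SAMPLE)
    for owner, query in result["queries"]:
        print(f"[query] {owner}: {query}")
    for value in sorted(result["resource_ids"] | result["urls"]):
        print(f"[embedded] {value}")
```

Read each listed query before clicking Apply, and replace or remove environment-specific resource IDs before the exported file leaves your tenant.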

Sharing workbooks

You can also share workbooks with other users in three simple steps:

1) Select the desired workbook that you want to share from the list of workbooks and then click ‘View saved workbook’.

2) Once the workbook page opens, click the share button. A link named ‘Share a link to this report’ appears on the right-hand side, as shown in the figure below.


3) This gives you a URL that can be shared with other users. However, to open that URL, the recipient must have an Azure account and must have Microsoft Sentinel Workbook Reader access; otherwise, they won’t be able to see the workbook. The link itself carries no authentication: the recipient has to sign in with an account that has sufficient permissions to see that URL.

4) You can also share the link via email which will open the mail app on your machine to send it.

There you have it! Happy importing, exporting, and sharing workbooks in Microsoft Sentinel.

Summary

In this article, we showed you how to import and export workbooks in Microsoft Sentinel, so you can work with workbooks more effectively and share with other team members in your organization.

The power of Microsoft Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data through alerts from different security providers, such as Microsoft Defender for Cloud or other Microsoft Defender solutions, as well as other third-party solutions.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
