In this guide, we will share with you how to import, export, and share workbooks in Microsoft Sentinel.
Table of Contents
Microsoft Sentinel
Microsoft Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Workbooks is one of many features included in Microsoft Sentinel that falls under Threat Management, which you must consider for visualizing your data in Sentinel more effectively.
The good news is that all the different workbook Templates shown in the figure below are pulled live from the Microsoft Sentinel GitHub repository, which I highly encourage you to check out. At the time of this writing, there are 71 templates ready to use. Microsoft is constantly adding new templates.
Additionally, you can also contribute and build your custom workbooks. What if you want to import and export workbooks and share them with others?
Prerequisites
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Log Analytics workspace – To create a new workspace, follow the instructions here Create a Log Analytics workspace.
3) Microsoft Sentinel – To enable Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here.
4) Available data in your Microsoft Sentinel/Log Analytics workspace.
Import workbooks
To import workbooks in Microsoft Sentinel, take the following steps:
1) Open Azure Portal and sign in with a user who has Microsoft Sentinel and Azure Workbooks Contributor permissions.
2) Click All services found in the upper left-hand corner. In the list of resources, type Microsoft Sentinel. As you begin typing, the list filters based on your input.
3) Click on Microsoft Sentinel and then select the desired Workspace.
4) From Microsoft Sentinel’s sidebar, select Workbooks under the Threat Management section and then click “+ Add workbook“.
5) Click the Edit button by pressing the pen button as shown in the figure below.
6) Then click on this button “</>” to enter the Advanced Editor.
7) Please delete all the current JSON info Template.
8) For this example, we will use a published template on GitHub called (User Map): https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/UserMap.json
9) Click the RAW button, then select all the text (CTRL+A), then copy it (CTRL+C).
10) Then back to Microsoft Sentinel paste it (CTRL+V) into the Advanced Editor. Press the Apply button, adjust the workbook settings based on your needs, and then click Save.
11) Give the Workbook a descriptive title, choose where to save the report (Save To), the desired Subscription, the Resource group name, and the Location. If you want to let others in your organization use the workbook, then under Save To select “Shared reports“. If you want this workbook to be available only to you, select “My reports“. Then click Save again.
Once the workbook is imported, you will see it under the My Workbooks tab as shown in the figure below. You can use it by clicking on ‘View saved workbook‘, ‘View template‘, or ‘Delete‘ it.
Export workbooks
To export workbooks in Microsoft Sentinel, take the following steps:
1) Open Azure Portal and sign in with a user who has Microsoft Sentinel and Azure Workbooks Contributor permissions.
2) Click All services found in the upper left-hand corner. In the list of resources, type Sentinel. As you begin typing, the list filters based on your input.
3) Click on Microsoft Sentinel and then select the desired Workspace.
4) From Microsoft Sentinel’s sidebar, select Workbooks under the Threat Management section and then choose the desired workbook that you want to export.
5) Once the workbook page opens, click on the Edit button by pressing the pen button as shown in the figure below.
6) Then click on this button “</>” to enter the Advanced Editor.
7) Then select all the text (CTRL+A) under Gallery Template which is in JSON format, and then copy it (CTRL+C) as shown in the figure below.
8) You can also download the template by pressing the download button as shown in the figure below. The ‘Gallery Template‘ will download the file as .workbook and the ‘ARM Template‘ will be a JSON file. The content of the file is similar to the template shown in the previous step.
9) Open the JSON template with your favorite editor such as Visual Studio Code, and then push it to the GitHub or to Azure DevOps private repository.
Related: Manage Security Content as Code with Microsoft Sentinel.
10) Once you finish click Cancel.
You can repeat the same steps described above to import the workbook.
Sharing workbooks
You can also share workbooks with other users in three simple steps:
1) Select the desired workbook that you want to share from the list of workbooks and then click ‘View saved workbook‘.
2) Once the workbook page opens, click on the share button, then you get a link with the name ‘Share a link to this report‘ on the right-hand side as shown in the figure below.
3) This will give you a link URL that can be shared with other users, however, in order to access that URL, that person must have an Azure account, and must have Microsoft Sentinel Workbook Reader access. Otherwise, they won’t be able to see it. This is not an authenticated link, they need to have a login with sufficient permissions to be able to see that URL.
4) You can also share the link via email which will open the mail app on your machine to send it.
There you have it! Happy Import, Export, and Share Workbooks in Microsoft Sentinel.
Summary
In this article, we showed you how to import and export workbooks in Microsoft Sentinel, so you can work with workbooks more effectively and share with other team members in your organization.
The power of Microsoft Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data through alerts from different security providers, such as Microsoft Defender for Cloud or other Microsoft Defender solutions, as well as other third-party solutions.
Additional resources I highly encourage you to check:
- To learn about Microsoft Sentinel, check the official documentation from Microsoft.
- To learn about Workbooks, check the Microsoft Sentinel Workbooks 101 guide.
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
