Workbooks
Workbook Overview
Azure Workbooks are interactive, customizable reports that help security analysts visualize and analyze security-related data. Workbooks can aggregate data from multiple sources, allowing analysts to identify patterns, investigate anomalies, and respond to security threats more effectively.
Key Features of Workbooks
Data Integration: Pull in data from Log Analytics, Azure Security Center, Azure Sentinel, and other data sources.
Querying Capabilities: Use Kusto Query Language (KQL) to write complex queries for detailed data analysis.
Flexible Visualizations: Create charts, tables, and graphs to visualize data effectively.
Templates: Leverage pre-built templates for common security scenarios and customize them as needed.
Workbook Setup
Step 1: Access Azure Monitor
Log in to Azure Portal: Go to Azure Portal and log in with your credentials.
Navigate to Azure Monitor: Use the search bar at the top to search for "Azure Monitor" and select it from the results.
Step 2: Open Workbooks
Go to Workbooks: In the Azure Monitor overview pane, select Workbooks under the Insights section.
Step 3: Create a New Workbook
Create a New Workbook:
Click on the New button to start creating a new workbook.
Step 4: Add and Customize Content
Add a Text Block:
Click on the Add button and select Text.
Use this block to add descriptions, titles, or any textual content.
Example: Title: "Security Event Monitoring", Description: "This workbook provides insights into security-related events."
Add a Query Control for Failed Logins:
Click on the Add button and select Query.
Select the data source (e.g., Log Analytics) and write your KQL query to fetch the data.
Example Query:
Visualize this data using a time chart to show failed login attempts over time.
Add a Query Control for Successful Logins:
Add another query block with this KQL query:
Visualize this data using a bar chart to show successful login attempts.
Add a Query Control for High-Severity Alerts:
Add a query block with this KQL query:
Visualize this data using a pie chart to show the distribution of high-severity alerts.
Add Parameters for Filtering:
Click on the Add button and select Parameter to create dynamic inputs for your queries.
Define the parameter type (e.g., dropdown for time range, text box for specific account names) and link it to your queries.
Step 5: Configure and Customize Workbook
Arrange and Format:
Drag and drop the elements to arrange them in your workbook.
Use the formatting options to customize the appearance of your text, queries, and visualizations.
Save the Workbook:
Click on the Save button.
Provide a name, description, and save it in a specific resource group or subscription.
Step 6: Share and Collaborate
Set Permissions:
Go to the Access Control (IAM) section of your workbook and configure permissions to share the workbook with your team.
Share Link:
You can also share the workbook by providing a direct link to it within the Azure Portal.
Example Security Event Workbook Scenario
Let’s create a basic workbook to monitor security events like failed logins, successful logins, and high-severity alerts.
Add Text:
Add a title "Security Event Monitoring" and a description: "This workbook provides insights into failed and successful login attempts, as well as high-severity security alerts."
Add Failed Login Attempts Query:
Add a query block and use the following KQL query:
Visualize this data using a time chart.
Add Successful Login Attempts Query:
Add another query block with this KQL query:
Visualize this data using a bar chart.
Add High-Severity Alerts Query:
Add another query block with this KQL query:
Visualize this data using a pie chart.
Save and Share:
Save the workbook and share it with your team.
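The three query controls described in Step 4 and again in the scenario above (failed sign-ins on a time chart, successful sign-ins on a bar chart, high-severity alerts on a pie chart) are shown here as one added KQL example. This is not query text from the original page; it assumes a Log Analytics workspace that receives Microsoft Entra ID sign-in logs (the SigninLogs table) and security alerts (the SecurityAlert table), and it assumes two workbook parameters named TimeRange (a time range picker) and Account (an optional text box) that the reader creates in the Parameters step. Each section of the block is pasted into its own query control.

```kql
// ---------------------------------------------------------------
// Query control 1: failed sign-ins over time (visualize as Time chart)
// {TimeRange} and {Account} are assumed workbook parameter names;
// workbooks substitute their values into the query text before it runs.
// ---------------------------------------------------------------
SigninLogs
| where TimeGenerated {TimeRange}
// In SigninLogs, ResultType "0" means success; anything else is a failure
| where ResultType != "0"
// Optional filter: leave the Account text box empty to see all users
| where isempty("{Account}") or UserPrincipalName =~ "{Account}"
| summarize FailedAttempts = count() by bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// ---------------------------------------------------------------
// Query control 2: successful sign-ins per user (visualize as Bar chart)
// ---------------------------------------------------------------
SigninLogs
| where TimeGenerated {TimeRange}
| where ResultType == "0"
| where isempty("{Account}") or UserPrincipalName =~ "{Account}"
| summarize SuccessfulLogins = count() by UserPrincipalName
// Keep the chart readable by showing only the ten most active accounts
| top 10 by SuccessfulLogins desc

// ---------------------------------------------------------------
// Query control 3: distribution of high-severity alerts (visualize as Pie chart)
// SecurityAlert is populated by Defender for Cloud / Sentinel alert connectors
// ---------------------------------------------------------------
SecurityAlert
| where TimeGenerated {TimeRange}
| where AlertSeverity == "High"
| summarize AlertCount = count() by AlertName
| order by AlertCount desc

// ---------------------------------------------------------------
// Alternative for workspaces that collect Windows security events instead
// of Entra sign-in logs (SecurityEvent table): 4625 = failed logon,
// 4624 = successful logon. Swap these in for controls 1 and 2.
// ---------------------------------------------------------------
SecurityEvent
| where TimeGenerated {TimeRange}
| where EventID in (4625, 4624)
| extend Outcome = iff(EventID == 4625, "Failed", "Succeeded")
| summarize Attempts = count() by Outcome, bin(TimeGenerated, 1h)
| order by TimeGenerated asc
```

When the Account parameter is empty, the `isempty("{Account}")` clause is true for every row, so the filter is a no-op; when a user principal name is typed in, only that account's rows remain. Selecting the matching visualization (Time chart, Bar chart, Pie chart) in each query control's Visualization drop-down reproduces the layout the steps above describe.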