-
Notifications
You must be signed in to change notification settings - Fork 3.1k
Investigation Insights Overview
Resource | Link | Notes |
---|---|---|
Blog article | https://techcommunity.microsoft.com/t5/azure-sentinel/announcing-the-investigation-insights-workbook/ba-p/1816903 | |
Source | https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/InvestigationInsights.json | Remember to open in RAW mode, before you Copy & Paste |
The Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities. The workbook leverages multiple data sources to provide detailed views of frequently used information during the analysis of an incident.
Detailed help on this workbook is maintained at the Azure Sentinel Github Wiki.
The workbook is broken up into 2 main sections, Incident Insights and Entity Insights.
The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information.
The Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types:
- IP Address
- Account
- Host
- URL
This workbook can be configured using the parameters at the top of the workbook. Some of these parameters are only available in Edit mode.
Parameter | Description |
---|---|
Subscription | Select the Azure subscription where your Azure Sentinel instance resides |
Workspace | Select the Azure Log Analytics workspace where your Azure Sentinel data resides |
TimeRange | Select the time window you want to Investigate |
Investigate by | Investigate by Incident allows you to view Sentinel incident data and investigate by entity, Investigate by Entity allows you to proceed directly to entering the entity data manually for your investigation |
Show Incident Trend | Use this toggle, to see additonal data about the Trends over the past (TimeRange), compared to the last 24hours. |
Help | Turn on/off this help data, Turn on/off the change log |
DefaultUPNSuffix | This parameter is used when the entity data does not include a UPN suffix, the value of this parameter will be the assumed suffix |
AlertID | This parameter should be left blank and is hidden when using the workbook |
EntityData | This parameter should be left blank and is hidden when using the workbook |
EntityType | This parameter should be left blank and is hidden when using the workbook |
This workbook leverages a number of different data sources. Most of these data sources are not required for this workbook to function but elements of the workbook may not function if data sources are missing. Our detailed help located on GitHub includes additional information about which data sources are required for specific capabilities of this workbook.
Data Source | Type | Data Connector |
---|---|---|
Azure Resource Graph | api | Not Applicable |
AuditLogs | table | Azure Active Directory |
AWSCloudTrail | table | Amazon Web Services |
AzureActivity | table | Azure Activity |
CommonSecurityLog | table | Multiple Connectors |
DnsEvents | table | DNS |
OfficeActivity | table | Office 365 |
ProtectionStatus | table | Azure Security Center with Microsoft Monitoring Agent |
SecurityAlert | table | Multiple Connectors |
SecurityBaseline | table | Azure Security Center with Microsoft Monitoring Agent |
SecurityBaselineSummary | table | Azure Security Center with Microsoft Monitoring Agent |
SecurityEvent | table | Security Events |
SecurtityIncident | table | Not Applicable |
SigninLogs | table | Azure Active Directory |
ThreatIntelligenceIndicator | table | Threat Intelligence (Platforms and/or TAXII) |
UpdateSummary | table | Azure Security Center with Microsoft Monitoring Agent |
Update | table | Azure Security Center with Microsoft Monitoring Agent |
VMConnection | table | Azure Monitor VM Insights |
W3CIISLog | table | Microsoft Monitoring Agent |
WindowsFirewall | table | Windows Firewall |
- Ingest Custom Logs via REST API