Learning Path 9 - Lab 1 - Exercise 9 - Create workbooks
Lab scenario

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. Once you have connected your data sources to Microsoft Sentinel, you can visualize and monitor the data using the Microsoft Sentinel adoption of Azure Monitor Workbooks, which provides versatility in creating custom dashboards.
Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.
Important: The lab exercises for Learning Path #9 are in a standalone environment. If you exit the lab before completing it, you will be required to re-run the configurations.
Estimated time to complete this lab: 30 minutes
Task 1: Explore workbook templates
In this task, you will explore the Microsoft Sentinel workbook templates.
Note: Microsoft Sentinel has been predeployed in your Azure subscription with the name defenderWorkspace, and the required Content Hub solutions have been installed.
- Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.
- Open the Microsoft Edge browser.
- In the Edge browser, navigate to Defender XDR at https://security.microsoft.com.
- In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.
- In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.
  Note: You may be prompted to enter the Temporary Access Pass (TAP) instead of a password. This is also provided in the resources tab. If prompted, copy and paste the TAP value and select Sign in.
- In the Microsoft Defender navigation menu, scroll down and expand the Microsoft Sentinel section.
- Expand the Threat Management section and select Workbooks.
- Select the Templates tab, and search for and select the Azure Activity template workbook.
- In the right details pane, scroll down and select the View template button.
- Review the contents of the workbook. It shows insights into your Azure subscription operations by collecting and analyzing the data from the Activity Log.
- Return to the **Microsoft Sentinel Threat management Workbooks** page in the Defender XDR navigation menu.
Task 2: Save and modify a workbook template
In this task, you will save a workbook template and modify it.
- Select the Templates tab, and select the Azure Activity workbook.
- Scroll down again and select the Save button in the Azure Activity workbook details pane.
- Leave East US as the default value for Region and select OK.
- Select the View saved workbook button.
- Select Edit in the command bar to enable changes in the workbook.
- Scroll down to the Caller activities area and note the color of the Activities column, since we are going to format those columns. Select the Edit button below the grid.
- Select the Vertical layout button, which is located to the right of the Run Query command bar. Hint: This button only appears if there is data from the KQL query.
- Select the Visual Formatting tab in the command bar; it is the bar chart icon.
- In the Visualization settings, expand Column settings.
- In the Columns list, select Activities.
- Change the value for Column renderer to Heatmap. For Color palette, scroll down to select Categorical.
- Notice the change in the Activities column.
- Select Done Editing at the bottom of the query (not the top menu).
- Now select Done Editing at the top menu, and then select the Save icon.
- Return to the **Microsoft Sentinel Threat management Workbooks** page in the Defender XDR navigation menu.
- You should see your new workbook under the My workbooks tab with the name Azure Activity.
Task 3: Create a Workbook
In this task, you will create a new workbook with advanced visualizations.
- You should be back at the Workbooks area of Microsoft Sentinel.
- Select + Add workbook to create a new workbook from scratch.
  Note: Although it is a new workbook, a startup template is used.
- To edit the workbook, select Edit from the top, main menu.
- Select the Edit button next to the paragraph of the workbook.
- Type # My workbook in a new line on top of ## New workbook.
- Select Done Editing on the bottom of this section, Editing text item: text - 2. Notice that the header increased in size and its name changed.
- Select Edit next to the only visible bar chart graph.
- Review the KQL statement that provides a union statement of counts across all tables.
- Scroll down and select Cancel on the bottom menu, for the Editing query item: query - 2.
- Select the dropdown arrow next to the Edit button of the bar chart graph, then select + Add, then select Add data source + visualization.
- Type SecurityEvent into the query box.
- Change the Time Range to Last hour.
- Change the Visualization to Time chart.
- Select the Visual Formatting tab in the command bar; it is the bar chart icon.
- Scroll down and select Size under Layout Settings.
- Select the Make this item a custom width box.
- Set the Percent width to 25 and Maximum width to 25.
- Now select the Advanced Settings tab from the query’s command bar.
- Select the Show refresh icon when not editing box.
- Scroll down and select Done Editing on the bottom menu, for the new Editing query item: query - 2.
- Scroll down and at the bottom of the workbook select + Add, then select Add data source + visualization.
- Type SecurityEvent into the query box.
- Change the Time Range to Last hour.
- Change the Visualization to Grid.
- Select the Visual Formatting tab in the command bar; it is the bar chart icon.
- Scroll down and select Size under Layout Settings.
- Select the Make this item a custom width box.
- Set the Percent width to 75 and Maximum width to 75.
- Scroll down and select Done Editing on the bottom menu, for the new Editing query item: query - 3.
- Select Done Editing in the Workbook’s top command bar.
- Select the Save icon.
- In the popup box, change the Title to My Workbook.
- Leave other values as default.
- Select Apply to commit the changes.
- Return to the **Microsoft Sentinel Threat management Workbooks** page in the Defender XDR navigation menu.
- Back in the Workbooks page, select the My workbooks tab.
- Select the workbook you just created, My workbook.
- On the right pane, select View saved workbook to review your workbook.