Azure-Sentinel/Workbooks
v-rucdu 78f62b6b8a
Merge pull request #2748 from IllusiveNetworks-Labs/Illusive
Illusive
2021-08-27 10:32:33 +05:30
..
Images Merge pull request #2748 from IllusiveNetworks-Labs/Illusive 2021-08-27 10:32:33 +05:30
ADXvsLA.json Update ADXvsLA.json 2021-07-29 11:07:05 +02:00
AIA-Darktrace.json updating workbook version 2021-02-15 17:10:17 +00:00
AIVectraDetectWorkbook.json fix account tab to display UPN instead of UserID 2021-05-17 12:12:05 -07:00
ASC-ComplianceandProtection.json Update ASC-ComplianceandProtection.json 2020-10-13 15:28:16 +03:00
AksSecurity.json Updated Workbook json to fix validation error 2021-06-30 10:24:03 +05:30
AlsidIoA.json remove reference to static resource 2021-04-07 13:45:59 +02:00
AlsidIoE.json More explanations about IoEs 2020-11-26 15:57:00 +01:00
AmazonWebServicesNetworkActivities.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
AmazonWebServicesUserActivities.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
AnalyticsEfficiency.json changing the workspace selector 2021-03-22 15:59:41 +02:00
AzDDoSStandardWorkbook.json Azure Firewall/DDoS Workbooks 2020-10-23 11:19:31 -04:00
AzureActiveDirectoryAuditLogs.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
AzureActiveDirectorySignins.json Update AzureActiveDirectorySignins.json 2021-06-22 17:55:16 +03:00
AzureActivity.json fixed AzureActivity 2021-05-12 19:31:16 +03:00
AzureAuditActivityAndSignin.json AzureAuditActivityAndSignin workbook typo fix 2021-06-15 16:47:11 +05:30
AzureFirewall.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
AzureFirewallWorkbook.json Update AzureFirewallWorkbook.json 2021-08-02 09:01:05 -04:00
AzureInformationProtection.json Update InformationProtection.json 2019-10-02 17:31:49 +03:00
AzureKeyVaultWorkbook.json Update KeyVault workbook 2021-02-02 14:11:14 +02:00
AzureNetworkWatcher.json Fix bug 2020-02-04 22:45:23 -08:00
AzurePurview.json Updating Azure Purview workbook based on results from bug bash 2021-08-13 16:45:24 -07:00
AzureSentinelCost.json removing locale in links 2021-06-22 16:52:59 +02:00
AzureSentinelSecurityAlerts.json Update AzureSentinelSecurityAlerts.json 2020-09-15 20:06:56 -07:00
BETTER_MTD_Workbook.json Update BETTER_MTD_Workbook.json 2021-06-09 14:07:26 +02:00
Barracuda.json changes to workbooks 2019-10-22 15:19:16 +03:00
CheckPoint.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
Cisco.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
CiscoMeraki.json Updated w/ IP data 2021-03-09 14:55:53 -06:00
CiscoUmbrella.json Workbooks: first commit 2020-11-27 16:06:22 +02:00
Citrix.json Updated for review feedback 2020-01-13 06:44:35 -08:00
CitrixWAF.json Rename Citrix WAF.json to CitrixWAF.json 2020-08-21 07:06:16 -07:00
CognniIncidentsWorkbook.json Removed unnecessary `union` from queries 2021-02-28 09:20:55 +02:00
CyberArkEPV.json Revert "Revert "CyberArk 31Jul"" (#975) 2020-08-14 15:20:38 -07:00
CyberpionOverviewWorkbook.json Update CyberpionOverviewWorkbook.json 2021-02-03 10:43:55 +02:00
CybersecurityMaturityModelCertification(CMMC).json fixed content 2021-06-02 14:38:23 +03:00
DataCollectionHealthMonitoring.json Update DataCollectionHealthMonitoring.json 2020-11-03 11:12:59 +02:00
Dns.json Makelist Update 2019-11-25 13:05:31 +00:00
DuoSecurity.json Move New Community Content to Proper Location 2021-06-10 10:41:18 -07:00
EventAnalyzer.json Update EventAnalyzer.json 2020-04-12 09:42:43 +03:00
ExchangeCompromiseHunting.json Update fromTemplateId 2021-03-19 15:52:45 -07:00
ExchangeOnline.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
ExtraHopDetectionSummary.json changes to workbooks 2019-10-22 15:19:16 +03:00
F5BIGIPSystemMetrics.json Update F5BIGIPSystemMetrics.json (#695) 2020-05-18 15:46:43 -07:00
F5Networks.json Update F5Networks.json 2019-10-02 14:17:45 +03:00
ForcepointCASB.json updated time range in json file for workbook (#499) 2020-03-18 16:25:55 -07:00
ForcepointCloudSecuirtyGatewayworkbook.json Changes for ForcepointCloudSecurity 2021-01-20 13:15:01 +05:30
ForcepointDLP.json removed the file from azuredeploy.json and added filter to workbook for forcepoint dlp 2020-02-11 20:40:58 +00:00
ForcepointNGFW.json Update workbook queries, add custom timeframe (#500) 2020-03-18 16:27:02 -07:00
Fortigate.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
GitHubSecurityWorkbook.json more fixes 2020-06-10 02:01:38 +00:00
IOT_Alerts.json Fix IoT workbook template bugs 2020-07-09 10:56:03 +03:00
IdentityAndAccess.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
IllusiveADS.json Illusive cef connector (#730) 2020-07-08 15:42:42 -07:00
IllusiveASM.json Illusive cef connector (#730) 2020-07-08 15:42:42 -07:00
IncidentOverview.json Update IncidentOverview.json 2021-05-26 13:38:56 +03:00
InfobloxNIOS.json ACN_CD_InfobloxUpdate (#879) 2020-07-24 11:54:35 -07:00
InsecureProtocols.json Update InsecureProtocols.json 2020-11-24 16:18:34 -05:00
IntsightsIOCWorkbook.json Add filters and update the screenshots 2021-01-18 12:32:09 +02:00
InvestigationInsights.json Add active colour and export to Excel 2020-12-11 15:15:31 +00:00
IoTAssetDiscovery.json updating locale 2021-03-22 17:51:10 +02:00
LinuxMachines.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
M365SecurityPosture.json Adding M365 Security Posture workbook to go with playbook. 2021-05-24 18:03:49 -04:00
MITREAttack.json updated fields in query 2020-10-09 15:43:19 +00:00
MicrosoftCloudAppSecurity.json Update MicrosoftCloudAppSecurity.json 2019-10-10 14:06:56 +03:00
NormalizedNetworkEvents.json Added normalized networking events workbook 2020-09-15 11:52:24 +03:00
Office365.json Fixed typo for label 2021-06-21 18:28:41 +05:30
OktaSingleSignOn.json 2105120010003403-Okta workbook issue 2021-06-24 19:41:05 +05:30
OnapsisAlarmsOverview.json Adding Onapsis Connector and Workbook (#1303) 2020-11-19 20:24:52 -08:00
OneIdentity.json changes to workbooks 2019-10-22 15:19:16 +03:00
OrcaAlerts.json Orca security workbook (#938) 2020-11-25 14:12:03 -08:00
PaloAltoNetworkThreat.json Palo Alto data connector fixes (#1201) 2020-11-16 13:21:17 -08:00
PaloAltoOverview.json Palo Alto Overview Workbook fix (#1256) 2020-11-16 13:06:32 -08:00
Perimeter81OverviewWorkbook.json Perimeter81 (#613) 2020-05-13 07:48:13 -07:00
ProofpointPOD.json Workbooks: first commit 2020-11-27 16:06:22 +02:00
ProofpointTAP.json Added the proofpoint tap workbook back 2021-07-23 11:22:14 +05:30
PulseConnectSecure.json ACNCD_AzureSentinel-DataConnectors (#706) 2020-06-05 14:14:23 -07:00
QualysVM.json ACNCD_Custom_DataConnector_v2 (#729) 2020-06-19 14:00:16 -07:00
README.md Update README.md 2020-01-31 10:59:13 -08:00
SOCProcessFramework.json Update SOCProcessFramework.json 2021-05-20 18:07:57 -06:00
SecurityOperationsEfficiency.json Update SecurityOperationsEfficiency.json 2021-04-12 12:49:29 +03:00
SecurityStatus.json Update SecurityStatus.json (#2231) 2021-04-29 13:22:27 -07:00
SentinelCentral.json Initial release of a Workbook for MSSPs 2021-03-03 14:02:07 +00:00
SharePointAndOneDrive.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
SolarWindsPostCompromiseHunting.json Removed StS refresh sections 2021-01-20 12:28:24 -08:00
SophosXGFirewall.json ACNCD_DataConnectors_final (#767) 2020-07-07 15:25:53 -07:00
SquadraTechnologiesSecRMM.json Corrections requested by Preeti Krishna on D02102020 at 1300 PST 2020-02-10 13:42:40 -08:00
SymantecProxySG.json ACNCD_AzureSentinel-DataConnectors (#706) 2020-06-05 14:14:23 -07:00
SymantecVIP.json ACNCD_AzureSentinel-DataConnectors (#706) 2020-06-05 14:14:23 -07:00
SysmonThreatHunting.json fix master conflicts 2020-07-02 21:05:26 +02:00
ThreatIntelligence.json updated TI workbook query + metadata version 2021-08-12 11:50:10 -07:00
ThycoticWorkbook.json Thycotic (#1372) 2020-12-01 23:54:39 -08:00
TrendMicroDeepSecurityAttackActivity.json changes to workbooks 2019-10-22 15:19:16 +03:00
TrendMicroDeepSecurityOverview.json changes to workbooks 2019-10-22 15:19:16 +03:00
TrendMicroXDROverview.json Fixed typo in TrendMicro XDR 2021-06-18 10:12:04 +05:30
UnifiSG.json Unifi Security Gateway Connector (#1096) 2021-06-01 11:19:21 -07:00
UnifiSGNetflow.json Unifi Security Gateway Connector (#1096) 2021-06-01 11:19:21 -07:00
UserEntityBehaviorAnalytics.json Update UserEntityBehaviorAnalytics.json 2021-06-17 17:06:54 -04:00
UserMap.json Novermber Update. Add more search options for AAD users if 1000 or more have been found 2020-11-12 14:08:49 +00:00
VMwareCarbonBlack.json ACNCD_Custom_DataConnector_v2 (#729) 2020-06-19 14:00:16 -07:00
VirtualMachinesInsights.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
VisualizationDemo.json Update VisualizationDemo.json 2020-07-13 22:22:45 -04:00
WebApplicationFirewallFirewallEvents.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
WebApplicationFirewallGatewayAccessEvents.json remove resource 2020-07-30 18:28:35 +03:00
WebApplicationFirewallOverview.json changed to gallery templates and added AWS 2019-09-23 09:16:01 +03:00
WebApplicationFirewallWAFTypeEvents.json Update WebApplicationFirewallWAFTypeEvents.json 2020-08-19 13:06:48 +03:00
WindowsFirewall.json Fixed typos in the workbooks (#687) 2020-05-28 09:35:10 -07:00
WorkbooksMetadata.json Merge pull request #2836 from libarson/patch-2 2021-08-17 12:11:02 +05:30
WorkspaceAuditing.json Add files via upload 2020-09-28 17:33:38 +13:00
WorkspaceUsage.json Merge pull request #2420 from samikroy/master 2021-07-01 23:57:30 -07:00
ZeroTrust(TIC3.0).json Update ZeroTrust(TIC3.0).json 2021-04-29 06:38:33 -04:00
ZimperiumWorkbooks.json Update ZimperiumWorkbooks.json 2020-02-19 07:10:02 +02:00
ZscalerFirewall.json changes to workbooks 2019-10-22 15:19:16 +03:00
ZscalerOffice365Apps.json changes to workbooks 2019-10-22 15:19:16 +03:00
ZscalerThreats.json changes to workbooks 2019-10-22 15:19:16 +03:00
ZscalerWebOverview.json changes to workbooks 2019-10-22 15:19:16 +03:00
esetSMCWorkbook.json adding Eset SMC parser (#476) 2020-07-08 17:55:11 -07:00
pfsense.json workbook, connector, parsers 2021-03-02 22:23:45 +00:00

README.md

How to contribute new workbook

This assumes you already have a workbook that you want to share as an Azure Sentinel template.
Once this process is completed, Sentinel users will be able to save an instance of your template that will visualize the data in their own workspace.

To learn how to create workbooks - go to workbooks documentation.

  1. Go to your workbook -> edit mode -> advanced editor.

  2. Copy the gallery template.

  3. Add fromTemplateId to your template - this allows us to identify in our telemetry the specific sentinel workbook that was opened. Please be consistent with the format sentinel-"workbookName", for example (in the end of the gallery template):

     "styleSettings": {},
     "fromTemplateId": "sentinel-MyNewWorkbook",
     "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
    
    
  4. Capture 2 screenshots of your workbook - in dark and light theme (this will eventually be the preview images displayed in the workbooks blade).

Step 2 - Create a pull request to this repository

This pull request will contain:

  • The screenshots of your workbook. Place them under workbooks/images/preview.
    Please be consistent with the filename conventions - the dark theme filename should contain the word "black" and the light theme image should contain the word "white".

  • The gallery template json of your workbook. Place it directly under workbooks directory.

  • (optional) A logo that you want the workbook to display. Place it under workbooks/images/logos - if not supplied - it will be the generic workbooks logo.
    This logo should be in SVG format.

  • Change workbooksMetadata.json file, so that it will contain a new section, which will include:

    {
     "workbookKey": "YourWorkbookKey", // in the format of "<Name>Workbook" - not important what exactly is the name, just make sure it is unique and related to the workbook, for example PaloAltoOverviewWorkbook
    
     "logoFileName": "",//If you added logo - its name goes here
    
     "description": "description of the workbook.", // Will be displayed on the workbooks blade next to the logo and preview images
    
     "dataTypesDependencies": [ "Datatype" ],//The data type(s) that your workbook queries
    
     "dataConnectorsDependencies": [],//Relevant connectors
    
     "previewImagesFileNames": [ ],//The relative path of the preview images you saved under workbooks/images/previews
    
     "version": "1.0", // if this is a new workbook - this should be "1.0"
    
     "title": "Workbook title",//This should be the name of the workbook which will be displayed in the main workbooks blade - for example "Palo Alto overview"
    
     "templateRelativePath": "MyNewWorkbook.json",//The relative path of the JSON of the template (the gallery template you saved) 
    
     "subtitle": "",
    
     "provider": "Microsoft" //The provider of the workbook
     }
    
    

Here is an example of the JSON of Palo Alto workbook:

   {
  "workbookKey": "PaloAltoOverviewWorkbook",
  "logoFileName": "paloalto_logo.svg",
  "description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.",
  "dataTypesDependencies": [ "CommonSecurityLog" ],
  "dataConnectorsDependencies": [ "PaloAlto" ],
  "previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ],
  "version": "1.1",
  "title": "Palo Alto overview",
  "templateRelativePath": "PaloAltoOverview.json",
  "subtitle": "",
  "provider": "Microsoft"
  },

After this PR is approved and completed, every 2 weeks the workbooks in Sentinel will be synced with the ones in github.

How to update an existing workbook

Just create a pull request to this repository in which you change the version of the relevant workbook in the WorkbooksMetadata.json file and change the relevant JSON of the workbook you would like to update. If needed, also update the preview images or the data types.

For any feedback on the instructions Open an issue