Microsoft Sentinel Workbooks that All SOCs Should Have.

March 8, 2021|Nate Ruzicka

01-azure-sentinel-workbooks-that-all-socs-should-have

Get more value out of your data for free with Workbooks.

Microsoft Sentinel Workbooks allow security analysts and admins to view data about security in their environment using graphical displays. This is a powerful tool because any data that can be queried can now also be displayed in an easy-to-understand graphical format.

Charts like the example above can tell us information like which MITRE tactics are most common in our environment. This information is useful for determining what information security areas and controls our cybersecurity team needs to focus on. Workbooks display information that would normally be too technical to feasibly display to most other users in a very understandable format.

In this blog, we highlight some of our favorite Microsoft Sentinel Workbooks that security analysts and admins can use to view their data. All these Workbooks are publicly available and can be used as long as there is sufficient data available in the environment for the user to query. For privacy reasons the data displayed in this blog will be from a testing environment.

CMMC

The Cybersecurity Maturity Model Certification framework uses a maturity model to determine the level of security in an organization. The CMMC Workbook has both the description of each maturity level and has graphical displays of the current security in the Microsoft environment to help with determining if it meets the security requirements for the different maturity levels.

Workspace Auditing

This Workbook goes over data about the log analytic workspaces that each Microsoft Sentinel instance is connected to. There are tabs that go over who is querying the workspace and how often. This can be used both for tracking advanced hunting activity and seeing what kind of information is being searched for the most.

There is also a “CRUD Operations” tab that has information about all the create, read, update, and delete activity that is happening on the workspace. This is useful for seeing what kind of administrative activity is happening in the workspace and who is taking these actions.

Data Collection Health Monitoring

This Workbook collects metadata about the type of data that is being collected in each Log Analytic Workspace. This is useful for determining features of incoming data like the volume of data, type of data, and frequency that data appears. There is also a tab for anomalous data, which is useful for investigating unusual floods or droughts of expected data based on how much was collected historically.

Investigation Insights

This Workbook is focused on Sentinel incident investigations and what happened during those incidents. An incidents timeline and a list of incidents that happened over the set time are available in the top section. An incident can be selected from the list to view additional details about the incident like the alerts associated with it. Near the bottom of the Workbook there is also a section called “Entity Insights” where the user can search for incidents that have a specific IP address, account, host, URL, or file hash associated with it.

User & Entity Behavior Analytics

The UEBA feature is a recent addition to Microsoft Sentinel that allows it to track unusual user behavior and raise alerts based on that unusual behavior. The Workbook based on UEBA takes information from the behavior analytics and displays it in the form of interactive charts. A list of users that have been showing suspicious behavior in the timeframe is listed near the top of the Workbook, and each of them can be selected to view what kind of unusual or suspicious behavior that user has been up to.

We will continue to share best practices and lessons learned in future posts on monitoring data using Microsoft Sentinel Workbooks in customer environments. Massive amounts of data and analytics are being collected constantly, and Microsoft Sentinel Workbooks are going to continue to be a handy tool for turning that raw data into useful information.

In closing, consider these three questions when using Microsoft Sentinel Workbooks in your organization:

Are we having issues understanding and communicating the insights from the data we are collecting?

What kind of information are we having trouble finding and can we use Workbooks to help with finding it?

Do we have any query writing experts on our team that could help us customize and create our own Workbooks?

How Can We Help?

Main Contact Form

First Name

Last Name

Company Email

Company Name

Work Phone

Country

How can we help?

Additional Information

By checking this box, you consent to CyberMSI using the information you provided to subscribe you to communications and content from CyberMSI and its partners relevant to your request. Such communications may be in the form of email, phone, or postal service. You may unsubscribe at any time. CyberMSI respects your privacy: for additional details on how CyberMSI uses and protects your information, click here to view our Privacy Policy.