Investigation Insights Workbook IP address Search
Is there a way to roll back to a previous version of the investigation insights workbook? The new workbook from the content hub no longer allows you to enter an IP address without selecting entities and then IP addressees from the entity list. This was really useful when wanting to just search on an IP address that was suspect and related IOCs, Account sign in etc. Please provide suggestions for either rolling back the Investigation Insights workbook or other ways to achieve the same.
Workbook with multiple visualizations using lowest number of queries
Coming from Splunk world and didn't found answer to this in the workbook documentation. Is it possible to chains searches, like in Splunk, explained here: https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/dsChain Trying to explain in KQL terms: suppose there are 3 very similar queries, like same base search | condition 1 same base search | condition 2 same base search | condition 3 feeding 3 vizualizations. Goal is to execute the "same base search" part only once in the workbook. Defining a new function for "same base search" still means 3 executions, I guess. Your response is appreciated. Thank you.
Sentinel workbook
We are creating a workbook to list all the active analytics rules with the source table name. We are able to list the analytics rules using Azure resource manager API but unable to display source table name of the rules. Please suggest Also, trying to display the list of analytics rules with zero incident created.Sentinel Log Sources or asset list Information
In Sentinel as like any other SIEM, how do we get the complete list of log sources which are integrated along with some required fields like Device Vendor, Device Product, Host name/Computer, IP address. Is there any workbook or KQL which provides this information.
Need guidance in designing a workbook and function app with api keys
My requirement is to have a workbook that calls our product's apis and visualizes the data. The data to be visualized is divided into many widgets about 6-8 in total. Hence, I am thinking of creating a http trigger function app when the workbook is loaded. This function app will be provided the context of our product's url, api key, api secret, org_id as environment variables. These params will be provided by customer who deploys the solution. Then, the function app uses the api key, api secret to make a GET call to the product URL. Note this is an outbound connection to a URL. The api call is to fetch objects from an endpoint, il store this response in a _CL table. But I dont want this table to grow in size with each call to the custom endpoint defined by function app. Instead, I want the row to be updated with new response when workbook is loaded again. I don't know if a custom table is ideal for this or maybe there is a different solution? Do please let me know your opinion.
User location in Security Alerts/Incidents logs
Dear Community, I´ve been struggling to find a way to pull out location information for user in security incidents logs. The idea is to have this details on alerts and incidents to generate dashboards (workbooks) and reports. Would you be able to enlight me with ideas/insights? Thanks in advance for your help.
