Tutorial: Visualize and monitor your data
Once you have connected your data sources to Azure Sentinel, you can visualize and monitor the data using the Azure Sentinel adoption of Azure Monitor Workbooks, which provides versatility in creating custom dashboards. While the Workbooks are displayed differently in Azure Sentinel, it may be useful for you to see how to create interactive reports with Azure Monitor Workbooks. Azure Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.
This tutorial helps you visualize your data in Azure Sentinel.
- Use built-in workbooks
- Create new workbooks
- You must have at least Workbook reader or Workbook contributor permissions on the resource group of the Azure Sentinel workspace.
The workbooks that you can see in Azure Sentinel are saved within the Azure Sentinel workspace's resource group and are tagged by the workspace in which they were created.
Use built-in workbooks
Go to Workbooks and then select Templates to see the full list of Azure Sentinel built-in workbooks. To see which are relevant to the data types you have connected, the Required data types field in each workbook will list the data type next to a green check mark if you already stream relevant data to Azure Sentinel.
Click View template to see the template populated with your data.
To edit the workbook, select Save, and then select the location where you want to save the JSON file for the template.
This creates an Azure resource based on the relevant template and saves the JSON file of the workbook and not the data.
Select View saved workbook. Then, click the Edit button at the top. You can now edit the workbook and customize it according to your needs. For more information on how to customize the workbook, see how to Create interactive reports with Azure Monitor Workbooks.
After you make your changes, you can save the workbook.
You can also clone the workbook: Select Edit and then Save as, making sure to save it with another name, under the same subscription and resource group. These cloned workbooks are displayed under the My workbooks tab.
Create new workbook
Go to Workbooks and then select Add workbook to create a new workbook from scratch.
To edit the workbook, select Edit, and then add text, queries, and parameters as necessary. For more information on how to customize the workbook, see how to Create interactive reports with Azure Monitor Workbooks.
When building a query, make sure the Data source is set to Logs and Resource type is set to Log Analytics, and then choose the relevant workspace(s).
After you create your workbook, save the workbook, making sure you save it under the subscription and resource group of your Azure Sentinel workspace.
If you want to let others in your organization use the workbook, under Save to select Shared reports. If you want this workbook to be available only to you, select My reports.
To switch between workbooks in your workspace, you can select Open in the top pane of any workbook. On the window that opens to the right, switch between workbooks.
How to delete workbooks
To delete a saved workbook (either a saved template or a customized workbook), in the Workbooks page, select the saved workbook that you want to delete and select Delete. This will remove the saved workbook.
This removes the workbook resource as well as any changes you made to the template. The original template will remain available.
In this tutorial, you learned how to visualize your data in Azure Sentinel, using Azure Workbooks.
To learn how to automate your responses to threats, see Set up automated threat responses in Azure Sentinel.