title: View aggregated data from the Overview | Microsoft Sentinel
3
3
description: Learn how to quickly view and monitor what's happening across your environment by using Microsoft Sentinel.
4
-
author: yelevin
4
+
author: batamig
5
5
ms.topic: how-to
6
-
ms.date: 05/19/2024
7
-
ms.author: yelevin
6
+
ms.date: 05/21/2024
7
+
ms.author: bagol
8
+
appliesto:
9
+
- Microsoft Sentinel in the Azure portal
10
+
- Microsoft Sentinel in the Microsoft Defender portal
11
+
ms.collection: usx-security
12
+
#customerIntent: As a security analyst, I want to learn how to get an initial view into Microsoft Sentinel data generated for my environment.
8
13
---
9
14
10
-
# Visualize collected data
15
+
# Visualize collected data on the Overview page
11
16
12
-
In this article, you will learn how to quickly be able to view and monitor what's happening across your environment using Microsoft Sentinel.
17
+
After connecting your data sources to Microsoft Sentinel, use the **Overview** page to view, monitor, and analyze activities across your environment. This article describes the widgets and graphs available on Microsoft Sentinel's **Overview** dashboard.
13
18
14
-
After you connected your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use workbook templates or create a new workbook easily, from scratch or based on an existing workbook.
To visualize and get analysis of what's happening on your environment, first, take a look at the overview dashboard to get an idea of the security posture of your organization. To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses a fusion technique to correlate alerts into incidents. **Incidents** are groups of related alerts that together create an actionable incident that you can investigate and resolve.
23
+
- Make sure that you have reader access to Microsoft Sentinel resources. For more information, see [Roles and permissions in Microsoft Sentinel](roles.md).
19
24
20
-
In the Azure portal, select Microsoft Sentinel and then select the workspace you want to monitor.
25
+
## Access the Overview page
21
26
22
-
:::image type="content" source="./media/qs-get-visibility/overview.png" alt-text="Screenshot of the Microsoft Sentinel overview page." lightbox="./media/qs-get-visibility/overview.png":::
27
+
If your workspace is onboarded to the unified security operations platform, select **General > Overview**. Otherwise, select **Overview** directly. For example:
23
28
24
-
If you want to refresh the data for all sections of the dashboard, select **Refresh** at the top of the dashboard. To improve performance, the data for each section of the dashboard is pre-calculated, and you can see the refresh time at the top of each section.
29
+
:::image type="content" source="media/get-visibility/dashboard.png" alt-text="Screenshot of the Microsoft Sentinel Overview dashboard.":::
25
30
26
-
### View incident data
31
+
Data for each section of the dashboard is precalculated, and the last refresh time is shown at the top of each section. Select **Refresh** at the top of the page to refresh the entire page.
27
32
28
-
You see different types of incident data under **Incidents**.
33
+
## View incident data
34
+
35
+
To help reduce noise and minimize the number of alerts you need to review and investigate, Microsoft Sentinel uses a fusion technique to correlate alerts into *incidents*. Incidents are actionable groups of related alerts for you to investigate and resolve.
36
+
37
+
The following image shows an example of the **Incidents** section on the **Overview** dashboard:
29
38
30
39
:::image type="content" source="./media/qs-get-visibility/incidents.png" alt-text="Screenshot of the Incidents section in the Microsoft Sentinel Overview page." lightbox="./media/qs-get-visibility/incidents.png":::
31
-
32
-
- On the top left, you see the number of new, active, and closed incidents over the last 24 hours.
33
-
- On the top right, you see incidents organized by severity, and closed incidents by closing classification.
34
-
- On the bottom left, a graph breaks up the incident status by creation time, in four hour intervals.
35
-
- On the bottom right, you can see the mean time to acknowledge an incident and mean time to close, with a link to the SOC efficiency workbook.
36
40
37
-
### View automation data
41
+
The **Incidents** section lists the following data:
42
+
43
+
- The number of new, active, and closed incidents over the last 24 hours.
44
+
- The total number of incidents of each severity.
45
+
- The number of closed incidents of each type of closing classification.
46
+
- Incident statuses by creation time, in four hour intervals.
47
+
- The mean time to acknowledge an incident and the mean time to close an incident, with a link to the SOC efficiency workbook.
48
+
49
+
Select **Manage incidents** to jump to the Microsoft Sentinel **Incidents** page for more details.
38
50
39
-
You see different types of automation data under **Automation**.
51
+
## View automation data
52
+
53
+
After deploying automation with Microsoft Sentinel, monitor your workspace's automation in the **Automation** section of the **Overview** dashboard.
40
54
41
55
:::image type="content" source="./media/qs-get-visibility/automation.png" alt-text="Screenshot of the Automation section in the Microsoft Sentinel Overview page." lightbox="./media/qs-get-visibility/automation.png":::
42
56
43
-
-At the top, you see a summary of the automation rules activity: Incidents closed by automation, the time the automation saved, and related playbooks health.
57
+
-Start with a summary of the automation rules activity: Incidents closed by automation, the time the automation saved, and related playbooks health.
44
58
45
-
Microsoft Sentinel calculates the time saved by automation by finding the average time that a single automation saved, multiplied by the number of incidents that were resolved by automation. The formula is as follows:
59
+
Microsoft Sentinel calculates the time saved by automation by finding the average time that a single automation saved, multiplied by the number of incidents resolved by automation. The formula is as follows:
46
60
47
61
`(avgWithout - avgWith) * resolvedByAutomation`
48
62
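Review bot: the new dashboard screenshot is referenced as `media/get-visibility/dashboard.png`, while every other image in this file lives under `./media/qs-get-visibility/` (`overview.png`, `incidents.png`, `automation.png`, `data.png`, `analytics.png`); either the file is in a different folder from the rest of the article's media or the path is wrong, so confirm the asset exists at that location, and consider adding the `lightbox` attribute the sibling images carry so it can be enlarged like the others. Also, the replacement bullet `-Start with a summary of the automation rules activity: ...` keeps the missing space after the hyphen, so it will not render as a list item; it should read `- Start with a summary ...` to match the `- ` list style used elsewhere in the hunk.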
@@ -52,104 +66,42 @@ You see different types of automation data under **Automation**.
52
66
-**avgWith** is the average time it takes for an incident to be resolved by automation.
53
67
-**resolvedByAutomation** is the number of incidents that are resolved by automation.
54
68
69
+
- Below the summary, a graph summarizes the numbers of actions performed by automation, by type of action.
55
70
56
-
- Below the summary, a graph summarizes the numbers of actions performed by automation, by type of action.
57
-
58
-
- At the bottom, you can find a count of the active automation rules with a link to the automation blade.
71
+
- At the bottom of the section, find a count of the active automation rules with a link to the **Automation** page.
59
72
73
+
Select the **configure automation rules** link to the jump the **Automation** page, where you can configure more automation.
60
74
61
-
###View status of data records, data collectors, and threat intelligence
75
+
## View status of data records, data collectors, and threat intelligence
62
76
63
-
You see different types of data on data records, data collectors, and threat intelligence under **Data**.
77
+
In the **Data** section of the **Overview** dashboard, track information on data records, data collectors, and threat intelligence.
64
78
65
79
:::image type="content" source="./media/qs-get-visibility/data.png" alt-text="Screenshot of the Data section in the Microsoft Sentinel Overview page." lightbox="./media/qs-get-visibility/data.png":::
66
80
67
-
- On the left, a graph shows the number of records that Microsoft Sentinel collected in the last 24 hours, compared to the previous 24 hours, and anomalies detected in that time period.
68
-
- On the top right, you see a summary of the data connector status, divided by unhealthy and active connectors. **Unhealthy connectors** indicate how many connectors have errors. **Active connectors** are connectors with data streaming into Microsoft Sentinel, as measured by a query included in the connector.
69
-
- On the bottom right, you can see threat intelligence records in Microsoft Sentinel, by indicator of compromise.
70
-
71
-
### View analytics data
72
-
73
-
You see data for analytics rules under **Analytics**.
74
-
75
-
:::image type="content" source="./media/qs-get-visibility/analytics.png" alt-text="Screenshot of the Analytics section in the Microsoft Sentinel Overview page.":::
76
-
77
-
You see the number of analytics rules in Microsoft Sentinel, by enabled, disabled, or auto-disabled status.
78
-
79
-
## Use workbooks templates<aname="dashboards"></a>
80
-
81
-
Workbook templates provide integrated data from your connected data sources to let you deep dive into the events generated in those services. Workbook templates include Microsoft Entra ID, Azure activity events, and on-premises, which can be data from Windows Events from servers, from first party alerts, from any third-party including firewall traffic logs, Office 365, and insecure protocols based on Windows events. The workbooks are based on Azure Monitor Workbooks to provide you with enhanced customizability and flexibility in designing your own workbook. For more information, see [Workbooks](../azure-monitor/visualize/workbooks-overview.md).
82
-
83
-
1. Under **Settings**, select **Workbooks**. Under **My workbooks**, you can see all your saved workbook. Under **Templates**, you can see the workbooks templates that are installed. To find more workbook templates, go to the **Content hub** in Microsoft Sentinel to install product solutions or standalone content.
84
-
2. Search for a specific workbook to see the whole list and description of what each offers.
85
-
3. Assuming you use Microsoft Entra ID, to get up and running with Microsoft Sentinel, we recommend that you install the Microsoft Entra solution for Microsoft Sentinel and use the following workbooks:
86
-
-**Microsoft Entra ID**: Use either or both of the following:
87
-
-**Microsoft Entra sign-ins** analyzes sign-ins over time to see if there are anomalies. This workbook provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins.
88
-
-**Microsoft Entra audit logs** analyzes admin activities, such as changes in users (add, remove, etc.), group creation, and modifications.
89
-
90
-
- Install the appropriate solution to add a workbook for your firewall. For example, install the Palo Alto firewall solution for Microsoft Sentinel to add the Palo Alto workbooks. The workbooks analyze your firewall traffic, providing you with correlations between your firewall data and threat events, and highlight suspicious events across entities. Workbooks provide you with information about trends in your traffic and let you drill down into and filter results.
- The number of records that Microsoft Sentinel collected in the last 24 hours, compared to the previous 24 hours, and anomalies detected in that time period.
93
84
85
+
- A summary of your data connector status, divided by unhealthy and active connectors. **Unhealthy connectors** indicate how many connectors have errors. **Active connectors** are connectors with data streaming into Microsoft Sentinel, as measured by a query included in the connector.
94
86
95
-
You can customize the workbooks either by editing the main query . You can click the button  to go to [Log Analytics to edit the query there](../azure-monitor/logs/log-analytics-tutorial.md), and you can select the ellipsis (...) and select **Customize tile data**, which enables you to edit the main time filter, or remove the specific tiles from the workbook.
87
+
- Threat intelligence records in Microsoft Sentinel, by indicator of compromise.
96
88
97
-
For more information on working with queries, see [Tutorial: Visual data in Log Analytics](../azure-monitor/visualize/tutorial-logs-dashboards.md)
89
+
Select **Manage connectors** to jump to the **Data connectors** page, where you can view and manage your data connectors.
98
90
99
-
### Add a new tile
91
+
##View analytics data
100
92
101
-
If you want to add a new tile, you can add it to an existing workbook, either one that you create or a Microsoft Sentinel built-in workbook.
102
-
1. In Log Analytics, create a tile using the instructions found in [Visual data in Log Analytics](../azure-monitor/visualize/tutorial-logs-dashboards.md).
103
-
2. After the tile is created, under **Pin**, select the workbook in which you want the tile to appear.
93
+
Track data for your analytics rules in the **Analytics** section of the **Overview** dashboard.
104
94
105
-
## Create new workbooks
106
-
107
-
You can create a new workbook from scratch or use a workbook template as the basis for your new workbook.
108
-
109
-
1. To create a new workbook from scratch, select **Workbooks** and then **+New workbook**.
110
-
1. Select the subscription the workbook is created in and give it a descriptive name. Each workbook is an Azure resource like any other, and you can assign it roles (Azure RBAC) to define and limit who can access.
111
-
1. To enable it to show up in your workbooks to pin visualizations to, you have to share it. Click **Share** and then **Manage users**.
112
-
1. Use the **Check access** and **Role assignments** as you would for any other Azure resource. For more information, see [Share Azure workbooks by using Azure RBAC](../azure-portal/azure-portal-dashboard-share-access.md).
113
-
114
-
115
-
## New workbook examples
116
-
117
-
The following sample query enables you to compare trends of traffic across weeks. You can easily switch which device vendor and data source you run the query on. This example uses SecurityEvent from Windows, you can switch it to run on AzureActivity or CommonSecurityLog on any other firewall.
You might want to create a query that incorporates data from multiples sources. You can create a query that looks at Microsoft Entra audit logs for new users that were just created, and then checks your Azure logs to see if the user started making role assignment changes within 24 hours of creation. That suspicious activity would show up on this dashboard:
128
-
129
-
```console
130
-
AuditLogs
131
-
| where OperationName == "Add user"
132
-
| project AddedTime = TimeGenerated, user = tostring(TargetResources[0].userPrincipalName)
133
-
| join (AzureActivity
134
-
| where OperationName == "Create role assignment"
135
-
| project OperationName, RoleAssignmentTime = TimeGenerated, user = Caller) on user
136
-
| project-away user1
137
-
```
138
-
139
-
You can create different workbooks based on role of person looking at the data and what they're looking for. For example, you can create a workbook for your network admin that includes the firewall data. You can also create workbooks based on how frequently you want to look at them, whether there are things you want to review daily, and others items you want to check once an hour, for example, you might want to look at your Microsoft Entra sign-ins every hour to search for anomalies.
140
-
141
-
## Create new detections
142
-
143
-
Generate detections on the [data sources that you connected to Microsoft Sentinel](connect-data-sources.md) to investigate threats in your organization.
95
+
:::image type="content" source="./media/qs-get-visibility/analytics.png" alt-text="Screenshot of the Analytics section in the Microsoft Sentinel Overview page.":::
144
96
145
-
When you create a new detection, leverage the detections crafted by Microsoft security researchers that are tailored to the data sources you connected.
97
+
The number of analytics rules in Microsoft Sentinel are shown by status, including enabled, disabled, and autodisabled.
146
98
147
-
To view the installed out-of-the-box detections, go to **Analytics** and then **Rule templates**. This tab contains all the installed Microsoft Sentinel rule templates. To find more rule templates, go to the **Content hub**in Microsoft Sentinel to install product solutions or standalone content.
99
+
Select the **MITRE view** link to jump to the **MITRE ATT&CK**, where you can view how your environment is protected against MITRE ATT&CK tactics and techniques. Select the **manage analytics rules** link to jump to the **Analytics**page, where you can view and manage the rules that configure how alerts are triggered.
148
100
149
-

101
+
## Next steps
150
102
151
-
For more information about getting out-of-the-box detections, see [Get built-in-analytics](detect-threats-built-in.md).
103
+
- Use workbook templates to dive deeper into events generated across your environment. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](monitor-your-data.md).
152
104
153
-
## Next steps
105
+
- Turn on Log Analytics query logs to get all queries run from your workspace. For more information, see [Audit Microsoft Sentinel queries and activities](audit-sentinel-data.md).
154
106
155
-
[Detect threats out-of-the-box](detect-threats-built-in.md) and [create custom threat detection rules](detect-threats-custom.md) to automate your responses to threats.
107
+
- Learn about the queries used behind the **Overview** dashboard widgets. For more information, see [Deep dive into Microsoft Sentinel’s new Overview dashboard](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/deep-dive-into-microsoft-sentinel-s-new-overview-dashboard/ba-p/3860688).
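Review bot: the added sentence `Select the **configure automation rules** link to the jump the **Automation** page, ...` has a word-order typo and should read `... link to jump to the **Automation** page, ...`. The new heading `##View analytics data` has no space after `##`, so Markdown will render it as plain text rather than a heading; the same problem was fixed for `## View status of data records, data collectors, and threat intelligence` earlier in this hunk, so apply the same fix here. In the MITRE sentence, `jump to the **MITRE ATT&CK**, where` is missing the word "page" after the bold text, and `**Analytics**page` needs a space. Finally, `The number of analytics rules in Microsoft Sentinel are shown by status` should be `is shown`, since the subject is "number".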