
Commit c6c8d8d

committed
workbooks content
1 parent 2ae12e6 commit c6c8d8d


3 files changed

+97
-161
lines changed


articles/sentinel/get-visibility.md

Lines changed: 18 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -24,7 +24,7 @@ If your workspace is onboarded to the unified security operations platform, sele
2424

2525
:::image type="content" source="media/get-visibility/dashboard.png" alt-text="Screenshot of the Microsoft Sentinel Overview dashboard.":::
2626

27-
Data for each section of the dashboard is pre-calculated, and the last refresh time is shown at the top of each section. Select **Refresh** at the top of the page to refresh the entire page.
27+
Data for each section of the dashboard is precalculated, and the last refresh time is shown at the top of each section. Select **Refresh** at the top of the page to refresh the entire page.
2828

2929
## View incident data
3030

@@ -36,7 +36,7 @@ The following image shows an example of the **Incidents** section on the **Overv
3636

3737
The **Incidents** section lists the following data:
3838

39-
- The number of number of new, active, and closed incidents over the last 24 hours.
39+
- The number of new, active, and closed incidents over the last 24 hours.
4040
- The total number of incidents of each severity.
4141
- The number of closed incidents of each type of closing classification.
4242
- Incident statuses by creation time, in four hour intervals.
@@ -52,7 +52,7 @@ After deploying automation with Microsoft Sentinel, monitor your workspace's aut
5252

5353
- Start with a summary of the automation rules activity: Incidents closed by automation, the time the automation saved, and related playbooks health.
5454

55-
Microsoft Sentinel calculates the time saved by automation by finding the average time that a single automation saved, multiplied by the number of incident that were resolved by automation. The formula is as follows:
55+
Microsoft Sentinel calculates the time saved by automation by finding the average time that a single automation saved, multiplied by the number of incidents resolved by automation. The formula is as follows:
5656

5757
`(avgWithout - avgWith) * resolvedByAutomation`
5858

@@ -64,7 +64,7 @@ After deploying automation with Microsoft Sentinel, monitor your workspace's aut
6464

6565
- Below the summary, a graph summarizes the numbers of actions performed by automation, by type of action.
6666

67-
- At the bottom of the section, find a count of the active automation rules with a link to the automation blade.
67+
- At the bottom of the section, find a count of the active automation rules with a link to the **Automation** page.
6868

6969
Select the **configure automation rules** link to the jump the **Automation** page, where you can configure more automation.
7070
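Review bot: the unchanged context line 69, "Select the **configure automation rules** link to the jump the **Automation** page", still carries the typo "to the jump the"; since this hunk already edits the same paragraph to rename the blade to the **Automation** page, fix it here as "link to jump to the **Automation** page".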

@@ -90,10 +90,23 @@ Track data for your analytics rules in the **Analytics** section of the **Overvi
9090

9191
:::image type="content" source="./media/qs-get-visibility/analytics.png" alt-text="Screenshot of the Analytics section in the Microsoft Sentinel Overview page.":::
9292

93-
The number of analytics rules in Microsoft Sentinel are shown by status, including enabled, disabled, and auto-disabled.
93+
The number of analytics rules in Microsoft Sentinel are shown by status, including enabled, disabled, and autodisabled.
9494

9595
Select the **MITRE view** link to jump to the **MITRE ATT&CK**, where you can view how your environment is protected against MITRE ATT&CK tactics and techniques. Select the **manage analytics rules** link to jump to the **Analytics** page, where you can view and manage the rules that configure how alerts are triggered.
9696

97+
<!--unclear what this section is doing here. doesn't seem to have any connection to workbooks?
98+
## Create new detections
99+
100+
Generate detections on the [data sources that you connected to Microsoft Sentinel](connect-data-sources.md) to investigate threats in your organization.
101+
102+
When you create a new detection, leverage the detections crafted by Microsoft security researchers that are tailored to the data sources you connected.
103+
104+
To view the installed out-of-the-box detections, go to **Analytics** and then **Rule templates**. This tab contains all the installed Microsoft Sentinel rule templates. To find more rule templates, go to the **Content hub** in Microsoft Sentinel to install product solutions or standalone content.
105+
106+
![Use built-in detections to find threats with Microsoft Sentinel](media/tutorial-detect-built-in/view-oob-detections.png)
107+
108+
For more information about getting out-of-the-box detections, see [Get built-in-analytics](detect-threats-built-in.md).
109+
-->
97110
## Next steps
98111

99112
Use workbook templates to dive deeper into events generated across your environment. For more information, see [Visualize log and query data with Microsoft Sentinel workbooks](workbooks.md).
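Review bot: the new lines 97 to 109 commit an entire "Create new detections" section wrapped in an HTML comment together with an editor's question ("unclear what this section is doing here"), which leaves unresolved, invisible content in the published source; either drop the section (the surrounding **Analytics** and **MITRE ATT&CK** paragraphs already cover rule management) or move it to its own article, and track the open question in an issue rather than in the file. Two smaller points in the same hunk: the changed line 93 should read "The number of analytics rules ... is shown by status" (singular subject), and the unchanged context line 95 is missing a word in "jump to the **MITRE ATT&CK**, where" (presumably "the **MITRE ATT&CK** page").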

articles/sentinel/monitor-your-data.md

Lines changed: 79 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -3,7 +3,7 @@ title: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Doc
33
description: Learn how to visualize your data using workbooks in Microsoft Sentinel.
44
author: yelevin
55
ms.topic: how-to
6-
ms.date: 03/07/2024
6+
ms.date: 05/22/2024
77
ms.author: yelevin
88
appliesto:
99
- Microsoft Sentinel in the Azure portal
@@ -13,7 +13,9 @@ ms.collection: usx-security
1313

1414
# Visualize and monitor your data by using workbooks in Microsoft Sentinel
1515

16-
After you connect your data sources to Microsoft Sentinel, visualize and monitor the data using workbooks in Microsoft Sentinel. Microsoft Sentinel allows you to create custom workbooks across your data or, use existing workbook templates available with packaged solutions or as standalone content from the content hub. These templates allow you to quickly gain insights across your data as soon as you connect a data source.
16+
After you connect your data sources to Microsoft Sentinel, visualize and monitor the data using workbooks in Microsoft Sentinel. Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and add tables and charts with analytics for your logs and queries to the tools already available in Azure.
17+
18+
Microsoft Sentinel allows you to create custom workbooks across your data or use existing workbook templates available with packaged solutions or as standalone content from the content hub. Each workbook is an Azure resource like any other, and you can assign it with Azure role-based access control (RBAC) to define and limit who can access.
1719

1820
This article describes how to visualize your data in Microsoft Sentinel by using workbooks.
1921
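Review bot: the added line 18, "you can assign it with Azure role-based access control (RBAC) to define and limit who can access", is ungrammatical and blurs the access-control point; suggest "Each workbook is an Azure resource like any other, so you can use Azure role-based access control (RBAC) to define and limit who can access it." It would also help to connect this sentence to the permission prerequisite stated later in the file (**Workbook reader** or **Workbook contributor** on the workspace's resource group), so readers know which roles the RBAC remark refers to.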

@@ -24,6 +26,7 @@ This article describes how to visualize your data in Microsoft Sentinel by using
2426
- You must have at least **Workbook reader** or **Workbook contributor** permissions on the resource group of the Microsoft Sentinel workspace.
2527

2628
The workbooks that you see in Microsoft Sentinel are saved within the Microsoft Sentinel workspace's resource group and are tagged by the workspace in which they were created.
29+
2730
- To use a workbook template, install the solution that contains the workbook or install the workbook as a standalone item from the **Content Hub**. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
2831

2932
## Create a workbook from a template
@@ -50,18 +53,25 @@ Use a template installed from the content hub to create a workbook.
5053

5154
[ ![Screenshot that shows the saved workbook.](media/monitor-your-data/workbook-graph.png) ](media/monitor-your-data/workbook-graph.png#lightbox)
5255

53-
To clone your workbook, select **Edit** and then **Save as**. Save the clone with another name, under the same subscription and resource group. Cloned workbooks are displayed under the **My workbooks** tab.
56+
For example, select the **TimeRange** filter to view data for a different time range than the current selection. To edit a specific workbook area, either select **Edit** or select the ellipsis (**...**) to add elements, or move, clone, or remove the area.
57+
58+
To clone your workbook, select **Save as**. Save the clone with another name, under the same subscription and resource group. Cloned workbooks are displayed under the **My workbooks** tab.
5459

5560
1. When you're done, select **Save** to save your changes.
5661

57-
For more information, see how to [Create interactive reports with Azure Monitor Workbooks](../azure-monitor/visualize/workbooks-overview.md).
62+
For more information, see:
63+
64+
- [Create interactive reports with Azure Monitor Workbooks](../azure-monitor/visualize/workbooks-overview.md)
65+
- [Tutorial: Visual data in Log Analytics](../azure-monitor/visualize/tutorial-logs-dashboards.md)
5866

5967
## Create new workbook
6068

6169
Create a workbook from scratch in Microsoft Sentinel.
6270

6371
1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Workbooks**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Workbooks**.
72+
6473
1. Select **Add workbook**.
74+
6575
1. To edit the workbook, select **Edit**, and then add text, queries, and parameters as necessary. For more information on how to customize the workbook, see how to [Create interactive reports with Azure Monitor Workbooks](../azure-monitor/visualize/workbooks-overview.md).
6676

6777
[ ![Screenshot that shows a new workbook.](media/monitor-your-data/create-workbook.png) ](media/monitor-your-data/create-workbook.png#lightbox)
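Review bot: the new link text on line 65, "Tutorial: Visual data in Log Analytics", reads like a typo for "Visualize data in Log Analytics" (the target is tutorial-logs-dashboards.md); check the target article's title and use it verbatim. Also, line 56 now says that to clone a workbook you "select **Save as**", while the removed line 53 had "select **Edit** and then **Save as**"; if **Save as** is only reachable from edit mode, the dropped step should stay.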
@@ -80,6 +90,12 @@ Create a workbook from scratch in Microsoft Sentinel.
8090

8191
[ ![Switch workbooks.](media/monitor-your-data/switch-workbooks.png) ](media/monitor-your-data/switch-workbooks.png#lightbox)
8292

93+
## Create new tiles for your workbooks
94+
95+
To add a custom tile to a Microsoft Sentinel workbook, first create the tile in Log Analytics. For more information, see [Visual data in Log Analytics](../azure-monitor/visualize/tutorial-logs-dashboards.md).
96+
97+
Once you create a tile, select **Pin** and then select the workbook where you want the tile to appear.
98+
8399
## Refresh your workbook data
84100

85101
Refresh your workbook to display updated data. In the toolbar, select one of the following options:
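Review bot: the link text on line 95, "Visual data in Log Analytics", has the same apparent typo as the earlier hunk ("Visualize data"); align it with the target article's title. The new section also tells the reader to create the tile in Log Analytics and then "select **Pin**" without saying where **Pin** appears; add a clause locating the control so the two-step procedure can be followed.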
@@ -110,6 +126,64 @@ To print a workbook, or save it as a PDF, use the options menu to the right of t
110126

111127
To delete a saved workbook, either a saved template or a customized workbook, select the saved workbook that you want to delete and select **Delete**. This action removes the saved workbook. It also removes the workbook resource and any changes you made to the template. The original template remains available.
112128

129+
130+
## Workbook recommendations
131+
132+
This section reviews basic recommendations we have for using Microsoft Sentinel workbooks.
133+
134+
### Add Microsoft Entra ID workbooks
135+
136+
If you use Microsoft Entra ID with Microsoft Sentinel, we recommend that you install the Microsoft Entra solution for Microsoft Sentinel and use the following workbooks:
137+
138+
- **Microsoft Entra sign-ins** analyzes sign-ins over time to see if there are anomalies. This workbook provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins.
139+
- **Microsoft Entra audit logs** analyzes admin activities, such as changes in users (add, remove, etc.), group creation, and modifications.
140+
141+
### Add firewall workbooks
142+
143+
We recommend that you install the appropriate solution from the **Content hub** to add a workbook for your firewall.
144+
145+
For example, install the Palo Alto firewall solution for Microsoft Sentinel to add the Palo Alto workbooks. The workbooks analyze your firewall traffic, providing you with correlations between your firewall data and threat events, and highlight suspicious events across entities.
146+
147+
![Screenshot of the Palo Alto workbook](./media/qs-get-visibility/palo-alto-week-query.png)
148+
149+
### Create different workbooks for different uses
150+
151+
We recommend creating different visualizations for each type of persona that uses workbooks, based on the persona's role and what they're looking for. For example, create a workbook for your network admin that includes the firewall data.
152+
153+
Alternately, create workbooks based on how frequently you want to look at them, whether there are things you want to review daily, and others items you want to check once an hour. For example, you might want to look at your Microsoft Entra sign-ins every hour to search for anomalies.
154+
155+
### Sample query for comparing traffic trends across weeks
156+
157+
Use the following query to create a visualization that compares traffic trends across weeks. Switch the device vendor and data source you run the query on, depending on your environment.
158+
159+
The following sample query uses the **SecurityEvent** table from Windows. You might want to switch it to run on the **AzureActivity** or **CommonSecurityLog** table, on any other firewall.
160+
161+
```kusto
162+
// week over week query
163+
SecurityEvent
164+
| where TimeGenerated > ago(14d)
165+
| summarize count() by bin(TimeGenerated, 1d)
166+
| extend Week = iff(TimeGenerated>ago(7d), "This Week", "Last Week"), TimeGenerated = iff(TimeGenerated>ago(7d), TimeGenerated, TimeGenerated + 7d)
167+
```
168+
169+
### Sample query with data from multiple sources
170+
171+
You might want to create a query that incorporates data from multiples sources. For example, create a query that looks at Microsoft Entra audit logs for new users that were created, and then checks your Azure logs to see if the user started making role assignment changes within 24 hours of creation. That suspicious activity would show up in a visualization with the following query:
172+
173+
```kusto
174+
AuditLogs
175+
| where OperationName == "Add user"
176+
| project AddedTime = TimeGenerated, user = tostring(TargetResources[0].userPrincipalName)
177+
| join (AzureActivity
178+
| where OperationName == "Create role assignment"
179+
| project OperationName, RoleAssignmentTime = TimeGenerated, user = Caller) on user
180+
| project-away user1
181+
```
182+
113183
## Related articles
114184

115-
To learn about popular built-in workbooks, see [Commonly used Microsoft Sentinel workbooks](top-workbooks.md).
185+
For more information, see:
186+
187+
- [Commonly used Microsoft Sentinel workbooks](top-workbooks.md)
188+
189+
- [Azure Monitor workbooks](/azure/azure-monitor/visualize/workbooks-overview)
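Review bot: the second sample query (lines 173 to 181) does not implement the 24-hour window that the prose on line 171 promises: after the join there is no comparison between RoleAssignmentTime and AddedTime, so every role assignment ever made by a user who was created at any time is returned. Add a filter after the join, for example `| where RoleAssignmentTime between (AddedTime .. AddedTime + 24h)`, and consider a `| where TimeGenerated > ago(...)` on both sides of the join to bound the scan, as the first query does with `ago(14d)`. Wording in the same hunk: "others items" (line 153) should be "other items", "multiples sources" (line 171) should be "multiple sources", "notice, at a glance if" (line 138) needs a comma after "glance" or none before "at", and "on the **AzureActivity** or **CommonSecurityLog** table, on any other firewall" (line 159) reads better as "or on the **CommonSecurityLog** table for any other firewall".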
