
Deploying hunting workbooks

Edoardo Gerosa edited this page Jul 11, 2020 · 20 revisions

Within Sentinel, workbooks are a means to build richer, more interactive dashboards over Log Analytics workspaces. They offer better drill-down capabilities than standard dashboards without requiring the full power and granularity of Jupyter notebooks.

It is recommended to read the official Microsoft documentation to get an understanding of how workbooks function.

Overview

The hunting folder contains a Sysmon threat hunting workbook inspired by Olaf Hartong's Splunk ThreatHunting App.

The current threat hunting workbook release contains the following tabs:

To deploy the included hunting workbooks, follow the steps below:

NOTE: If you have already deployed Sentinel-ATT&CK by following the getting started guide you can skip the steps below, as the Sysmon threat hunting workbook will already have been deployed.

Required: first make sure you have configured the required whitelisting functions in your Sentinel environment and that you understand how to use Sentinel-ATT&CK whitelists. The workbook queries depend on these functions, so deploy them before the workbook.

  1. Sign in to your Azure portal
  2. Head to the Sentinel blade and then click on Workbooks under the Threat Management menu
  3. Download or copy to clipboard the Sysmon threat hunting workbook JSON provided
  4. Click Add Workbook
  5. Click the Edit button
  6. Click on the advanced editor button "</>"
  7. Within the Gallery Template editor, replace the existing content with the Sysmon threat hunting workbook JSON
  8. Click Apply
  9. Click on the Save button

A GIF outlining the process above can be seen at the link below:

View GIF
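The portal steps above can also be scripted, which is preferable when the workbook has to be deployed to several workspaces or redeployed after each new release. The following is an added example, not code from the Sentinel-ATT&CK project: it wraps a workbook JSON body (the same JSON pasted into the Gallery Template editor) in an ARM template for a Microsoft.Insights/workbooks resource, which can then be deployed with `az deployment group create`. The apiVersion (2021-08-01), the `sentinel` category, the workspace resource ID, the output file name and the minimal workbook body are all assumptions made for the example; substitute the project's Sysmon workbook JSON and your own workspace ID.

```python
"""Wrap a Sentinel workbook JSON body in an ARM template for scripted deployment.

Added example, not part of the Sentinel-ATT&CK project. SAMPLE_WORKBOOK is a
constructed stand-in for the project's Sysmon hunting workbook; the resource
type, apiVersion and property names follow the Microsoft.Insights/workbooks
ARM schema (assumed apiVersion: 2021-08-01).
"""
import json
import uuid

# Constructed minimal workbook body. The real Sysmon workbook has the same
# top-level shape (version, items, ...) with many more items.
SAMPLE_WORKBOOK = {
    "version": "Notebook/1.0",
    "items": [
        {
            "type": 3,
            "content": {
                "version": "KqlItem/1.0",
                "query": "Sysmon | where EventID == 1 | summarize count() by Image",
                "size": 0,
                "queryType": 0,
                "resourceType": "microsoft.operationalinsights/workspaces",
            },
            "name": "process-creation",
        }
    ],
    "fromTemplateId": "sentinel-UserWorkbook",
    "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/schema/workbook.json",
}

# Hypothetical workspace resource ID; replace with your own.
WORKSPACE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel"
    "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
)


def is_workbook(workbook):
    """True only for a gallery-template workbook body with at least one item."""
    return (
        isinstance(workbook, dict)
        and workbook.get("version") == "Notebook/1.0"
        and isinstance(workbook.get("items"), list)
        and len(workbook["items"]) > 0
    )


def workbook_resource_id(display_name, workspace_resource_id):
    """Deterministic GUID for the workbook resource name.

    Deriving the name from workspace + display name means redeploying the
    template updates the existing workbook instead of creating a duplicate.
    """
    key = f"{workspace_resource_id.lower()}/{display_name}"
    return str(uuid.uuid5(uuid.NAMESPACE_URL, key))


def build_workbook_template(workbook, display_name, workspace_resource_id, api_version="2021-08-01"):
    """Return an ARM deployment template containing one shared Sentinel workbook."""
    if not is_workbook(workbook):
        raise ValueError("not a valid workbook body (need version 'Notebook/1.0' and non-empty items)")
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "type": "Microsoft.Insights/workbooks",
                "apiVersion": api_version,
                "name": workbook_resource_id(display_name, workspace_resource_id),
                "location": "[resourceGroup().location]",
                "kind": "shared",
                "properties": {
                    "displayName": display_name,
                    # The advanced editor stores the same JSON as a string here.
                    "serializedData": json.dumps(workbook, separators=(",", ":")),
                    "version": "1.0",
                    "sourceId": workspace_resource_id,
                    "category": "sentinel",  # places it in the Sentinel workbooks gallery
                },
            }
        ],
    }


def workbook_from_template(template):
    """Parse serializedData back out; useful to check a template before deploying it."""
    return json.loads(template["resources"][0]["properties"]["serializedData"])


if __name__ == "__main__":
    template = build_workbook_template(SAMPLE_WORKBOOK, "Sysmon threat hunting", WORKSPACE_ID)
    with open("workbook-deploy.json", "w", encoding="utf-8") as fh:  # assumed output file name
        json.dump(template, fh, indent=2)
    print("Deploy with:")
    print("  az deployment group create --resource-group rg-sentinel --template-file workbook-deploy.json")
```

Run the script once per workspace, then deploy the generated file with the printed `az deployment group create` command; because the resource name is derived from the workspace and display name, re-running after a new workbook release updates the workbook in place.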