UserAnalyticsWorkbook.json #11148
Closed
UserAnalyticsWorkbook.json #11148
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Please package this Solution using V3 tool |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
User-Analytics-Workbook
A custom Sentinel Workbook that provides an overview individual user activities and attributes
Description
The User Analytics Workbook is designed to provide a comprehensive overview of individual user activities and attributes within your organization. This custom solution aggregates and visualizes critical data related to users, including their group memberships, personal information, sign-in activities, recently assigned roles, behaviour analysis, assigned Entra ID (Formerly known as Active Directory (AD)) roles, risk status, and any recent incidents associated with the user.
By consolidating this information into a single, user-friendly workbook, organizations can easily monitor and analyze user behaviour, track changes in roles and responsibilities, and assess potential risks associated with user accounts. This solution enhances your ability to conduct detailed user analytics, supporting better decision-making and improved security oversight.
Business Requirements
• Detailed User Overview: The need to compile and visualize extensive information about user activities and attributes for enhanced monitoring and analysis.
• Behaviour Analysis: The requirement to track and assess user behaviour, including sign-in activities and role changes, to identify potential risks.
• Risk Management: Integration of risk status and recent incidents to provide a holistic view of user-related security concerns.
Prerequisites
• An Active Azure Subscription
• An Active Sentinel Instance
• Sentinel Contributor Role
• Required data sources including Sign-in Logs, Audit Logs, Azure Activity and UEBA logs.
Setup Guide
The following provides step-by-step instructions to deploy the Workbook:
Step 1: Access Microsoft Sentinel
• Sign in to the Azure portal: https://portal.azure.com/.
• In the search bar, type Microsoft Sentinel and click on it from the results.
• Select the appropriate Sentinel workspace where you want to deploy the custom workbook.
Step 2: Navigate to the Workbooks Section
• Once in the Sentinel workspace, on the left-hand panel, scroll down and click on Workbooks under the Threat Management section.
Step 3: Create a New Workbook
• At the top of the Workbooks page, click on the + New button to start creating a custom workbook.
• You’ll now see the workbook editor interface, where you can start designing your custom workbook.
Step 4: Import a Custom Workbook Template
• If you already have a custom workbook template in JSON format, click on the "Advanced Settings" gear icon (⚙️) in the top right corner of the workbook editor.
• In the menu, choose "Edit as Code".
• Copy your custom workbook JSON code and paste it into the code editor.
• Click Apply to load the template into the workbook.
Step 5: Save the Workbook
• Once your custom workbook is ready, click Save at the top of the page.
• Provide a name and description for your workbook.
• Select Save to Microsoft Sentinel or My Workbooks to choose the visibility of the workbook. Saving it to Sentinel will make it available to all users in the workspace.
Solution Insights: Workbook Visuals
image
Change(s):
Created first version
Reason for Change(s):
Uploaded the first version
Testing Completed:
Yes, this workbook is tested successfully and requires the Syslog data connector to be connected.
Checked that the validations are passing and have addressed any issues that are present:
Yes