Investigation Insights Overview

Investigation Insights - Overview

Resource	Link	Notes
Blog article	https://techcommunity.microsoft.com/t5/azure-sentinel/announcing-the-investigation-insights-workbook/ba-p/1816903
Source	https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/InvestigationInsights.json	Remember to open in RAW mode, before you Copy & Paste

Investigation Insights Help

Overview

The Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities. The workbook leverages multiple data sources to provide detailed views of frequently used information during the analysis of an incident.

Detailed help on this workbook is maintained at the Azure Sentinel Github Wiki.

The workbook is broken up into 2 main sections, Incident Insights and Entity Insights.

Incident Insights

The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information.

Entity Insights

The Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types:

• IP Address
• Account
• Host
• URL

Workbook Setup

This workbook can be configured using the parameters at the top of the workbook. Some of these parameters are only available in Edit mode.

Parameter	Description
Subscription	Select the Azure subscription where your Azure Sentinel instance resides
Workspace	Select the Azure Log Analytics workspace where your Azure Sentinel data resides
TimeRange	Select the time window you want to Investigate
Investigate by	Investigate by Incident allows you to view Sentinel incident data and investigate by entity, Investigate by Entity allows you to proceed directly to entering the entity data manually for your investigation
Show Incident Trend	Use this toggle, to see additonal data about the Trends over the past (TimeRange), compared to the last 24hours.
Help	Turn on/off this help data, Turn on/off the change log
DefaultUPNSuffix	This parameter is used when the entity data does not include a UPN suffix, the value of this parameter will be the assumed suffix
AlertID	This parameter should be left blank and is hidden when using the workbook
EntityData	This parameter should be left blank and is hidden when using the workbook
EntityType	This parameter should be left blank and is hidden when using the workbook

Data Sources

This workbook leverages a number of different data sources. Most of these data sources are not required for this workbook to function but elements of the workbook may not function if data sources are missing. Our detailed help located on GitHub includes additional information about which data sources are required for specific capabilities of this workbook.

Data Source	Type	Data Connector
Azure Resource Graph	api	Not Applicable
AuditLogs	table	Azure Active Directory
AWSCloudTrail	table	Amazon Web Services
AzureActivity	table	Azure Activity
CommonSecurityLog	table	Multiple Connectors
DnsEvents	table	DNS
OfficeActivity	table	Office 365
ProtectionStatus	table	Azure Security Center with Microsoft Monitoring Agent
SecurityAlert	table	Multiple Connectors
SecurityBaseline	table	Azure Security Center with Microsoft Monitoring Agent
SecurityBaselineSummary	table	Azure Security Center with Microsoft Monitoring Agent
SecurityEvent	table	Security Events
SecurtityIncident	table	Not Applicable
SigninLogs	table	Azure Active Directory
ThreatIntelligenceIndicator	table	Threat Intelligence (Platforms and/or TAXII)
UpdateSummary	table	Azure Security Center with Microsoft Monitoring Agent
Update	table	Azure Security Center with Microsoft Monitoring Agent
VMConnection	table	Azure Monitor VM Insights
W3CIISLog	table	Microsoft Monitoring Agent
WindowsFirewall	table	Windows Firewall