Deploying collateral from our GitHub repository to your Azure Sentinel instance is very similar in that it is a copy/paste operation. This guidance is specific to an Workbook.
How to do it
Azure Sentinel Workbooks are located in the Workbooks folder of the GitHub repo. Locate an Analytics Rule you want in the GitHub Repo. Click the “Raw” button on the page to “sanitize” the code. Sanitizing code ensures there’s no hidden characters or bad formatting.
Jump back into the Azure Sentinel console and choose the “Add workbook” option from the Workbooks blade.
Once the sample Workbook displays, select Edit mode, then choose the Advanced editor (</>) icon.
Click back to the Workbook code on the GitHub repo and select ALL the sanitized code and copy it (Ctrl-A is a quick keyboard method). Once the code has been copied replace ALL the sample code in the Gallery Template space with the code you copied from the GitHub repo. Then, click the Apply button.
When you Apply the code change, the new Workbook will display. Finish up by clicking the Save (diskette) icon, give the Workbook a unique name, and click the Save button. The Workbook has now been deployed.
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
One thought on “How to Deploy a Workbook to Azure Sentinel from the GitHub Repository”
You must log in to post a comment.