How to Deploy a Workbook to Azure Sentinel from the GitHub Repository

Deploying collateral from our GitHub repository to your Azure Sentinel instance is very similar in that it is a copy/paste operation. This guidance is specific to an Workbook.

How to do it

Azure Sentinel Workbooks are located in the Workbooks folder of the GitHub repo. Locate an Analytics Rule you want in the GitHub Repo. Click the “Raw” button on the page to “sanitize” the code. Sanitizing code ensures there’s no hidden characters or bad formatting.

Sanitizing the code

Jump back into the Azure Sentinel console and choose the “Add workbook” option from the Workbooks blade.

Add a workbook

Once the sample Workbook displays, select Edit mode, then choose the Advanced editor (</>) icon.

Edit to Advanced Code

Click back to the Workbook code on the GitHub repo and select ALL the sanitized code and copy it (Ctrl-A is a quick keyboard method). Once the code has been copied replace ALL the sample code in the Gallery Template space with the code you copied from the GitHub repo. Then, click the Apply button.

Copy/Paste/Apply

When you Apply the code change, the new Workbook will display. Finish up by clicking the Save (diskette) icon, give the Workbook a unique name, and click the Save button. The Workbook has now been deployed.

Name it and save it

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

Author