How to Quickly Replace Code in an Azure Sentinel Workbook

With the recent (and awesome, btw) release of the SOC Process Framework Workbook from my good friend Rin Ure, some of you may be wondering how to accomplish replacing the [CUSTOMER] value with your own SOC’s team or org name – and doing it quickly. So, for our example of how to replace code in JSON in the Workbook editor, we’ll use this new Workbook.

Did you know that the Workbook code editor contains a Find and Replace function?

Once in the code editor (see the following if you’re not familiar: How to Deploy a Workbook to Azure Sentinel from the GitHub Repository), tap Ctrl-F on the keyboard.

Enter the value you want to replace (in this case, it's [CUSTOMER]) and then enter the new value. In the screenshot, my SOC's team name is Bionics Labs.

Once both values are entered, click the Replace all button.
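The editor's Find and Replace is the quickest route, but if you keep the Workbook JSON in source control or deploy it to several workspaces, the same step can be scripted. The example below is added here and is not part of the original post or of the SOC Process Framework project: it parses the Workbook JSON, replaces the placeholder literally inside string values only (so the square brackets in [CUSTOMER] are never treated as a regex character class and no key or structure is touched), and re-serialises, which guarantees the result is still valid JSON even when the new name contains characters such as a double quote that a raw text replace would leave unescaped. The embedded workbook fragment is a constructed sample in the shape the editor shows; the team name matches the post.

```python
"""Scripted equivalent of the Workbook editor's Find-and-Replace step (added example)."""
import json
import sys
from typing import Any, Tuple

# Constructed sample: a minimal Workbook fragment, not the real SOC Process Framework file.
SAMPLE_WORKBOOK = json.dumps({
    "version": "Notebook/1.0",
    "items": [
        {"type": 1, "content": {"json": "# [CUSTOMER] SOC Process Framework"}},
        {"type": 1, "content": {"json": "Escalate to the [CUSTOMER] Tier 2 team."}},
        {"type": 3, "content": {"query": "SecurityIncident | take 10",
                                "title": "[CUSTOMER] incidents"}},
    ],
    "styleSettings": {},
})


def replace_in_values(node: Any, old: str, new: str) -> Tuple[Any, int]:
    """Recursively replace OLD with NEW inside string values only.

    Returns (new_node, occurrences_replaced). Dictionary keys and the JSON
    structure are left untouched; str.replace is a literal match, so the
    brackets in "[CUSTOMER]" are not a regex character class.
    """
    if isinstance(node, str):
        count = node.count(old)
        return (node.replace(old, new) if count else node), count
    if isinstance(node, list):
        items, total = [], 0
        for item in node:
            new_item, n = replace_in_values(item, old, new)
            items.append(new_item)
            total += n
        return items, total
    if isinstance(node, dict):
        mapping, total = {}, 0
        for key, value in node.items():
            new_value, n = replace_in_values(value, old, new)
            mapping[key] = new_value
            total += n
        return mapping, total
    return node, 0  # numbers, booleans, null: nothing to replace


def replace_placeholder(workbook_json: str, old: str, new: str) -> Tuple[str, int]:
    """Parse, replace, re-serialise.

    Parsing first proves the input was valid JSON; json.dumps escapes any
    quotes or backslashes in NEW, so the output is valid JSON too.
    Raises json.JSONDecodeError if the input is not valid JSON.
    """
    data = json.loads(workbook_json)
    replaced, count = replace_in_values(data, old, new)
    return json.dumps(replaced, indent=2), count


def remaining_placeholders(workbook_json: str, placeholder: str) -> int:
    """Post-check: occurrences of the placeholder left after the replace (expect 0)."""
    return workbook_json.count(placeholder)


def is_valid_json(text: str) -> bool:
    """True if TEXT parses as JSON; used to verify the rewritten Workbook."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    # Usage: python replace_customer.py [workbook.json] [new name]
    # With no arguments the constructed sample is used.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WORKBOOK
    team = sys.argv[2] if len(sys.argv) > 2 else "Bionics Labs"
    output, n = replace_placeholder(source, "[CUSTOMER]", team)
    left = remaining_placeholders(output, "[CUSTOMER]")
    print(f"{n} occurrence(s) replaced, {left} left, valid JSON: {is_valid_json(output)}")
    if len(sys.argv) > 1:
        open(sys.argv[1], "w", encoding="utf-8").write(output)
```

Run it against the downloaded SOCProcessFramework.json with your team name as the second argument and it rewrites the file in place, printing how many occurrences were replaced and confirming the file still parses; the rewritten JSON can then be pasted into the Workbook editor exactly as the manual Replace all result would be.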

Replace code in the JSON file

As you can see in the next image, the value has been replaced.

Replaced value

This Workbook may not be available for everyone yet, but will be soon. But, if you can’t wait to get your hands on this fantastic tome of knowledge, you can grab it from the GitHub repo here: Azure-Sentinel/SOCProcessFramework.json at master · rinure-msft/Azure-Sentinel (github.com)

Rin spent almost 4 months developing this valuable workbook, which includes everything from all the graphics to documentation to diagrams and more.

Not to demean any efforts from my great colleagues on the product teams, but this Workbook might be one of the most significant Azure Sentinel releases since the product itself, because it integrates SOC operations guidance directly into Azure Sentinel. It gives customers guidance on how to operationalize their SOC around Sentinel. It's just fantastic.

If you get a chance, you should send Rin thanks for his effort, hard work, and vision.

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
