Azure-Sentinel
Azure-Sentinel copied to clipboard
Azure
Sentinel Workbook description.
Describe the bug A clear and concise description of what the bug is.
I am unable to update Sentinel Workbook description. I am generating terraform code using python and I can deploy all content hub workbooks and custom using following code. Code contain creation of Workbook and metadata resource. While deploying content hub workbooks I can get description via linking "contentId", for custom I can not link to anything nor create custom string/object to insert description (or I don't know how).
resource "azapi_resource" "TF-52bfbd84-1639-480c-bda5-bfc87fd81832" {
type = "Microsoft.Insights/workbooks@2023-06-01"
name = "52bfbd84-1639-480c-bda5-bfc87fd81832"
location = "westeurope"
parent_id = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourceGroups/public-cloud-law-rg"
body = jsonencode({
properties = {
category = "sentinel"
description = trim(<<EOF
Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events.
You can learn about all user operations, trends, and anomalous changes over time.
This workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events.
EOF
, " ")
displayName = "Azure Activity"
serializedData = trim(<<EOF
{"version":"Notebook/1.0","items":[{"type":9,"content":{"version":"KqlParameterItem/1.0","query":"","parameters":[{"id":"52bfbd84-1639-480c-bda5-bfc87fd81832","version":"KqlParameterItem/1.0","name":"TimeRange","type":4,"isRequired":true,"value":{"durationMs":604800000},"typeSettings":{"selectableValues":[{"durationMs":300000},{"durationMs":900000},{"durationMs":1800000},{"durationMs":3600000},{"durationMs":14400000},{"durationMs":43200000},{"durationMs":86400000},{"durationMs":172800000},{"durationMs":259200000},{"durationMs":604800000},{"durationMs":1209600000},{"durationMs":2419200000},{"durationMs":2592000000},{"durationMs":5184000000},{"durationMs":7776000000}]}},{"id":"eeb5dcf9-e898-46af-9c12-d91d97e13cd3","version":"KqlParameterItem/1.0","name":"Caller","type":2,"isRequired":true,"multiSelect":true,"quote":"'","delimiter":",","query":"AzureActivity\r\n| summarize by Caller","value":["value::all"],"typeSettings":{"additionalResourceOptions":["value::all"],"selectAllValue":"All"},"timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces"},{"id":"46375a76-7ae1-4d7e-9082-4191531198a9","version":"KqlParameterItem/1.0","name":"ResourceGroup","type":2,"isRequired":true,"multiSelect":true,"quote":"'","delimiter":",","query":"AzureActivity\r\n| summarize by ResourceGroup","value":["value::all"],"typeSettings":{"resourceTypeFilter":{"microsoft.resources/resourcegroups":true},"additionalResourceOptions":["value::all"],"selectAllValue":"All"},"timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces"}],"style":"pills","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces"},"name":"parameters - 2"},{"type":3,"content":{"version":"KqlItem/1.0","query":"let data = AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup});\r\ndata\r\n| summarize Count = count() by ResourceGroup\r\n| join kind = fullouter (datatable(ResourceGroup:string)['Medium', 'high', 'low']) on ResourceGroup\r\n| project ResourceGroup = iff(ResourceGroup == '', ResourceGroup1, ResourceGroup), Count = iff(ResourceGroup == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ResourceGroup)\r\n on ResourceGroup\r\n| project-away ResourceGroup1, TimeGenerated\r\n| extend ResourceGroups = ResourceGroup\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend ResourceGroup = 'All', ResourceGroups = '*' \r\n)\r\n| order by Count desc\r\n| take 10","size":4,"exportToExcelOptions":"visible","title":"Top 10 active resource groups","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","visualization":"tiles","tileSettings":{"titleContent":{"columnMatch":"ResourceGroup","formatter":1,"formatOptions":{"showIcon":true}},"leftContent":{"columnMatch":"Count","formatter":12,"formatOptions":{"palette":"auto","showIcon":true},"numberFormat":{"unit":17,"options":{"maximumSignificantDigits":3,"maximumFractionDigits":2}}},"secondaryContent":{"columnMatch":"Trend","formatter":9,"formatOptions":{"palette":"blueOrange","showIcon":true}},"showBorder":false}},"name":"query - 3"},{"type":3,"content":{"version":"KqlItem/1.0","query":"AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue hassuffix \"delete\"), creations = countif(OperationNameValue hassuffix \"write\"), updates = countif(OperationNameValue hassuffix \"write\"), Activities = count(OperationNameValue) by bin_at(TimeGenerated, 1h, now())\r\n","size":0,"exportToExcelOptions":"visible","title":"Activities over time","color":"gray","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","visualization":"linechart","graphSettings":{"type":0}},"name":"query - 1"},{"type":3,"content":{"version":"KqlItem/1.0","query":"AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue hassuffix \"Delete\"), creations = countif(OperationNameValue hassuffix \"write\"), updates = countif(OperationNameValue hassuffix \"write\"), Activities = count() by Caller\r\n","size":1,"exportToExcelOptions":"visible","title":"Caller activities","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","gridSettings":{"formatters":[{"columnMatch":"Caller","formatter":0,"formatOptions":{"showIcon":true}},{"columnMatch":"deletions","formatter":4,"formatOptions":{"showIcon":true,"aggregation":"Count"}},{"columnMatch":"creations","formatter":4,"formatOptions":{"palette":"purple","showIcon":true,"aggregation":"Count"}},{"columnMatch":"updates","formatter":4,"formatOptions":{"palette":"gray","showIcon":true,"aggregation":"Count"}},{"columnMatch":"Activities","formatter":4,"formatOptions":{"palette":"greenDark","linkTarget":"GenericDetails","linkIsContextBlade":true,"showIcon":true,"aggregation":"Count","workbookContext":{"componentIdSource":"workbook","resourceIdsSource":"workbook","templateIdSource":"static","templateId":"https://go.microsoft.com/fwlink/?linkid=874159&resourceId=%2Fsubscriptions%2F44e4eff8-1fcb-4a22-a7d6-992ac7286382%2FresourceGroups%2FSOC&featureName=Workbooks&itemId=%2Fsubscriptions%2F44e4eff8-1fcb-4a22-a7d6-992ac7286382%2Fresourcegroups%2Fsoc%2Fproviders%2Fmicrosoft.insights%2Fworkbooks%2F4c195aec-747f-40bb-addb-934acb3ec646&name=CiscoASA&func=NavigateToPortalFeature&type=workbook","typeSource":"workbook","gallerySource":"workbook"}}}],"sortBy":[{"itemKey":"$gen_bar_updates_3","sortOrder":2}]}},"name":"query - 1"},{"type":3,"content":{"version":"KqlItem/1.0","query":"AzureActivity \r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize Informational = countif(Level == \"Informational\"), Warning = countif(Level == \"Warning\"), Error = countif(Level == \"Error\") by bin_at(TimeGenerated, 1h, now())\r\n","size":0,"exportToExcelOptions":"visible","title":"Activities by log level over time","color":"redBright","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","visualization":"scatterchart","tileSettings":{"showBorder":false},"graphSettings":{"type":2,"topContent":{"columnMatch":"Error","formatter":12,"formatOptions":{"showIcon":true}},"hivesContent":{"columnMatch":"TimeGenerated","formatter":1,"formatOptions":{"showIcon":true}},"nodeIdField":"Error","sourceIdField":"Error","targetIdField":"Error","staticNodeSize":100,"groupByField":"TimeGenerated","hivesMargin":5}},"name":"query - 4"}],"fromTemplateId":"sentinel-AzureActivity","$schema":"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"}
EOF
, " ")
sourceId = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourceGroups/public-cloud-law-rg/providers/microsoft.OperationalInsights/Workspaces/public-cloud-law"
tags = [
"TERRAFORM"
]
version = "1.0"
}
kind = "shared"
})
ignore_body_changes = ["properties.sourceId"]
}
resource "azapi_resource" "MT-52bfbd84-1639-480c-bda5-bfc87fd81832" {
type = "Microsoft.SecurityInsights/metadata@2023-02-01-preview"
name = "52bfbd84-1639-480c-bda5-bfc87fd81832"
parent_id = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourcegroups/public-cloud-law-rg/providers/microsoft.operationalinsights/workspaces/public-cloud-law"
body = jsonencode({
properties = {
author = {
email = "[email protected]"
name = "Microsoft"
}
source = {
kind = "Solution"
name = "Azure Activity"
sourceId = "azuresentinel.azure-sentinel-solution-azureactivity"
}
support = {
email = "[email protected]"
link = "https://support.microsoft.com/"
name = "Microsoft Corporation"
tier = "Microsoft"
}
version = "2.0.0"
kind = "Workbook"
contentId = "AzureActivityWorkbook"
dependencies = {"operator": "AND", "criteria": [{"contentId": "AzureActivity", "kind": "DataType"}, {"contentId": "AzureActivity", "kind": "DataConnector"}]}
parentId = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourceGroups/public-cloud-law-rg/providers/Microsoft.Insights/workbooks/52bfbd84-1639-480c-bda5-bfc87fd81832"
}
})
ignore_body_changes = ["properties.source"]
lifecycle {
ignore_changes = [parent_id]
}
}
parameter responsible for inserting description is contentId = "AzureActivityWorkbook". Description specified in azapi_resource has no effect. How do I customise Description?
It doesn't have to me terraform, API would be ok too.
How it should look like:
Summary: How to modify workbook description using any method: terraform, API, manually.
Hi @bisskar, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 22-04-2024 . Thanks!
Similar question asked in the past (the only topic related to this problem I could really find): https://techcommunity.microsoft.com/t5/microsoft-sentinel/workbook-logos-and-descriptions/m-p/2570122
Some more description regarding post above:
- I am creating Sentinel Workbook using AzApi: "Microsoft.Insights/workbooks@2023-06-01"
- I am creating metadata resource using AzAPI: Microsoft.SecurityInsights/metadata@2023-02-01-preview
None of those contain parameters to modify the Workbook description. Metadata resource can change/add all of the different fields like Content source, Template version, Author, Supported by etc. Manually removing each field I discovered that parameter responsible for Description is contentId. While for OOB Templates this is some kind of link to templates/packageds f.e contentId = "AzureActivityWorkbook. For custom workbooks it is not clear what should be put there.
ref: https://learn.microsoft.com/en-us/azure/templates/microsoft.securityinsights/2023-02-01-preview/metadata?pivots=deployment-language-bicep
I need some guidance how to insert Description using this or another way.
Hi @bisskar, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 22-04-2024 . Thanks!
Hello, any news ?
Hey @bisskar, Sorry for delay in response. We are working on repro this issue from our end. will share update with you once investigation done from our end. Thanks!
Hey @bisskar, Sorry for delay in response. We are working on repro this issue from our end. will share update with you once investigation done from our end. Thanks!
any news?
Hi @bisskar, After replication this issue, we are getting the same result for description which you posted above. so, to check on this we reached out to our concern team. Once we receive any update from our team, we will share with you. Thanks!
Hi @bisskar, After replication this issue, we are getting the same result for description which you posted above. so, to check on this we reached out to our concern team. Once we receive any update from our team, we will share with you. Thanks!
Any news?
Hello @bisskar We appreciate your patience and would like to share update you that after consultation with our relevant team, it has been confirmed that the feature you requested is currently not available. Your request has been noted and added to our feature development queue. Unfortunately, we are unable to provide an ETA for this feature. So, closing this issue from GitHub. If you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation. Thank you.
I guess workarround would be to create solution https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/README.md
Is it possible to create 'private' one?
Hey @bisskar, As mentioned in comment -https://github.com/Azure/Azure-Sentinel/issues/10318#issuecomment-2148984079, this issue taken up by respective team and they will take it up/ priorities to it. Currently we can't create 'private' one. Thanks!