drill down in azure sentinel workbook

Question

In Splunk, we have the drill-down option in the dashboard so is that possible in azure sentinel workbook? consider I have one chart(tile or piechart) so when I click on that I want to open another tab. Is it possible in azure sentinel workbook?

score 0 · Answer 1 · answered Feb 28 '20 at 03:27

0

You can use a custom drill down on almost all Splunk visualisations. Refer to https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/DrilldownIntro and https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/DrilldownLinkToURL

You can edit your dashboards to include a snippet such as the following, which will pass the value that was clicked as an argument to the target URL.

<drilldown>
    <link>
        [target_URL]?q=[$click.value$]
    </link>
</drilldown>

However, Azure Sentinel Workbook will require that you are able to pass parameters as part of the URL.

answered Feb 28 '20 at 03:27

Simon Duff

2,631
2
7
15

Can you provide some guidance or steps on how to do it in azure sentinel because I'm unable to find any documatnion of azure. – Utsav Patel Feb 28 '20 at 05:22
Sorry, I'm a Splunk guy, I know nothing of Sentinel :( – Simon Duff Feb 28 '20 at 22:43

score 0 · Answer 2 · answered Apr 07 '20 at 01:44

0

currently workbooks does not have a way to open up other views purely from selection in charts/grids/etc.

workbooks does allow exporting those selections as parameters within the workbook to allow further drill-in inside the workbook by using those parameters, and i believe there are several sentinel workbooks that do that. A link step in the workbook could use those parameters to create links that would open up other tabs, but the portal itself has limitations on extensions that prevent them to directly open other tabs on selections.

see: workbooks interactivity docs, which has explanations on how to hook that up.

answered Apr 07 '20 at 01:44

John Gardner

24,225
5
58
76

Thanks. I also used export parameter and put the query in hidden mode so it's only visible when parameter export. So there is no other way to proivde proper drill down right? – Utsav Patel Apr 07 '20 at 05:05
depends what the drill down is. if it is opening other views in the portal, or opening other workbooks, you can use links in the various visualizations, or links steps explicitly. so for example, in azure monitor workbooks, if you pick the vm "Key Metrics" template, you'll get a honeycomb view of VM cpu percentage. if you click any individual cpu% in the chart, it will open another template that shows various metrics over time for that specific VM – John Gardner Apr 07 '20 at 18:01

drill down in azure sentinel workbook

2 Answers2