Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Sentinel Workbook description. #10318

Closed bisskar closed 4 months ago

bisskar commented 6 months ago

Describe the bug

I am unable to update the Sentinel Workbook description. I am generating Terraform code using Python and I can deploy all content hub workbooks and custom ones using the following code. The code contains the creation of a Workbook and a metadata resource. While deploying content hub workbooks I can get the description by linking "contentId"; for custom ones I cannot link to anything, nor create a custom string/object to insert the description (or I don't know how).



resource "azapi_resource" "TF-52bfbd84-1639-480c-bda5-bfc87fd81832" {
    type = "Microsoft.Insights/workbooks@2023-06-01"
    name = "52bfbd84-1639-480c-bda5-bfc87fd81832"
    location = "westeurope"
    parent_id = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourceGroups/public-cloud-law-rg"
    body = jsonencode({
        properties = {
            category = "sentinel"
            description = trim(<<EOF
                        Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events.
You can learn about all user operations, trends, and anomalous changes over time.
This workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events.
                        EOF
                        , " ")
            displayName = "Azure Activity"
            serializedData = trim(<<EOF
                        {"version":"Notebook/1.0","items":[{"type":9,"content":{"version":"KqlParameterItem/1.0","query":"","parameters":[{"id":"52bfbd84-1639-480c-bda5-bfc87fd81832","version":"KqlParameterItem/1.0","name":"TimeRange","type":4,"isRequired":true,"value":{"durationMs":604800000},"typeSettings":{"selectableValues":[{"durationMs":300000},{"durationMs":900000},{"durationMs":1800000},{"durationMs":3600000},{"durationMs":14400000},{"durationMs":43200000},{"durationMs":86400000},{"durationMs":172800000},{"durationMs":259200000},{"durationMs":604800000},{"durationMs":1209600000},{"durationMs":2419200000},{"durationMs":2592000000},{"durationMs":5184000000},{"durationMs":7776000000}]}},{"id":"eeb5dcf9-e898-46af-9c12-d91d97e13cd3","version":"KqlParameterItem/1.0","name":"Caller","type":2,"isRequired":true,"multiSelect":true,"quote":"'","delimiter":",","query":"AzureActivity\r\n| summarize by Caller","value":["value::all"],"typeSettings":{"additionalResourceOptions":["value::all"],"selectAllValue":"All"},"timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces"},{"id":"46375a76-7ae1-4d7e-9082-4191531198a9","version":"KqlParameterItem/1.0","name":"ResourceGroup","type":2,"isRequired":true,"multiSelect":true,"quote":"'","delimiter":",","query":"AzureActivity\r\n| summarize by ResourceGroup","value":["value::all"],"typeSettings":{"resourceTypeFilter":{"microsoft.resources/resourcegroups":true},"additionalResourceOptions":["value::all"],"selectAllValue":"All"},"timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces"}],"style":"pills","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces"},"name":"parameters - 2"},{"type":3,"content":{"version":"KqlItem/1.0","query":"let data = AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup});\r\ndata\r\n| summarize Count = count() by ResourceGroup\r\n| join kind = fullouter (datatable(ResourceGroup:string)['Medium', 'high', 'low']) on ResourceGroup\r\n| project ResourceGroup = iff(ResourceGroup == '', ResourceGroup1, ResourceGroup), Count = iff(ResourceGroup == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ResourceGroup)\r\n on ResourceGroup\r\n| project-away ResourceGroup1, TimeGenerated\r\n| extend ResourceGroups = ResourceGroup\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend ResourceGroup = 'All', ResourceGroups = '*' \r\n)\r\n| order by Count desc\r\n| take 10","size":4,"exportToExcelOptions":"visible","title":"Top 10 active resource groups","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","visualization":"tiles","tileSettings":{"titleContent":{"columnMatch":"ResourceGroup","formatter":1,"formatOptions":{"showIcon":true}},"leftContent":{"columnMatch":"Count","formatter":12,"formatOptions":{"palette":"auto","showIcon":true},"numberFormat":{"unit":17,"options":{"maximumSignificantDigits":3,"maximumFractionDigits":2}}},"secondaryContent":{"columnMatch":"Trend","formatter":9,"formatOptions":{"palette":"blueOrange","showIcon":true}},"showBorder":false}},"name":"query - 3"},{"type":3,"content":{"version":"KqlItem/1.0","query":"AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue hassuffix \"delete\"), creations = countif(OperationNameValue hassuffix \"write\"), updates = countif(OperationNameValue hassuffix \"write\"), Activities = count(OperationNameValue) by bin_at(TimeGenerated, 1h, now())\r\n","size":0,"exportToExcelOptions":"visible","title":"Activities over time","color":"gray","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","visualization":"linechart","graphSettings":{"type":0}},"name":"query - 1"},{"type":3,"content":{"version":"KqlItem/1.0","query":"AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue hassuffix \"Delete\"), creations = countif(OperationNameValue hassuffix \"write\"), updates = countif(OperationNameValue hassuffix \"write\"), Activities = count() by Caller\r\n","size":1,"exportToExcelOptions":"visible","title":"Caller activities","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","gridSettings":{"formatters":[{"columnMatch":"Caller","formatter":0,"formatOptions":{"showIcon":true}},{"columnMatch":"deletions","formatter":4,"formatOptions":{"showIcon":true,"aggregation":"Count"}},{"columnMatch":"creations","formatter":4,"formatOptions":{"palette":"purple","showIcon":true,"aggregation":"Count"}},{"columnMatch":"updates","formatter":4,"formatOptions":{"palette":"gray","showIcon":true,"aggregation":"Count"}},{"columnMatch":"Activities","formatter":4,"formatOptions":{"palette":"greenDark","linkTarget":"GenericDetails","linkIsContextBlade":true,"showIcon":true,"aggregation":"Count","workbookContext":{"componentIdSource":"workbook","resourceIdsSource":"workbook","templateIdSource":"static","templateId":"https://go.microsoft.com/fwlink/?linkid=874159&resourceId=%2Fsubscriptions%2F44e4eff8-1fcb-4a22-a7d6-992ac7286382%2FresourceGroups%2FSOC&featureName=Workbooks&itemId=%2Fsubscriptions%2F44e4eff8-1fcb-4a22-a7d6-992ac7286382%2Fresourcegroups%2Fsoc%2Fproviders%2Fmicrosoft.insights%2Fworkbooks%2F4c195aec-747f-40bb-addb-934acb3ec646&name=CiscoASA&func=NavigateToPortalFeature&type=workbook","typeSource":"workbook","gallerySource":"workbook"}}}],"sortBy":[{"itemKey":"$gen_bar_updates_3","sortOrder":2}]}},"name":"query - 1"},{"type":3,"content":{"version":"KqlItem/1.0","query":"AzureActivity \r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize Informational = countif(Level == \"Informational\"), Warning = countif(Level == \"Warning\"), Error = countif(Level == \"Error\") by bin_at(TimeGenerated, 1h, now())\r\n","size":0,"exportToExcelOptions":"visible","title":"Activities by log level over time","color":"redBright","timeContext":{"durationMs":0},"timeContextFromParameter":"TimeRange","queryType":0,"resourceType":"microsoft.operationalinsights/workspaces","visualization":"scatterchart","tileSettings":{"showBorder":false},"graphSettings":{"type":2,"topContent":{"columnMatch":"Error","formatter":12,"formatOptions":{"showIcon":true}},"hivesContent":{"columnMatch":"TimeGenerated","formatter":1,"formatOptions":{"showIcon":true}},"nodeIdField":"Error","sourceIdField":"Error","targetIdField":"Error","staticNodeSize":100,"groupByField":"TimeGenerated","hivesMargin":5}},"name":"query - 4"}],"fromTemplateId":"sentinel-AzureActivity","$schema":"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"}

                        EOF
                        , " ")
            sourceId = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourceGroups/public-cloud-law-rg/providers/microsoft.OperationalInsights/Workspaces/public-cloud-law"                        
            tags = [
                "TERRAFORM"
            ]
            version = "1.0"
            }
            kind = "shared"                        
        })
    ignore_body_changes = ["properties.sourceId"]

}

resource "azapi_resource" "MT-52bfbd84-1639-480c-bda5-bfc87fd81832" {
    type = "Microsoft.SecurityInsights/metadata@2023-02-01-preview"
    name = "52bfbd84-1639-480c-bda5-bfc87fd81832"
    parent_id = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourcegroups/public-cloud-law-rg/providers/microsoft.operationalinsights/workspaces/public-cloud-law"
    body = jsonencode({
        properties = {
            author = {
                email = "support@microsoft.com"                            
                name = "Microsoft"
            }
            source = {
                kind = "Solution"
                name = "Azure Activity"
                sourceId = "azuresentinel.azure-sentinel-solution-azureactivity"
            }
            support = {
                email = "support@microsoft.com"
                link = "https://support.microsoft.com/"
                name = "Microsoft Corporation"
                tier = "Microsoft"
            }                        
            version = "2.0.0"                        
            kind = "Workbook"
            contentId = "AzureActivityWorkbook"
            dependencies = {"operator": "AND", "criteria": [{"contentId": "AzureActivity", "kind": "DataType"}, {"contentId": "AzureActivity", "kind": "DataConnector"}]}
            parentId = "/subscriptions/ff862bc9-2072-4c88-a58a-219a0fadb41b/resourceGroups/public-cloud-law-rg/providers/Microsoft.Insights/workbooks/52bfbd84-1639-480c-bda5-bfc87fd81832"   
    }
    })

    ignore_body_changes = ["properties.source"]                
    lifecycle {
        ignore_changes = [parent_id]                    
    }
}

The parameter responsible for inserting the description is contentId = "AzureActivityWorkbook". The description specified in azapi_resource has no effect. How do I customise the description? It doesn't have to be Terraform; the API would be OK too.

How it should look:

Summary: How to modify the workbook description using any method: Terraform, API, manually.
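As an added example (not code from the issue or from the Azure-Sentinel project), the generator below produces the same two-resource layout the post uses, a Microsoft.Insights/workbooks resource plus a Microsoft.SecurityInsights/metadata resource whose parentId points back at the workbook, and checks the links that silently break when the HCL is assembled by hand. The resource types, API versions, category "sentinel" and kind "Workbook" are taken from the post; the identifiers, the sample notebook and the choice to use the workbook's own GUID as the custom contentId are constructed assumptions (the thread leaves the custom contentId open). Two details the post's heredoc approach does not handle are addressed here: serializedData is emitted as a single-line JSON string, so a line break can never land inside a KQL query literal, and HCL template sequences ("${", "%{") inside the workbook JSON are escaped.

```python
"""Generate the azapi workbook + Sentinel metadata resource pair for a custom
workbook and sanity-check the links between them.
Added example; not code from the issue or the Azure-Sentinel repo. Assumes an
azapi_resource with body = jsonencode(...), the types/API versions from the
issue, and (assumption) contentId = the workbook's own GUID for custom content."""
import json

WORKBOOK_TYPE = "Microsoft.Insights/workbooks@2023-06-01"
METADATA_TYPE = "Microsoft.SecurityInsights/metadata@2023-02-01-preview"


def hcl_string(value):
    """Quote a string as an HCL literal. JSON escaping is valid HCL escaping, but
    HCL also treats "${" and "%{" as template directives, so those are doubled."""
    return json.dumps(value).replace("${", "$${").replace("%{", "%%{")


def to_hcl(value, indent=0):
    """Render a Python value as an HCL object/list/literal expression."""
    pad = "  " * indent
    if isinstance(value, dict):
        rows = [f"{pad}  {k if k.isidentifier() else hcl_string(k)} = "
                f"{to_hcl(v, indent + 1)}" for k, v in value.items()]
        return "{\n" + "\n".join(rows) + f"\n{pad}}}"
    if isinstance(value, list):
        return "[" + ", ".join(to_hcl(v, indent + 1) for v in value) + "]"
    if isinstance(value, bool):          # must precede the int check
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return hcl_string(str(value))


def workbook_resource_id(sub, rg, name):
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Insights/workbooks/{name}"


def workspace_resource_id(sub, rg, workspace):
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}")


def build_bodies(sub, rg, workspace, name, display_name, description, notebook, content_id):
    """Return (workbook_body, metadata_body) laid out as in the issue."""
    workbook_body = {"kind": "shared", "properties": {
        "category": "sentinel", "displayName": display_name, "description": description,
        # serializedData is a JSON *string*; one line, so no raw newline ends up
        # inside a KQL query literal (which would be invalid JSON).
        "serializedData": json.dumps(notebook, separators=(",", ":")),
        "sourceId": workspace_resource_id(sub, rg, workspace),
        "version": "1.0", "tags": ["TERRAFORM"]}}
    metadata_body = {"properties": {
        "kind": "Workbook", "contentId": content_id,
        "parentId": workbook_resource_id(sub, rg, name),
        "version": "1.0.0", "author": {"name": "Example author"}}}   # constructed
    return workbook_body, metadata_body


def render_pair(sub, rg, workspace, location, name, workbook_body, metadata_body):
    """Emit both azapi_resource blocks as HCL text."""
    return (
        f'resource "azapi_resource" "TF-{name}" {{\n'
        f"  type      = {hcl_string(WORKBOOK_TYPE)}\n"
        f"  name      = {hcl_string(name)}\n"
        f"  location  = {hcl_string(location)}\n"
        f'  parent_id = {hcl_string(f"/subscriptions/{sub}/resourceGroups/{rg}")}\n'
        f"  body      = jsonencode({to_hcl(workbook_body, 1)})\n}}\n\n"
        f'resource "azapi_resource" "MT-{name}" {{\n'
        f"  type      = {hcl_string(METADATA_TYPE)}\n"
        f"  name      = {hcl_string(name)}\n"
        f"  parent_id = {hcl_string(workspace_resource_id(sub, rg, workspace))}\n"
        f"  body      = jsonencode({to_hcl(metadata_body, 1)})\n"
        f"  depends_on = [azapi_resource.TF-{name}]\n}}\n"
    )


def check_pair(workbook_body, metadata_body, expected_workbook_id):
    """Structural checks for mistakes that silently break the workbook/metadata link."""
    problems = []
    props, mprops = workbook_body["properties"], metadata_body["properties"]
    try:
        json.loads(props["serializedData"])
    except ValueError as exc:
        problems.append(f"serializedData is not valid JSON: {exc}")
    if props.get("category") != "sentinel":
        problems.append("category must be 'sentinel' for the Sentinel workbook gallery")
    if mprops.get("kind") != "Workbook":
        problems.append("metadata kind must be 'Workbook'")
    if mprops.get("parentId", "").lower() != expected_workbook_id.lower():
        problems.append("metadata parentId does not point at the workbook resource")
    return problems


# Constructed minimal notebook; not the issue's Azure Activity workbook.
SAMPLE_NOTEBOOK = {"version": "Notebook/1.0", "items": [{"type": 3, "name": "query - 0",
    "content": {"version": "KqlItem/1.0", "queryType": 0,
                "query": "AzureActivity\n| summarize count() by Caller",
                "resourceType": "microsoft.operationalinsights/workspaces"}}],
    "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"}

if __name__ == "__main__":
    sub, rg, ws = "00000000-0000-0000-0000-000000000000", "example-rg", "example-law"  # constructed
    name = "11111111-2222-3333-4444-555555555555"                                      # constructed
    wb, md = build_bodies(sub, rg, ws, name, "Custom Activity", "Custom description",
                          SAMPLE_NOTEBOOK, content_id=name)
    print(render_pair(sub, rg, ws, "westeurope", name, wb, md))
    print("problems:", check_pair(wb, md, workbook_resource_id(sub, rg, name)))
```

Note that check_pair cannot tell you whether Sentinel will display the description: as the thread concludes, for custom workbooks the gallery description is driven by the metadata contentId and there is no supported way to set it; the check only guarantees the two resources are well-formed and linked.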

v-sudkharat commented 6 months ago

Hi @bisskar, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 22-04-2024. Thanks!

bisskar commented 6 months ago

Similar question asked in the past (the only topic related to this problem I could really find): https://techcommunity.microsoft.com/t5/microsoft-sentinel/workbook-logos-and-descriptions/m-p/2570122

Some more description regarding post above:

None of those contain parameters to modify the Workbook description. The metadata resource can change/add all of the different fields like Content source, Template version, Author, Supported by, etc. By manually removing each field I discovered that the parameter responsible for Description is contentId. While for OOB templates this is some kind of link to templates/packages, e.g. contentId = "AzureActivityWorkbook", for custom workbooks it is not clear what should be put there.


ref: https://learn.microsoft.com/en-us/azure/templates/microsoft.securityinsights/2023-02-01-preview/metadata?pivots=deployment-language-bicep

I need some guidance on how to insert the Description using this or another way.

bisskar commented 6 months ago

Hi @bisskar, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 22-04-2024. Thanks!

Hello, any news?

v-sudkharat commented 6 months ago

Hey @bisskar, sorry for the delay in response. We are working on reproducing this issue from our end. We will share an update with you once the investigation is done from our end. Thanks!

bisskar commented 5 months ago

Hey @bisskar, sorry for the delay in response. We are working on reproducing this issue from our end. We will share an update with you once the investigation is done from our end. Thanks!

any news?

v-sudkharat commented 5 months ago

Hi @bisskar, after replicating this issue, we are getting the same result for the description which you posted above. So, to check on this, we reached out to our concerned team. Once we receive any update from our team, we will share it with you. Thanks!

bisskar commented 5 months ago

Hi @bisskar, after replicating this issue, we are getting the same result for the description which you posted above. So, to check on this, we reached out to our concerned team. Once we receive any update from our team, we will share it with you. Thanks!

Any news?

v-sudkharat commented 5 months ago

Hey @bisskar, we are still checking with the respective team on this issue.

v-sudkharat commented 4 months ago

Hello @bisskar, we appreciate your patience and would like to share with you that, after consultation with our relevant team, it has been confirmed that the feature you requested is currently not available. Your request has been noted and added to our feature development queue. Unfortunately, we are unable to provide an ETA for this feature, so we are closing this issue on GitHub. If you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation.

bisskar commented 4 months ago

I guess a workaround would be to create a solution: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/README.md

Is it possible to create 'private' one?

v-sudkharat commented 4 months ago

Hey @bisskar, as mentioned in comment https://github.com/Azure/Azure-Sentinel/issues/10318#issuecomment-2148984079, this issue has been taken up by the respective team and they will take it up/prioritise it. Currently we can't create a 'private' one. Thanks!