Closed gardnerjr closed 4 years ago
Also FYI, your first link in the workbooks README links to Jupyter notebooks, not Azure Workbooks. Close but not quite :D
Hi @gardnerjr , many thanks for your comments and suggestions. I've opened two issues to address your specific points. I'll look into issue #11 at some point next week. Alternatively if you want to submit a pull request we'll happily accept the contribution.
Throughout your template in https://github.com/BlueTeamLabs/sentinel-attack/tree/master/hunting/workbooks, you have this:
in each query step.
If the user is already opening workbooks from inside Sentinel, the workspace to query should already be "set" in the workbook's resources (in edit mode, click the gear icon in the toolbar; on the Resources tab you should see a workspace already listed there). If that's the case, query steps of the workbook will "inherit" that resource automatically; it doesn't need to be explicitly listed in each step.
Also, in the advanced editor, if you scroll all the way to the bottom in this state, there should be a couple of properties like
If that is the case, then the extra `crossResourceIds` section listing the workspace in every step is only there as an "override" from the default resources. So hypothetically, you can remove all of the `crossComponentResources` settings from the whole template you have, and just pasting it like it is should keep the window's `defaultResourceIds` intact, and all the query steps would inherit that default workspace. That should just work without having to do a lot of replacements. (If that doesn't work, the instructions should probably say to copy the `defaultResourceIds` section from the bottom of the advanced editor when it opens into your template, and paste that back into the advanced editor.)
I'm working with the Sentinel team on trying to clear up some of how they're doing the workbooks, so that this is a little simpler for everyone.
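The clean-up suggested in this thread (drop the per-step `crossComponentResources` override everywhere so each query step inherits the workbook-level `defaultResourceIds`) is mechanical enough to script. The following is an added example written for this page; it is not code from the sentinel-attack repository or from either commenter. The template layout it walks (a top-level `items` list, query steps carrying a `content` dict, group steps nesting further `items` under `content`), the step type numbers, and the property names `crossComponentResources` and `defaultResourceIds` are assumptions taken from the thread and from the workbook JSON format as generally understood, not verified against the project's files. The sample template and workspace resource ID are constructed for the example.

```python
"""Strip per-step workspace overrides from an Azure Workbooks template.

Added example, not project code. Assumed template layout: top-level
"items" list; query steps are dicts with a "content" dict; group steps
(assumed type 12) nest their own "items" under "content". The property
names crossComponentResources / defaultResourceIds come from the thread.
"""
import copy
import json

# Constructed sample workspace resource ID (not a real subscription).
WORKSPACE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
    "/providers/Microsoft.OperationalInsights/workspaces/example-ws"
)

# Constructed sample template: two query steps, one nested in a group,
# both carrying the explicit override this thread says is redundant.
SAMPLE_TEMPLATE = {
    "version": "Notebook/1.0",
    "items": [
        {"type": 1, "content": {"json": "## Hunting workbook"}, "name": "title"},
        {
            "type": 3,
            "content": {
                "version": "KqlItem/1.0",
                "query": "SecurityEvent | take 10",
                "crossComponentResources": [WORKSPACE],
                "queryType": 0,
                "resourceType": "microsoft.operationalinsights/workspaces",
            },
            "name": "query-1",
        },
        {
            "type": 12,
            "content": {
                "version": "NotebookGroup/1.0",
                "items": [
                    {
                        "type": 3,
                        "content": {
                            "version": "KqlItem/1.0",
                            "query": "Sysmon | where EventID == 1",
                            "crossComponentResources": [WORKSPACE],
                            "queryType": 0,
                            "resourceType": "microsoft.operationalinsights/workspaces",
                        },
                        "name": "query-2",
                    }
                ],
            },
            "name": "group-1",
        },
    ],
    # Workbook-level default the steps should inherit (name per the thread).
    "defaultResourceIds": [WORKSPACE],
}
SAMPLE_TEMPLATE_TEXT = json.dumps(SAMPLE_TEMPLATE, indent=2)


def _walk_contents(items):
    """Yield the "content" dict of every step, descending into groups."""
    for step in items:
        content = step.get("content")
        if not isinstance(content, dict):
            continue
        yield content
        # Group steps carry their own nested items under content.
        yield from _walk_contents(content.get("items", []))


def count_overrides(template):
    """Number of steps that still carry an explicit crossComponentResources."""
    return sum(1 for c in _walk_contents(template.get("items", []))
               if "crossComponentResources" in c)


def strip_cross_component_resources(template):
    """Return (cleaned deep copy, number of overrides removed).

    The input is left untouched; defaultResourceIds and every query are kept.
    """
    cleaned = copy.deepcopy(template)
    removed = 0
    for content in _walk_contents(cleaned.get("items", [])):
        if content.pop("crossComponentResources", None) is not None:
            removed += 1
    return cleaned, removed


def clean_template_text(text):
    """Same transform on the raw JSON text you would paste into the editor."""
    cleaned, _ = strip_cross_component_resources(json.loads(text))
    return json.dumps(cleaned, indent=2)


if __name__ == "__main__":
    cleaned, removed = strip_cross_component_resources(SAMPLE_TEMPLATE)
    print(f"removed {removed} override(s); "
          f"{count_overrides(cleaned)} remain; "
          f"defaults: {cleaned['defaultResourceIds']}")
```

Run it against an exported template (`clean_template_text(open(path).read())`) and paste the result back into the advanced editor; if the pasted template loses its default workspace, that is the fallback case the comment above describes, and you copy the `defaultResourceIds` section from the editor back into the template by hand.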