
Monitoring Microsoft Sentinel Reports with Dashboard Hub & Power BI

by info.odysseyx@gmail.com


In this blog post, we will cover how to efficiently monitor Microsoft Sentinel workbooks through the Dashboard Hub and create custom reports using Power BI.

Microsoft Sentinel provides a variety of pre-built workbooks that are essential for visualizing data and improving operational efficiency. Given the large number of workbooks available in the content hub solution, organizing them into dashboards makes it easy for stakeholders to access data relevant to their specific interests.

At this point, you’ve probably decided which workbooks you want to save and identified the stakeholders who need access to those specific workbooks for their day-to-day tasks.

Now let’s look at the solution.

You can “pin” workbooks you’re interested in to a dashboard. These dashboards can be private or shared.

  • Private dashboards are accessible only to you.
  • Shared dashboards are Azure resources stored in resource groups. Role-based access control determines who can access shared dashboards.

For our use case, let’s focus on shared dashboards.

As you can see below, you can click on “Pin” and select the shared dashboard you want to pin the workbook to. If no shared dashboards are available, you can click on the “Create New” tab to create a new shared dashboard that will be hosted in the resource group.


In my case, I already have a shared dashboard created for SecOps monitoring.

To access the shared dashboard, go to Dashboard Hub > Shared Dashboards. You can pin multiple workbooks to the shared dashboard. It is recommended that you configure the auto-refresh interval as desired. RBAC controls determine who can access this dashboard, so you can define permissions accordingly.


With this approach, you don’t have to go to Microsoft Sentinel > Workbooks > Search to find the workbook you’re interested in and then view the data. You can pin the relevant workbook to your dashboard and view it right in the dashboard hub.

Let’s look at another use case where we’ll create a Power BI report from Microsoft Sentinel data.

Power BI reports can be created with KQL logic. You can create Power BI reports on data from Microsoft Sentinel and share those reports with people who don’t have access to Microsoft Sentinel. I’m going to create a Power BI report to look at the Syslog table data, where I’m interested in the ProcessName column.

Prerequisites:

  • You will need at least read access to the Microsoft Sentinel workspace.
  • A Power BI account with read access to the Microsoft Sentinel workspace.
  • Power BI desktop app.

Here are the detailed steps:

  • Go to Microsoft Sentinel > Logs
  • Write and run a KQL query to suit your needs. In my case, it’s simple.

Syslog
| summarize count() by ProcessName

  • Click Export > Power BI (as M Query).


  • Copy the contents of the downloaded file (PowerBIQuery.txt).
  • Open Power BI Desktop and sign in with a user account that has at least read access to the Microsoft Sentinel workspace.
  • In the Home section, click “Blank Report”.


  • Click Get Data > Blank Query.


  • In the Power Query Editor, select Advanced Editor.
  • Remove the pre-written content, paste the contents of the PowerBIQuery.txt file, and then click Done.
  • You may be prompted to authenticate. Click Edit Credentials and log in.


  • Click Close & Apply.
  • Now you can create visualizations such as a table or pie chart from the visualization options. In my case, I will use a table and a donut chart to visualize my data.


  • Click Publish and select the workspace where you want to publish the report. In my case, I created a custom workspace where I want to publish the report for SOC monitoring.


  • Once the report is published successfully, log in to https://powerbi.com/ and select the workspace where you want to find the report. You will need to have access to the report.


  • To grant access to a workspace, select the workspace, click the ellipsis (…) > Workspace Access, and grant access to people or groups.


It is also a good idea to schedule automatic refreshes of your reports.

  • Navigate to the workspace, select a report, and click the ellipsis > Settings.


  • Configure refresh schedule
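
A fuller query for the "Write and run a KQL query" step above, as an added example that is not from the original post: it pre-aggregates Syslog by ProcessName, SeverityLevel and day, so the dataset exported to Power BI holds counts rather than raw log messages, which matters when the report is shared with people who have no Microsoft Sentinel access. The 7-day window, daily bin and top-20 cut-off are assumptions to adjust.

```kql
// Added example (not from the original post).
// Assumptions: 7-day lookback, daily bins, top 20 processes by volume.
let lookback = 7d;
// Limit the report to the busiest processes so the dataset stays small.
let topProcesses =
    Syslog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(ProcessName)
    | summarize Total = count() by ProcessName
    | top 20 by Total
    | project ProcessName;
Syslog
| where TimeGenerated > ago(lookback)
| where ProcessName in (topProcesses)
// Only aggregated columns leave the workspace: no SyslogMessage text.
| summarize Events = count(), Hosts = dcount(Computer)
    by ProcessName, SeverityLevel, Day = bin(TimeGenerated, 1d)
| order by Day asc, Events desc
```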


We hope this blog will help you monitor your data effectively using Dashboard Hub and Power BI.





