KQL and Azure Monitor Workbooks you may find useful
These instructions are repeated in a file in the workbooks folder (open the instructions file in RAW mode and download it to see the screenshots):
- If the file is in GitHub, select the [RAW] button and [Copy] the workbook file content (these are JSON files).
- Open Azure Monitor Workbooks (from portal.azure.com), then open the “empty” Azure Monitor Workbook in “advanced edit” mode (press the </> icon) and [paste] over any JSON that exists.
or
- To install into Sentinel, create a New Workbook: Add-Workbook --> Edit --> then use Advanced Edit (press the </> icon), then [paste] over any JSON that exists.
- Then press [Apply], then [Done Editing].
Open Azure Monitor Workbooks
- In “advanced edit” mode (press the </> icon), choose "Gallery Template" for a JSON file or ARM, then press the blue arrow (to the left of the [Apply] button) to download the file.