How To Create Workbooks


Overview

Workbooks are an elegant way to schedule alerts without the hassle of writing the same queries in the “Search” segment again and again. They are very useful for automating the queries behind each use case.

Now, let’s see how we can create a workbook in our DNIF Console:

Procedure

1. First, click on the “Management” tab in the top left corner of the console, as shown in the screenshot below:

image

2. We can also click on the “More” option, which is available while using the “Search” tab for our queries.

image

3. You should now see a drop-down sub-menu. Click on the option named “Repository”, as shown in the screenshot below:

image

4. After we click on the “Repository” tab, we shall get this view:

image

5. Time to create our first “Workbook”! Click on the ‘+’ button at the top right corner. From the drop down menu, select the option “Workbook”, as shown in the screenshot below:

image

6. Now, we are greeted with the “New Workbook” Template, as shown in the screenshot below:

image

7. Fill up the details in the visible sections, namely:

  • Name: In this section, enter the name or identifier by which we would like to identify this workbook. For now, let’s name it “Sample Workbook”.
  • Status: Choose between “active” or “inactive” to enable or disable the workbook as per the use case or requirements. The workbook is set to “active” by default.
  • Description: In this section, enter any text that summarizes the workbook and its purpose. For our example, we have filled the description section with “This is a sample workbook for demo purpose.”
  • Reference: In this section, enter any text that lets us identify this workbook at a glance from the repository view.
  • Choose Tags: In this section, we have the option to enter relevant tags or words for easy categorization of the workbook. In our example, we have entered “XSS”.

8. You can either click on the “Save” button at the bottom of the page or click on the “Add New Query” button to continue building your workbook. For this example, we have just entered the following query, which gives the “WEBSERVER” logs within the last 1 hour and sends the result to an email address.

    _fetch * from event where $Duration=6h AND $LogType=WEBSERVER  limit 10
    >>_trigger notify_email [email protected]

9. So now, our “Workbook Template” looks as shown in the screenshot below:

image

10. Now for the final section, named “Cron”. This section enables us to schedule the query to run at specific time intervals. Values entered in this section must follow the cron format. If you are familiar with ways to schedule “Cron” jobs, then this is going to be a breeze for you! You could also get help from the website Crontab Guru, an awesome website that helps create “Cron” values with ease.

image

11. With the assistance of Crontab Guru, we have scheduled the timer to trigger at 5 PM daily. We simply copy-paste the value into our “Cron” section to set the timer and click on “Save”.
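The “Cron” value is the one field on this form where a typo silently breaks the schedule: a workbook saved with an out-of-range hour never fires, and one saved with “* * * * *” fires every minute and floods the notification mailbox. The following is an added example, not DNIF’s own scheduler or validator, that parses a standard five-field crontab expression (minute, hour, day-of-month, month, day-of-week), rejects out-of-range values, and computes when the expression would next fire. It assumes the classic crontab semantics (Sunday is 0; when both day fields are restricted, cron fires if either matches); whether DNIF accepts every crontab extension shown here (steps, lists, ranges) is an assumption to check against the console, and the “0 17 * * *” schedule for 5 PM daily is the value from this walkthrough.

```python
"""Minimal five-field cron parser and matcher (added example, not DNIF code)."""
from datetime import datetime, timedelta

# Field name and inclusive range for the five standard crontab fields.
FIELDS = [
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 6),  # 0 = Sunday, as in crontab ("7" for Sunday is not accepted here)
]


def expand_field(expr, lo, hi):
    """Expand one field ('*', '5', '1-5', '*/15', '1,2', '5/20') into a set of ints.

    Raises ValueError for malformed or out-of-range input, so a typo in the
    "Cron" box is caught before a workbook is saved with a schedule that never
    fires or fires constantly.
    """
    values = set()
    for part in expr.split(","):
        step, stepped = 1, False
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            stepped = True
            if step < 1:
                raise ValueError(f"step must be >= 1 in field {expr!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if stepped else start  # "5/20" means 5, 25, 45, ... up to hi
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {expr!r} is outside the range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Split a 'min hour dom mon dow' expression into a dict of allowed-value sets."""
    parts = expr.split()
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {expr!r}")
    sched = {name: expand_field(text, lo, hi) for text, (name, lo, hi) in zip(parts, FIELDS)}
    # Classic cron: day-of-month and day-of-week are OR-ed only when both are
    # restricted; if either is '*', the restricted one alone decides the day.
    sched["day_fields_both_restricted"] = parts[2] != "*" and parts[4] != "*"
    return sched


def _fires(sched, when):
    """True if a parsed schedule fires in the minute containing `when`."""
    if when.minute not in sched["minute"] or when.hour not in sched["hour"]:
        return False
    if when.month not in sched["month"]:
        return False
    dom_ok = when.day in sched["day_of_month"]
    # Python's weekday() has Monday = 0; crontab has Sunday = 0.
    dow_ok = (when.weekday() + 1) % 7 in sched["day_of_week"]
    if sched["day_fields_both_restricted"]:
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def matches(expr, when):
    """True if the cron expression would fire at the given minute."""
    return _fires(parse_cron(expr), when)


def next_run(expr, after, horizon_days=366):
    """Earliest minute strictly after `after` at which the expression fires, or None."""
    sched = parse_cron(expr)  # parse once, then scan minute by minute
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = t + timedelta(days=horizon_days)
    while t < end:
        if _fires(sched, t):
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    daily_5pm = "0 17 * * *"  # the "5 PM daily" value from the walkthrough
    print(parse_cron(daily_5pm)["hour"], parse_cron(daily_5pm)["minute"])
    print(next_run(daily_5pm, datetime(2024, 1, 1, 9, 0)))
```

Running `parse_cron` on a candidate value before pasting it into the console is a quick way to confirm that the expression means what Crontab Guru said it does, and `next_run` shows the first scheduled execution so you can check that the workbook’s `$Duration` window and its cron interval line up rather than overlap or leave gaps.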

Voila!!! We have successfully created our first workbook and the same can be seen in the “Repository View”.