Building Your Own Potential Malicious Events Heatmap for Microsoft Sentinel
Malicious rhymes with Delicious
With the new entry point actively rolling out to Microsoft Sentinel environments (see: There’s a New Microsoft Sentinel Entry Page in Town), some organizations are wishing they could at least retain the heatmap from the original console layout. According to most, the rest of the new UI is valuable and likeable, but the heatmap is sorely missed.
To be honest, it wasn’t used as much as you might think. I believe it was used more for showcasing Sentinel to customers than utilized as an active mechanism.
But, if you’re one of those organizations that can’t live without it, you can create your own.
If you don’t want to mess with creating it yourself, or would simply like the module to add it to an existing Workbook, or you’d like to get straight to tweaking it, here’s the code for the Workbook module: https://rodtrent.com/xt8
If, on the other hand, you’re up for learning how this works and mucking around in the guts of the Azure Monitor Workbooks, do the following:
[1] Create a new Workbook in Microsoft Sentinel and open it in Edit mode.
[2] Add a new “Add query” module to the Workbook.
[3] Grab the query from https://rodtrent.com/2s0, insert it into the query window, and then change the Visualization to Map.
[4] Finally, adjust the Map Settings to match the settings shown in the following image.
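If you want something to paste into the query window while you work through those steps, here is an added example of the kind of query the Map visualization expects. It is not the query linked above and not Microsoft’s original heatmap query; it assumes you have CommonSecurityLog data (CEF from a firewall or similar) with SourceIP and DeviceAction populated, and it uses the built-in geo_info_from_ip_address() and ipv4_is_private() KQL functions. The action values it filters on (“deny”, “drop”, “block”) are an assumption and depend on your device’s vocabulary.

```kql
// Added example query for a Workbook Map visualization (not the post's own query).
// Assumptions: CommonSecurityLog is populated, SourceIP holds the remote address,
// and DeviceAction uses deny/drop/block for blocked traffic (adjust to your device).
let lookback = 24h;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP)
// Only blocked or denied traffic counts as a "potential malicious event" here.
| where DeviceAction in~ ("deny", "drop", "block")
// RFC 1918 addresses never geolocate and would only produce empty rows.
| where not(ipv4_is_private(SourceIP))
// geo_info_from_ip_address returns a dynamic bag with country, state, city, latitude, longitude.
| extend Geo = geo_info_from_ip_address(SourceIP)
| extend Country   = tostring(Geo.country),
         City      = tostring(Geo.city),
         Latitude  = toreal(Geo.latitude),
         Longitude = toreal(Geo.longitude)
// Drop addresses the GeoIP data set could not place (Latitude/Longitude come back null).
| where isnotnull(Latitude) and isnotnull(Longitude)
// One row per location; Count drives the marker size and colour, Sources shows spread.
| summarize Count = count(), Sources = dcount(SourceIP)
    by Country, City, Latitude, Longitude
| project Country, City, Latitude, Longitude, Count, Sources
| order by Count desc
```

With the Visualization set to Map, point “Location info from” at Latitude/Longitude, choose Latitude and Longitude as the coordinate fields, size and colour the markers by Count, and pick the heatmap colour type. Latitude/Longitude is more reliable than the country-name option because geo_info_from_ip_address() returns full country names rather than ISO codes, and the map may not match every spelling. Replace the lookback with a Workbook time range parameter once you add the selector mentioned below.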
Now, this is not exactly like the original, but it should provide a starting point.
There might be some further adjustments to be made, but have fun with it. For example, you might want to add a time range selector, or try to match the original more closely with the Outbound, Inbound, and Unknown data points. Let me know if you find something that needs fixing, but definitely let me know what you do with it. I would love to see some awesome creations.
For many of you, here’s a last look at the original…