How to Create and Customize Azure Sentinel Workbooks Step by Step
You can create and customize Azure Sentinel Workbooks in the Azure Portal to turn security data into easy-to-read, interactive reports. Workbooks let you monitor insider risk, detect threats, check supply chain security, and track compliance. Many security teams use these dashboards for sign-in logs and alerts, and to work more efficiently day to day. Before you start, make sure you have the right permissions and review the setup. This guide covers every step: navigating to Workbooks, building, customizing, saving, and sharing.
Common use cases for Azure Sentinel Workbooks:
Insider risk detection
Threat detection and response
Supply chain monitoring
Compliance and audit readiness
SOC analyst support
Key Takeaways
Azure Sentinel Workbooks let you make easy security reports. You can use templates or make your own designs.
Check that you have the right permissions and setup before you start.
Use Kusto Query Language (KQL) to pull in and filter data. This helps you build dashboards that are fast and useful.
Change your workbook with pictures, layouts, and filters. This makes the data simple to see and understand.
Save your workbooks and share them with your team. This helps everyone watch for problems and respond faster.
Prerequisites
Permissions
You need the right permissions before you create workbooks in Azure Sentinel. The Microsoft Sentinel Contributor role grants full control over workbooks. Alternatively, you can combine a lower-privileged Sentinel role with the Workbook Contributor role. These roles can be assigned at the resource group or workspace scope, and role-based access control lets you decide who can change workbooks.
The Microsoft Sentinel Contributor role lets you make and change workbooks.
The Workbook Contributor role lets you work with workbooks if you do not have full access.
Set roles at the resource group or workspace level to keep things safe.
Tip: Always check your permissions first. This stops mistakes when you save or share workbooks.
Sentinel Setup
You must set up Azure Sentinel before making workbooks. Make sure you have these things:
A Microsoft Entra ID license and tenant, or an account with a payment method.
An active Azure subscription to keep track of resources and costs.
A Log Analytics workspace with no locks and the right pricing.
Contributor role on the subscription and Sentinel roles on the resource group.
A dedicated resource group for Sentinel resources. This makes permissions easier to manage.
Set data retention in your Log Analytics workspace to 90 days for all Sentinel features.
Note: Using a dedicated resource group and retaining data for longer helps your security team work more effectively and keeps your data protected.
Supported Browsers
You need a web browser that works with Azure Sentinel Workbooks. Microsoft says to use Microsoft Edge. This browser gives you new features, security updates, and help. Some old browsers may not work with all workbook tools.
If you use Microsoft Edge, you will have fewer problems and get the best results with Azure Sentinel Workbooks.
Accessing Azure Sentinel Workbooks
Select Workspace
To start working with Azure Sentinel Workbooks, you need to choose the right workspace in the Azure portal. This workspace stores your security data and dashboards. Follow these steps to select your workspace:
Log into the Azure portal with your account.
In the left menu, search for Microsoft Sentinel under All services.
Pick Microsoft Sentinel from the list.
You will see a list of available workspaces. Choose the workspace you want to use. If you do not have one, you can create a new Log Analytics workspace and link it to Sentinel.
After you select your workspace, you can move on to the next step.
Tip: Always double-check that you are in the correct workspace. This helps you keep your data organized and makes sure you do not lose your work.
Open Workbooks Tab
Once you have selected your workspace, you can find the Workbooks tab. This tab lets you view, create, and manage your dashboards. Here is how you can find it:
Inside your chosen Microsoft Sentinel workspace, look at the menu on the left side.
Scroll down to the Threat management section.
Click on the Workbooks tab. This tab sits with other important sections like Data Connectors.
The Workbooks tab shows you a list of available dashboards. You can open an existing workbook or start a new one.
You now have access to Azure Sentinel Workbooks. You can use these tools to build custom reports and track security events in your environment.
Create Workbook
Creating a workbook in Azure Sentinel helps you visualize your security data. You can start from a built-in template or from a blank workbook; each approach has its advantages. This section also shows how to add data queries written in Kusto Query Language (KQL).
Use Template
Using a built-in template saves time. Templates are prebuilt and tested, follow best practices, and give you dashboards you can use right away and then adapt to your needs. They help you start quickly and avoid mistakes, because you do not have to build everything yourself.
Tip: Templates are great if you want a quick solution or want to use a workflow that works well.
To use a template:
Go to the Workbooks tab in your Sentinel workspace.
Look through the list of templates.
Pick a template that fits your needs, like sign-in logs or threat detection.
Click "Save" or "Edit" to start changing the template for your environment.
Start Blank
You can also start from a blank workbook. This gives you full control over the design and the data, because you build each part yourself. It is the best choice when you have specific requirements or want a dashboard that differs from the templates.
To make a blank workbook:
In the Workbooks tab, click "New" to open a blank workbook.
Pick the Log Analytics workspace you want.
Add new sections, visuals, and queries as you need.
If you want a custom layout from GitHub, copy the JSON code and paste it into the workbook editor.
You can change every detail for your organization. You choose what data to show and how to show it.
Add Data Queries
Workbooks use Kusto Query Language (KQL) to get data from different places. You can query logs, metrics, and other data to make your reports. KQL lets you filter, sort, and show data in many ways.
Here are some common data sources you can query in Azure Sentinel Workbooks:
When you write KQL queries, you should use best practices to keep your workbook fast and easy to use.
Here are some tips for writing good KQL queries:
Use the where clause to filter data early. Use filters that narrow down results.
Limit rows with the take operator.
Pick only the columns you need with project.
Use summarize to group data and make it smaller.
Join tables if you need to combine data.
Sort results with order by.
Remove duplicates with distinct.
Be careful with case sensitivity in table names.
Note: Doing these steps helps you handle big datasets and keeps your workbook working well.
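The query below is an added example, not taken from the original article, that applies these tips to a common workbook use case: failed sign-ins per user. It assumes the standard Microsoft Entra ID SigninLogs table is connected to the workspace; the threshold of 10 attempts is an illustrative value.

```kql
// Failed sign-ins in the last 24 hours, summarised per user.
// Added example for this article; assumes the SigninLogs table is present.
// Table and column names are case-sensitive: SigninLogs, not signinlogs.
SigninLogs
| where TimeGenerated > ago(24h)        // filter early: the time predicate is the most selective one
| where ResultType != "0"               // ResultType is a string; "0" is success, anything else is a failure
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType, ResultDescription   // keep only needed columns
| summarize FailedAttempts = count(),
            DistinctIPs = dcount(IPAddress),
            LastFailure = max(TimeGenerated)
    by UserPrincipalName                // aggregate to shrink the result set before rendering
| where FailedAttempts >= 10            // illustrative threshold, tune for your environment
| order by FailedAttempts desc          // most affected accounts first
| take 50                               // cap rows so the workbook grid stays responsive
```

A grid visual over this result gives analysts a sortable list of accounts under repeated failed sign-in attempts, with the distinct source IP count as a quick signal for password spraying versus a single mistyped password.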
Now you can make custom dashboards and reports in Azure Sentinel Workbooks. You choose what data to show and how to show it. This helps your security team find threats and keep track of important events.
Customize Azure Sentinel Workbooks
Customizing Azure Sentinel Workbooks helps you turn raw data into clear, interactive dashboards. You can add visuals, change the layout, and use filters to make your reports easy to read and useful for your team.
Add Visuals
You can add many types of visuals to your workbook. These visuals help you see trends, spot problems, and share insights with others. To start, switch your workbook to edit mode. Then, follow these steps:
Select the Add query option to insert a new data control.
Choose the query type, such as Logs or Azure Resource Graph.
Pick the resource type, like Application Insights or Log Analytics.
Enter your Kusto Query Language (KQL) query to get the data you want.
Select a visualization type. You can pick from line, bar, area, pie, scatter, or time charts.
Adjust the chart’s size, color palette, and legend. You can also set chart titles and messages for when no data appears.
Use the Settings tab to change axes, units, formatting, grouping, and series colors.
In the Series Settings tab, you can rename series and pick custom colors.
Tip: Try different chart types to see which one shows your data best. For example, use a pie chart for parts of a whole or a line chart for trends over time.
Here is a table that shows some key parameters you can set for your visuals:
You can also add tables to show raw data. Tables let you sort, filter, and drill down into details. Use tables when you want to see exact values or compare many items.
Edit Layout
You can change the layout of your workbook to make it easy to read. Start by adding sections to group related visuals. Move visuals up or down to put the most important charts at the top. You can also resize charts and tables to fit your screen.
Drag and drop visuals to arrange them in the order you want.
Use text blocks to add titles or notes between visuals.
Split your workbook into sections for different topics, such as sign-in logs or alerts.
Adjust the width of visuals to show more or less detail.
Note: A clear layout helps your team find information quickly. Group similar visuals together and use headings to guide readers.
Apply Filters
Filters help you focus on the data that matters most. You can add filters to your workbook so users can pick what they want to see. For example, you can let users filter by time range, resource, or alert type.
To add a filter:
In edit mode, select Add parameter.
Choose the filter type, such as dropdown, text, or time picker.
Link the filter to your KQL queries using parameters.
Test the filter to make sure it changes the visuals as expected.
Filters make your Azure Sentinel Workbooks interactive. Users can explore data by changing filter values. This helps you answer questions fast and spot trends or issues.
Tip: Use filters to let users drill down into specific time periods, resources, or event types. This makes your dashboards more flexible and useful.
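As an added example, not from the original article, the two queries below show how a dropdown filter and a time picker are wired into a chart query. The parameter names TimeRange and Apps are assumed; {TimeRange}, {TimeRange:grain} and the quoted list expansion of a multi-select dropdown are standard Azure Workbooks parameter syntax.

```kql
// Query 1: populates the dropdown parameter "Apps" (assumed name).
// Configure it as a multi-select dropdown; the workbook expands {Apps}
// into a quoted, comma-separated list when another query references it.
SigninLogs
| where TimeGenerated {TimeRange}       // expands to the time picker's window, e.g. > ago(1d)
| distinct AppDisplayName
| order by AppDisplayName asc

// Query 2: the chart query, bound to both parameters.
// Changing either control re-runs this query and redraws the visual.
SigninLogs
| where TimeGenerated {TimeRange}       // same time window as the dropdown's source query
| where AppDisplayName in ({Apps})      // only the applications the user selected
| where ResultType != "0"               // failures only
| summarize Failures = count()
    by bin(TimeGenerated, {TimeRange:grain}), AppDisplayName   // grain follows the selected range
| order by TimeGenerated asc            // time chart expects ascending time
```

Render query 2 as a time chart grouped by AppDisplayName to get one failure series per selected application.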
With these customization steps, you can build powerful and interactive dashboards in Azure Sentinel Workbooks. Your team will find it easier to monitor security, respond to threats, and make smart decisions.
Save and Share
Save Workbook
You need to save your work to keep your custom dashboards and reports. Saving a workbook in the Azure portal is simple. Follow these steps:
1. Open or create your workbook in the Azure portal.
2. Select the Save button at the top.
3. Enter details like the workbook title, subscription, resource group, and location.
4. If you want, you can save the workbook content to your own Azure Storage account. This step needs a managed identity.
5. Click Save again to finish.
Tip: Give your workbook a clear name. This helps your team find it later.
Share with Team
Sharing your workbook lets your team see the same data and insights. You can share Azure Sentinel Workbooks in a few ways:
Open the workbook you want to share.
Select the share button to get a link labeled "Share a link to this report."
Send this link to your team. Each person must have an Azure account and the right permissions to view it.
You can also share the link by email.
Another way to share is by exporting the workbook as a JSON template. Your team can import this file into their own environment.
Here is a table showing what each role can do with workbooks:
Only the Sentinel Contributor role can create or edit workbooks. Make sure your team has the right access.
Export Options
You can export your workbook to share it outside your team or publish it for others. To export, open the Advanced editor and copy the JSON template. Save this file on your computer. You can upload it to a GitHub repository or share it with others to import.
If you want to publish your workbook for your whole organization, you need to upload it to the Microsoft Sentinel GitHub repository. Add preview images and metadata. After approval, your workbook can appear in the Azure Marketplace and the content hub. This lets many people use your solution.
Exporting and publishing help you share your work with a wider audience and support your organization’s security goals.
You now know how to make and change dashboards. Interactive reports help your team find threats fast. They also help you sort alerts and look at details.
You can pick a template or make your own dashboard.
Workbooks let you sort, group, and show data from different places.
You can get more templates on GitHub and check the Azure Sentinel Wiki for ideas from others.
Try using more features and share your dashboards with your team to help keep things safe.
FAQ
How do you update a workbook after saving it?
First, open the workbook in edit mode. Make any changes you want. Click Save when you finish. Everyone with access will see your updates.
Can you copy a workbook to another workspace?
Yes, you can export the workbook as a JSON file. Use the Advanced Editor to import it into another workspace.
What happens if you delete a workbook?
Deleting a workbook removes it from the workspace. You cannot get it back unless you have a backup or exported JSON file.
Do you need coding skills to use Azure Sentinel Workbooks?
You do not need to know how to code. Templates and simple queries are easy to use. Learning basic KQL helps you make better dashboards.
Can you schedule workbook reports to send by email?
Azure Sentinel Workbooks do not send scheduled email reports by themselves. You can export data or use Logic Apps to send reports automatically.