Lesson 8 — Microsoft Sentinel Workbooks and Dashboards
Data connectors bring telemetry into Microsoft Sentinel, but raw data alone is not enough.
Security teams need clear operational views that help them understand incidents, trends, connector health, detection coverage and investigation priorities.
Microsoft Sentinel workbooks turn KQL queries and security data into interactive dashboards for SOC analysts, engineers, managers and incident responders.
What you will learn
This lesson explains how workbooks help analysts visualise Sentinel data and build practical SOC dashboards.
Learning objectives
After completing this lesson, you should understand how Sentinel workbooks support SOC visibility.
- Explain what a Microsoft Sentinel workbook is.
- Understand how workbooks use KQL and Log Analytics data.
- Recognise the difference between dashboards, incidents and reports.
- Identify useful SOC workbook use cases.
- Understand how workbooks support investigation, monitoring and communication.
The problem this solves
Security teams often have the data they need, but not the visibility they need.
Workbooks solve this by presenting security data in useful dashboards that help analysts and managers understand what is happening across the environment.
What is a Microsoft Sentinel workbook?
A Microsoft Sentinel workbook is an interactive dashboard built from queries, visualisations, parameters and text. Workbooks can display Sentinel data such as incidents, alerts, connector activity, sign-in trends, security events and hunting results.
A workbook should not just look impressive. It should help someone make a better security decision.
How workbooks fit into Sentinel operations
Workbooks sit between raw telemetry and operational reporting. They help turn tables and queries into views a SOC can use.
Workbooks are not incidents
An incident is an investigation case. A workbook is a visual and analytical view of data.
Analysts may use a workbook to understand trends or identify suspicious activity, but the workbook itself is not the incident.
Workbooks are not analytics rules
An analytics rule creates detections, alerts and incidents.
A workbook visualises data. It may use similar KQL logic, but its job is to help people see and understand patterns, not automatically create incidents.
Common SOC workbook uses
Useful Sentinel workbooks often focus on operational questions.
- How many incidents were created this week?
- Which severity levels are increasing?
- Are data connectors still sending telemetry?
- Which users or devices appear repeatedly?
- Which detections are generating the most noise?
Parameters
Parameters allow a workbook user to change the view without editing the KQL query directly.
For example, a workbook may include parameters for time range, user, severity, incident status, table or data source.
Charts and tables
Workbooks can show data as tables, charts, counters and other visual elements.
Choose the visual that matches the question. A trend over time works well as a chart, while investigation evidence may work better as a table.
Text and guidance
Good workbooks include explanatory text, not just charts.
Guidance helps analysts understand what the workbook shows, what filters mean and what they should check next.
Example workbook ideas
| Workbook | Purpose |
|---|---|
| Incident overview | Shows incident count, severity, status, owner and trends over time. |
| Connector health | Highlights missing data, ingestion gaps and important connector changes. |
| Identity activity | Shows risky sign-ins, failed logons, locations and user activity patterns. |
| Detection coverage | Maps analytics rules, tactics, data sources and active detections. |
| Executive security summary | Provides high-level trends for non-technical stakeholders. |
Real-world example
A SOC manager wants to know whether phishing incidents are increasing and whether analysts are closing them quickly.
A workbook can show phishing incidents by week, severity, owner, status and average time to closure. That view helps the team identify workload, trends and response gaps.
Connector visibility example
After enabling data connectors, a workbook can help show whether the expected data is arriving.
This is especially useful when onboarding firewalls, Syslog sources, Azure logs or third-party platforms.
Common mistake
A common mistake is building a beautiful workbook that no one uses.
Every workbook should have a clear audience and a clear purpose. If it does not help someone investigate, monitor or report, simplify it.
Agent Foskett investigation tip
Do not start with, "What chart can I make?" Start with, "What does the SOC need to understand faster?" Then build the workbook around that question.
What to document
Every production workbook should be easy to understand and maintain.
- Workbook purpose
- Audience
- Required data sources
- Important parameters
- Known limitations
- Owner or maintainer
Agent Foskett takeaway
Analytics rules create detections.
Incidents create investigation cases.
Workbooks help the SOC understand patterns, trends and operational performance.
Related Agent Foskett learning
Continue learning
Microsoft Sentinel Workbooks and Dashboards
Microsoft Sentinel workbooks use KQL queries and Log Analytics data to build dashboards for incidents, alerts, connector health, security trends, detection coverage, threat hunting and SOC reporting.
Microsoft Sentinel Lesson 8
This Agent Foskett Microsoft Sentinel Academy lesson explains workbooks, dashboards, KQL visualisation, workbook parameters, SOC reporting, incident trends, connector health and operational security dashboards.
