This chapter covers Microsoft Sentinel security workbooks and dashboards, a core component of visualizing and analyzing security data in Azure. For the AZ-500 exam, workbooks appear in the 'Security Operations' domain (Objective 4.2) and are typically tested in 2-3% of questions, often in scenario-based items where you must choose the correct tool for a given monitoring requirement. We will dissect workbook architecture, creation, customization, and integration with other Sentinel features like analytics rules and hunting queries. By the end, you will understand not just what workbooks are, but how to design them for maximum operational value and how the exam tests your ability to differentiate workbooks from other visualization tools.
Jump to a section
Think of Microsoft Sentinel as a global security operations center (SOC) for your cloud environment. Security workbooks are like the interactive dashboards and status boards you see in a mission control room. Each workbook is a curated set of visualizations—charts, tables, and metrics—that answer specific questions: 'How many failed logins in the last hour?' or 'Which users have the highest alert count?' Under the hood, each tile in a workbook is a query against the Log Analytics workspace that stores your security data. When you open a workbook, it executes those queries (often using KQL) and renders the results as line charts, bar graphs, or data grids. You can drill down by clicking a data point, which runs a new query filtered to that specific value. The workbook is fully customizable: you can add parameters (like time range or user name) that act as dials, allowing you to adjust the view without rewriting queries. This is exactly how a mission control engineer flips switches to see different telemetry—except here, the switches are parameter dropdowns and the telemetry is your security logs. The workbook itself is an ARM template or a JSON definition, making it portable and deployable via CI/CD.
What Are Sentinel Workbooks?
Microsoft Sentinel workbooks are interactive, customizable dashboards that provide visual insights into your security data. They are built on top of Azure Monitor Workbooks, which use the same underlying technology. A workbook is essentially a collection of queries, visualizations, and parameters packaged into a single reusable artifact. Workbooks are defined as ARM templates (JSON) and can be saved, shared, and deployed across multiple workspaces.
Why Workbooks Exist
Sentinel ingests massive amounts of data from various sources—Azure Activity logs, Microsoft 365 Defender, Azure AD, firewalls, and custom logs. Raw data is stored in a Log Analytics workspace. Without visualization, it is nearly impossible to spot trends, anomalies, or patterns. Workbooks provide a way to surface key metrics and allow analysts to interactively explore data. They are designed for continuous monitoring, not ad-hoc analysis (which is better suited for Log Analytics queries or hunting).
How Workbooks Work Internally
Each workbook is composed of one or more steps. A step can be a: - Query step: Runs a KQL query against the Log Analytics workspace and displays results as a chart, grid, or tile. - Parameter step: Defines user-selectable inputs (e.g., time range, subscription, user name) that feed into queries. - Text step: Renders markdown or HTML for context, instructions, or headers. - Group step: Groups multiple steps together for logical organization.
When you open a workbook, it executes all query steps that are visible (based on parameters and conditions). Each query step has a defined time grain and visualization type (line chart, bar chart, table, etc.). The workbook uses the Azure Resource Manager (ARM) to retrieve data from the Log Analytics workspace via the query API. The results are cached briefly (default 60 seconds) to avoid redundant calls.
Key Components and Defaults
Time Range Parameter: Most workbooks include a time range parameter. Default is typically 'Last 24 hours'. This parameter is used in KQL queries via {TimeRange}.
Visualization Types: Line chart, bar chart, pie chart, time series, table, tile, graph (for entity relationships).
Parameters: Defined with name, type (text, dropdown, time range, etc.), and default value. Parameters can be static or dynamic (populated by a query).
Conditional Visibility: Steps can be conditionally shown or hidden based on parameter values. For example, show a detailed drill-down step only when a specific alert ID is selected.
ARM Template Structure: Workbooks are stored as JSON under the microsoft.insights/workbooks resource type. They can be deployed via Azure portal, PowerShell, CLI, or ARM templates.
Configuration and Verification Commands
To create a workbook via PowerShell:
New-AzResource -ResourceGroupName <RG> -ResourceType Microsoft.Insights/workbooks -ResourceName <WorkbookName> -Location <Location> -PropertyObject <JSON>To list workbooks via CLI:
az monitor workbook list --resource-group <RG>To get a workbook definition:
az monitor workbook show --resource-group <RG> --resource-name <WorkbookName>Interaction with Related Technologies
Workbooks integrate deeply with:
- Analytics Rules: You can create workbooks that display alerts generated by analytics rules. Use the SecurityAlert table.
- Hunting Queries: Workbooks can surface results from hunting queries, but hunting itself is a separate feature.
- Azure Monitor: Workbooks share the same engine as Azure Monitor workbooks. Sentinel workbooks are just Azure Monitor workbooks with Sentinel-specific queries.
- Playbooks: Workbooks cannot trigger playbooks directly, but they can link to playbooks or other resources.
- Workbooks vs. Dashboards: Azure Dashboards are different—they are pinned tiles from various Azure services, not interactive queries. Workbooks are more powerful for security analysis.
Creating a Sample Workbook
To create a workbook that shows failed logins over time:
1. In Sentinel, go to 'Workbooks' and click 'Add workbook'.
2. Add a parameter for time range: name TimeRange, type Time range, default Last 24 hours.
3. Add a query step:
SigninLogs
| where TimeGenerated {TimeRange}
| where ResultType == 50057
| summarize FailedLogins = count() by bin(TimeGenerated, 1h)
| render timechartSet visualization to 'Time chart'.
Save the workbook.
Advanced Features
Multi-Resource Queries: Use union across multiple workspaces if Sentinel is configured with cross-workspace queries.
Drill-Down: Add a table step that, when a row is clicked, runs a new query with the selected value as a parameter.
Custom Tiles: Use tile visualization to create KPI cards.
Export to Excel: Users can export the underlying data from a query step.
Performance Considerations
Workbooks query the Log Analytics workspace, which has a query execution timeout of 10 minutes (default). For large datasets, use time filters and aggregation to reduce data scanned. Workbooks can also use caching (set in the workbook settings) to avoid re-querying every time the workbook is refreshed. Default cache duration is 60 seconds, but you can set it up to 1 hour for static data.
Security and Permissions
To view or edit workbooks, users need: - Workbook Reader: Read access to the workbook resource. - Workbook Contributor: Can create and edit workbooks. - Underlying Log Analytics workspace access: The workbook queries the workspace, so the user must have at least 'Log Analytics Reader' on the workspace. If the workbook uses managed identity, the identity needs appropriate permissions.
Common Configuration Patterns
SOC Overview Dashboard: Combines multiple tiles showing total alerts, active incidents, top attackers, and geo-map of sign-ins.
Compliance Monitoring: Tracks MFA adoption, risky sign-ins, and conditional access failures.
Threat Intelligence: Displays indicators of compromise (IOCs) from threat intelligence feeds.
Troubleshooting
If a workbook shows no data:
Verify that the user has permissions to the Log Analytics workspace.
Check if the KQL query is correct and returns results in Log Analytics.
Ensure time range parameter is correctly passed to the query.
Look for syntax errors in the workbook JSON.
Exam-Relevant Details
Workbooks are built on Azure Monitor Workbooks.
They use KQL for queries.
They support parameters, conditional visibility, and drill-down.
They are stored as ARM resources.
They are not the same as Azure Dashboards or Power BI.
The exam may ask you to choose between workbooks, dashboards, or Power BI for a given scenario.
Define Monitoring Objectives
Before creating a workbook, identify the key security questions you need to answer. For example: 'How many failed logins per hour?', 'Which users have the most alerts?', or 'What is the trend of malware detections?'. This step determines the KQL queries and visualizations. In the exam, scenarios often describe a monitoring need, and you must recognize that a workbook is the appropriate tool.
Create a New Workbook
In the Azure portal, navigate to Microsoft Sentinel, select your workspace, and under 'Threat management', click 'Workbooks'. Then click 'Add workbook'. This creates a blank workbook. Alternatively, you can use a template from the gallery. The exam may test that workbooks are created from the Sentinel interface, not from Azure Monitor directly (though it's possible).
Add Parameters for Interactivity
Add a time range parameter to allow users to change the observation window. Parameters are defined in the workbook editor. They can be simple (text, dropdown) or complex (time range, resource picker). Parameters are referenced in KQL queries using curly braces, e.g., `{TimeRange}`. The exam might ask about parameter types or how to pass parameters to queries.
Write KQL Queries and Set Visualizations
Add a query step and write a KQL query that returns the data you need. For example, to count sign-ins by result type: `SigninLogs | summarize Count = count() by ResultType`. Then choose a visualization type: table, time chart, bar chart, etc. The exam expects you to know basic KQL and visualization options. Common wrong answer: using a table when a time chart is needed for trend analysis.
Configure Drill-Down and Conditional Visibility
To enable drill-down, set 'When item is selected' to open a new step or a link. For conditional visibility, use the 'Show this step only when' condition based on a parameter. For example, show a detailed alert step only when a user selects a specific incident ID. The exam might test drill-down as a way to provide deeper analysis without cluttering the main view.
Save and Share the Workbook
Save the workbook to the Sentinel workspace. It becomes available to users with appropriate permissions. You can also export the workbook as an ARM template for deployment via CI/CD. The exam may ask about sharing workbooks across workspaces or using ARM templates for version control.
Scenario 1: SOC Tier 1 Dashboard for a Large Enterprise
A global enterprise with 50,000 users deploys Sentinel to monitor Azure AD, Office 365, and endpoint logs. The SOC team needs a 'Day 1 Dashboard' that shows: total alerts in last 24h, top 10 alert rule names, top 5 users with failed logins, and a geo-map of sign-in locations. The workbook is built with four query steps: (1) SecurityAlert | summarize count() by AlertName (bar chart), (2) SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName | top 10 (table), (3) SigninLogs | where ResultType == 0 | summarize count() by bin(TimeGenerated,1h) (time chart), (4) geo-map using SigninLogs | where ResultType == 0 | project Location, UserPrincipalName. The workbook uses a time range parameter (default: 24h) and refreshes every 5 minutes. Performance is fine because queries are aggregated. A common misconfiguration is forgetting to add a time filter, causing the query to scan all data and timeout. The solution is to always include {TimeRange} in the query.
Scenario 2: Incident Response Drill-Down
A MSSP uses Sentinel to manage multiple customer workspaces. They create a workbook that lists all active incidents per customer. When an analyst clicks an incident ID, a drill-down step runs a query to show related alerts, entities, and bookmarks. The workbook uses a parameter for workspace selection (dynamic dropdown populated by workspace() function). The challenge is cross-workspace queries: the workbook must use union across workspaces or the analyst must have access to each workspace. The exam may test that drill-down is a workbook feature, not a feature of analytics rules.
Scenario 3: Compliance Monitoring for MFA Rollout
A company rolling out MFA wants to track adoption. They create a workbook that shows: percentage of users with MFA registered, number of risky sign-ins, and conditional access policy failures. Queries use AADUserRiskEvents and SigninLogs. The workbook includes a parameter to filter by department (populated from Azure AD). A common mistake is using Azure Dashboard instead of workbook; the exam distinguishes that dashboards are for pinning individual metrics, while workbooks are for interactive analysis. Another pitfall: not granting the workbook's managed identity access to the Log Analytics workspace, causing 'no data' errors.
What AZ-500 Tests on Workbooks
AZ-500 Objective 4.2: 'Create and manage security workbooks and dashboards in Microsoft Sentinel'. The exam focuses on:
Distinguishing between workbooks, Azure Dashboards, and Power BI.
Understanding that workbooks are built on Azure Monitor Workbooks.
Knowing that workbooks use KQL and support parameters and drill-down.
Recognizing that workbooks are saved as ARM resources.
Identifying appropriate scenarios for workbooks (e.g., interactive monitoring, trend analysis) vs. other tools.
Common Wrong Answers and Why
'Use an Azure Dashboard': Candidates choose this because they think dashboards are for monitoring. But Azure Dashboards pin static tiles from Azure services; they do not support interactive queries or drill-down. Workbooks are for dynamic, query-driven analysis.
'Use Power BI': Power BI is for enterprise BI, not real-time security monitoring. It requires additional licensing and is not natively integrated with Sentinel. Workbooks are built-in and lightweight.
'Create a Log Analytics query': Queries are ad-hoc; workbooks provide persistent, shareable visualizations. The exam expects you to choose workbooks for ongoing monitoring.
'Use a playbook': Playbooks automate responses; they do not visualize data.
Specific Numbers and Terms
'Azure Monitor Workbooks' is the underlying technology.
'Parameters' are defined with types like 'Time range', 'Text', 'Dropdown'.
'Drill-down' is a key interactive feature.
'ARM template' is the deployment format.
Default time range is often 'Last 24 hours'.
Cache duration default: 60 seconds.
Edge Cases and Exceptions
Workbooks can be pinned to Azure Dashboards, but that is not their primary purpose.
Workbooks can be shared across workspaces if they use cross-workspace queries, but the user needs permissions on all workspaces.
If a workbook shows no data, the most likely cause is permissions on the Log Analytics workspace.
Workbooks can be exported to Excel, but that is a user action, not a configuration.
How to Eliminate Wrong Answers
If the question asks for a tool to 'create an interactive, query-based dashboard for security monitoring', eliminate any answer that does not support KQL or parameters. Eliminate Azure Dashboard because it is not interactive. Eliminate Power BI because it is external and not native. Eliminate Log Analytics because it is not a persistent dashboard. The correct answer is always 'Microsoft Sentinel workbook' or 'Azure Monitor workbook'.
Workbooks are interactive, query-based dashboards built on Azure Monitor Workbooks.
Workbooks use KQL queries against Log Analytics workspaces.
Key features: parameters, drill-down, conditional visibility, and time range controls.
Workbooks are stored as ARM resources (Microsoft.Insights/workbooks).
Default time range parameter is typically 'Last 24 hours'.
Cache duration defaults to 60 seconds; can be increased for static data.
Workbooks require at least Log Analytics Reader permissions on the workspace.
Workbooks are not the same as Azure Dashboards or Power BI.
Pre-built workbook templates are available in Sentinel Gallery.
Workbooks can be exported and deployed via ARM templates.
These come up on the exam all the time. Here's how to tell them apart.
Sentinel Workbooks
Built on Azure Monitor Workbooks
Interactive: supports parameters, drill-down, conditional visibility
Uses KQL queries to fetch data
Designed for security monitoring and analysis
Stored as ARM templates; can be deployed via CI/CD
Azure Dashboards
Pins tiles from Azure services (metrics, logs, etc.)
Static: no interactive parameters or drill-down
Data is pre-configured; no ad-hoc queries
General-purpose dashboard for Azure resources
Stored as Azure resource; less portable
Mistake
Workbooks are the same as Azure Dashboards.
Correct
Azure Dashboards pin static tiles from Azure services and do not support interactive query parameters or drill-down. Workbooks are dynamic, query-driven, and built on Azure Monitor Workbooks.
Mistake
Workbooks require Power BI licensing.
Correct
Workbooks are included with Microsoft Sentinel and Azure Monitor at no additional cost. They use KQL, not Power BI.
Mistake
You can create workbooks only from the Sentinel interface.
Correct
Workbooks can be created from Azure Monitor Workbooks as well. They are the same technology. Sentinel simply provides a gallery of pre-built security workbooks.
Mistake
Workbooks can trigger automated responses.
Correct
Workbooks are read-only visualization tools. They cannot trigger playbooks or automation rules. Playbooks handle automated responses.
Mistake
Workbooks store data locally.
Correct
Workbooks do not store data; they query the Log Analytics workspace in real-time. Data is not copied into the workbook.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A Log Analytics query is an ad-hoc query that returns raw data. A workbook is a persistent, interactive dashboard that runs one or more queries and displays them as visualizations. Workbooks support parameters, drill-down, and conditional visibility, making them suitable for ongoing monitoring. Log Analytics queries are for one-time analysis.
Workbooks refresh data every time you open them or manually refresh. They are not real-time streaming; they query the Log Analytics workspace, which has a typical ingestion latency of a few minutes. For near-real-time monitoring, use analytics rules and incidents.
You cannot. The workbook queries the Log Analytics workspace, so the user must have at least Log Analytics Reader permissions on that workspace. You can use a managed identity for the workbook, but the identity still needs workspace access.
You can export the underlying data of a query step to Excel (CSV). There is no native PDF export. You can use browser print to PDF for the entire workbook view.
Workbooks themselves are free. You pay for the data ingested into Log Analytics and for query execution (data scanned). There is no additional cost for creating or using workbooks.
Yes, using cross-workspace queries with the `workspace()` function in KQL. For example: `union workspace('workspace1').SigninLogs, workspace('workspace2').SigninLogs`. The user needs access to both workspaces.
In the query step settings, under 'Advanced settings', set 'When item is selected' to 'Open a workbook step' or 'Open a link'. You can then define a new step that uses the selected value as a parameter.
You've just covered Sentinel Security Workbooks and Dashboards — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?