This chapter covers Microsoft Sentinel Threat Maps and Security Dashboards, key tools for visualizing and analyzing security data in Azure. For the AZ-500 exam, understanding how to configure and use these visualizations is critical for the Security Operations domain, which makes up about 25-30% of exam questions. You will be tested on creating custom dashboards using KQL, interpreting threat maps, and integrating with workbooks. This chapter provides the deep technical knowledge needed to answer scenario-based questions accurately.
Imagine a global weather radar system that monitors storms across the entire planet. Each radar station (like a Sentinel data connector) reports local weather data—rainfall, wind speed, lightning strikes—to a central processing center. The center aggregates this data into a real-time global map showing where storms are forming, their intensity, and their movement. A meteorologist can view this map to see a hurricane developing off the coast, zoom in to see lightning strikes in a specific city, or filter to show only tornado warnings. Similarly, Microsoft Sentinel Threat Maps collect security alerts from all connected data sources (Azure, Microsoft 365, third-party firewalls, etc.) and visualize them on a world map. Each alert is a 'storm cell' with a location (IP geolocation), severity (intensity), and timestamp. The map uses color coding—red for critical, yellow for medium—just like radar uses red for heavy precipitation. An analyst can filter by time range, source type, or severity to focus on specific threats. The underlying mapping engine uses Azure Maps and Kusto queries to plot alerts based on IP geolocation, showing the geographic origin of attacks. Just as radar helps predict where a storm will hit next, Sentinel threat maps help predict attack patterns by showing concentration of malicious traffic from certain regions.
What Are Sentinel Threat Maps and Security Dashboards?
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. Threat Maps and Security Dashboards are visualization components that help security analysts quickly identify patterns, anomalies, and potential threats across the environment.
Threat Maps: Geospatial visualizations that plot security alerts on a world map based on the geographic location of the source IP address. They allow analysts to see where attacks are originating geographically.
Security Dashboards: Customizable views that aggregate data from multiple sources into charts, graphs, and tables. These are built using Azure Workbooks, which are based on Kusto Query Language (KQL) queries.
How Threat Maps Work Internally
Threat Maps rely on IP geolocation data. When Sentinel ingests a security alert, it extracts the source IP address (or destination IP, depending on configuration). This IP is then enriched with geolocation information using the Azure Maps service or third-party geolocation databases. The mapping engine in Sentinel uses this enriched data to plot points on a map. The process:
Data Ingestion: Logs from various sources (Azure Activity, Microsoft Defender for Cloud, third-party firewalls) are collected by Sentinel data connectors.
Alert Generation: Analytics rules (built-in or custom) process the logs and generate alerts when suspicious activity is detected.
Geolocation Enrichment: During alert generation, Sentinel queries the IP address against a geolocation database. This is done automatically for built-in rules; custom rules may require explicit enrichment using the geolocation() function in KQL.
Map Rendering: The alert data, including latitude, longitude, and severity, is sent to the map visualization component. The map uses Azure Maps tiles to render the background and overlays alert markers.
Key Components of Threat Maps
- Data Source: Any log source that includes IP addresses (e.g., AzureFirewallLogs, SecurityEvent, SigninLogs).
- Analytics Rule: Must generate alerts with IP address fields. Built-in rules like 'Malicious IP address detected' automatically populate the map.
- Geolocation Function: geolocation() in KQL returns latitude, longitude, country, state, city, and ASN for a given IP.
- Map Visualization: Available in Workbooks as a 'Map' tile. Configuration options include:
  - Latitude/Longitude fields: Must be numeric.
  - Size metric: Determines marker size (e.g., count of alerts).
  - Color metric: Determines marker color (e.g., severity).
  - Zoom levels: Default is auto-fit; can be set to a specific level.
  - Time range: Default is last 24 hours; configurable.
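The enrichment and projection steps listed above, modelled offline as an added example. This is illustrative Python written for this chapter, not Sentinel's own code and not a KQL listing from the page: the `geolocate()` helper and its `GEO_DB` table are constructed stand-ins for the geolocation() function and its database, the `NON_PUBLIC` ranges are the private, loopback and link-local blocks the chapter says cannot be geolocated, and the sample alerts are made up. It shows why the map needs numeric latitude/longitude fields, why rows whose IP is private or loopback never reach the map, and the count-by-country aggregation a pie-chart tile would use.

```python
# Added example (not Sentinel's or Microsoft's code): models the geolocation-enrichment
# step of a threat-map query offline. The IP -> location table is constructed for the
# demo; in Sentinel the lookup is performed by the geolocation() KQL function.
import ipaddress
from collections import Counter

# Address blocks the chapter says geolocation() cannot resolve (RFC 1918, loopback,
# link-local) plus their IPv6 equivalents; anything else is treated as public here.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]

# Constructed lookup table standing in for the geolocation database (sample values,
# documentation-range addresses; coordinates are stored as strings on purpose).
GEO_DB = {
    "203.0.113.7":  {"latitude": "51.5074", "longitude": "-0.1278", "country": "GB"},
    "198.51.100.9": {"latitude": "40.7128", "longitude": "-74.0060", "country": "US"},
}

def geolocate(ip):
    """Return None for malformed, private, loopback or unknown IPs; otherwise a dict
    with latitude/longitude already converted to float (map tiles need numeric fields)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None                      # empty field, hostname, garbage
    if any(addr in net for net in NON_PUBLIC):
        return None                      # private / loopback: nothing to plot
    rec = GEO_DB.get(ip)
    if rec is None:
        return None                      # public but not in the database
    return {"latitude": float(rec["latitude"]),
            "longitude": float(rec["longitude"]),
            "country": rec["country"]}

def enrich_alerts(alerts, ip_field="SourceIPAddress"):
    """Equivalent of `extend Geo = geolocation(<ip>) | where isnotnull(Geo) | project ...`.
    Rows that cannot be geolocated are dropped, which is why a query built on an
    internal-address field produces an empty map."""
    rows = []
    for a in alerts:
        geo = geolocate(a.get(ip_field, ""))
        if geo is None:
            continue
        rows.append({"Timestamp": a["TimeGenerated"], "IP": a[ip_field],
                     "AlertName": a["AlertName"], "Severity": a["Severity"],
                     "Latitude": geo["latitude"], "Longitude": geo["longitude"],
                     "Country": geo["country"]})
    return rows

def count_by_country(rows):
    """Equivalent of `summarize count() by Country` feeding a pie chart."""
    return dict(Counter(r["Country"] for r in rows))

# Constructed sample alerts: two public sources, one RFC 1918 source, one loopback.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "SourceIPAddress": "203.0.113.7",
     "DestinationIPAddress": "10.0.0.5", "AlertName": "Brute force", "Severity": "High"},
    {"TimeGenerated": "2024-01-01T10:05:00Z", "SourceIPAddress": "198.51.100.9",
     "DestinationIPAddress": "10.0.0.6", "AlertName": "Suspicious IP", "Severity": "Medium"},
    {"TimeGenerated": "2024-01-01T10:07:00Z", "SourceIPAddress": "203.0.113.7",
     "DestinationIPAddress": "10.0.0.5", "AlertName": "Brute force", "Severity": "High"},
    {"TimeGenerated": "2024-01-01T10:09:00Z", "SourceIPAddress": "10.0.0.9",
     "DestinationIPAddress": "10.0.0.5", "AlertName": "Internal scan", "Severity": "Low"},
    {"TimeGenerated": "2024-01-01T10:10:00Z", "SourceIPAddress": "127.0.0.1",
     "DestinationIPAddress": "10.0.0.5", "AlertName": "Local test", "Severity": "Low"},
]

if __name__ == "__main__":
    plotted = enrich_alerts(SAMPLE_ALERTS)
    for r in plotted:
        print(r)
    print(count_by_country(plotted))
    # Selecting the destination field (all internal addresses) yields nothing to plot.
    print(enrich_alerts(SAMPLE_ALERTS, ip_field="DestinationIPAddress"))
```

Running it plots three of the five alerts (the two private/loopback sources are dropped), and switching `ip_field` to the destination column returns an empty list, the same symptom the troubleshooting section describes for an empty map.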
Security Dashboards: Azure Workbooks
Security Dashboards in Sentinel are essentially Azure Workbooks. They are composed of tiles (queries) that display data in various formats: tables, charts (bar, line, pie), and maps. Each tile runs a KQL query against the Sentinel workspace.
- Workbook Template: Sentinel comes with several built-in templates, such as 'Azure Security Center Insights', 'Identity & Access', and 'Threat Intelligence'. These can be customized.
- Custom Workbook: Create from scratch or edit a template. Steps:
  1. In Sentinel, go to 'Workbooks'.
  2. Click 'Add workbook' or open an existing one and click 'Edit'.
  3. Add a new query tile: select the data source (Log Analytics workspace) and write the KQL query.
  4. Choose the visualization type: Map, Time chart, Bar chart, etc.
  5. Configure parameters (time range, subscriptions) for interactivity.
  6. Save and publish.
KQL Queries for Threat Maps and Dashboards
To create a threat map, you typically need a query that returns geographic coordinates. Example:
SecurityAlert
| where TimeGenerated > ago(7d)
| extend Geo = geolocation(SourceIPAddress)
| where isnotnull(Geo)
// the Map tile needs numeric latitude/longitude columns, so cast them explicitly
| project Timestamp = TimeGenerated, SourceIPAddress, AlertName, Severity,
          Latitude = todouble(Geo.latitude), Longitude = todouble(Geo.longitude), Country = tostring(Geo.country)
| take 1000

For a dashboard showing failed sign-ins by country:

SigninLogs
| where ResultType == "50057" // User account is disabled
| extend Geo = geolocation(IPAddress)
| where isnotnull(Geo)
| summarize FailedSignins = count() by Country = tostring(Geo.country)
| render piechart

Interactivity and Parameters
Workbooks support parameters that allow users to filter data (e.g., by time range, subscription, or severity). Parameters are defined at the top of the workbook and can be linked to queries. For example, a time range parameter:
let TimeRange = dynamic({TimeRange:timespan});
SecurityAlert
| where TimeGenerated > ago(TimeRange)

Performance Considerations
Data Volume: Threat maps can be slow if querying over large time ranges (e.g., >30 days) or millions of alerts. Use time filters and aggregations.
Geolocation Function: geolocation() is resource-intensive. Cache results where possible.
Map Tile Limits: Azure Maps has a limit of 10,000 markers per map. Use clustering or filtering to stay within limits.
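Grid clustering of the kind the marker limit calls for, as an added example. This is illustrative Python written for this chapter, not Azure Maps' or Sentinel's clustering code: the grid-coarsening strategy, the `SEVERITY_RANK` ordering, the `max_markers` budget and the `make_sample_points()` generator are all assumptions made for the demo. Each cluster carries a point count (the size metric) and the highest severity it contains (the color metric), and the grid is coarsened until the cluster count fits the budget, so the output never exceeds the limit whatever the input volume.

```python
# Added example (not Azure Maps' or Sentinel's code): collapse plotted points into grid
# cells until the number of markers fits a budget such as the 10,000-marker limit.
import random
from collections import defaultdict

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}   # assumed ordering

def cluster_markers(points, max_markers, start_cell=0.5, max_cell=45.0):
    """points: iterable of (lat, lon, severity). Returns one marker per occupied grid
    cell with its centroid, point count (size metric) and worst severity (color
    metric). Cell size doubles until len(result) <= max_markers or the cell reaches
    max_cell degrees (at 45 degrees the whole globe is at most 32 cells)."""
    cell = start_cell
    while True:
        buckets = defaultdict(lambda: {"count": 0, "sev": 0, "lat_sum": 0.0, "lon_sum": 0.0})
        for lat, lon, sev in points:
            key = (int(lat // cell), int(lon // cell))        # grid cell the point falls in
            b = buckets[key]
            b["count"] += 1
            b["sev"] = max(b["sev"], SEVERITY_RANK.get(sev, 0))
            b["lat_sum"] += lat
            b["lon_sum"] += lon
        if len(buckets) <= max_markers or cell >= max_cell:
            break
        cell *= 2                                             # too many markers: coarsen
    rank_to_name = {v: k for k, v in SEVERITY_RANK.items()}
    return [{"latitude": b["lat_sum"] / b["count"],
             "longitude": b["lon_sum"] / b["count"],
             "count": b["count"],
             "severity": rank_to_name[b["sev"]],
             "cell_degrees": cell}
            for b in buckets.values()]

def make_sample_points(n=20000, seed=1):
    """Constructed sample: n points scattered within +/-10 degrees of three invented
    hotspots, with random severities. No real alert data is involved."""
    rng = random.Random(seed)
    hotspots = [(52.5, 13.4), (37.8, -122.4), (-33.9, 151.2)]
    sevs = ["Low", "Medium", "High"]
    pts = []
    for _ in range(n):
        lat0, lon0 = rng.choice(hotspots)
        pts.append((lat0 + rng.uniform(-10, 10), lon0 + rng.uniform(-10, 10), rng.choice(sevs)))
    return pts

if __name__ == "__main__":
    pts = make_sample_points()
    for budget in (10000, 100):
        markers = cluster_markers(pts, budget)
        print(f"budget {budget}: {len(markers)} markers at {markers[0]['cell_degrees']} degree cells")
```

With the default budget of 10,000 the 20,000 sample points already fit at the finest grid; with a budget of 100 the grid is coarsened several times, and in every case the per-cluster counts still add up to the original number of points, so nothing is silently dropped.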
Integration with Other Sentinel Features
Incidents: Threat maps can be linked to incidents. Clicking a marker can drill into related incidents.
Playbooks: Automated responses can be triggered from dashboards using buttons (custom actions).
Hunting: Dashboards can be used for proactive hunting by creating queries that look for anomalies.
Default Values and Timers
Time Range Default: 24 hours for built-in threat maps.
Refresh Interval: Workbooks auto-refresh every 5 minutes by default.
Alert Deduplication: Sentinel deduplicates alerts within 24 hours by default (configurable in analytics rules).
Troubleshooting
No data on map: Check that the geolocation() function returns non-null values. Ensure IP addresses are public (private IPs like 10.x.x.x return null).
Map not rendering: Verify that the workbook is in 'edit' mode and the query returns latitude/longitude columns.
Slow performance: Reduce time range, add filters, or use materialized views.
Security Considerations
Data Privacy: Geolocation data may be considered personal data. Ensure compliance with GDPR or other regulations.
Access Control: Use Azure RBAC to restrict who can view/edit workbooks. Sentinel Reader role can view, Sentinel Contributor can edit.
Exam Relevance
AZ-500 expects you to know:
How to create a custom workbook with a map visualization.
The KQL functions for geolocation (geolocation()) and time filtering.
The difference between built-in and custom analytics rules.
How to use parameters to make dashboards interactive.
The limitations (10,000 markers, private IPs not geolocated).
Enable Sentinel Data Connectors
First, ensure that the relevant data connectors are enabled in Microsoft Sentinel. Go to 'Data connectors' and enable connectors like 'Azure Activity', 'Azure Security Center', 'Microsoft 365 Defender', and third-party sources (e.g., Palo Alto Networks). Each connector ingests logs into the Log Analytics workspace. Without these connectors, there will be no data to visualize. Verify connector status: green indicates healthy, red indicates disconnected. For exam scenarios, remember that some connectors require additional licensing (e.g., Microsoft 365 E5 for Defender).
Create Analytics Rules to Generate Alerts
Analytics rules process incoming logs and generate alerts when suspicious activity is detected. Built-in rules are available under 'Analytics' > 'Rule templates'. For threat maps, use rules that produce alerts with IP addresses, such as 'Malicious IP address detected'. Custom rules can be written in KQL. Example: create a rule that triggers when a sign-in occurs from a known malicious IP. The rule must include the 'Alert Details' section with 'Source IP' mapped to the alert's SourceIPAddress field. Without alerts, the threat map will be empty.
Define a Threat Map in a Workbook
Navigate to 'Threat management' > 'Workbooks' in Sentinel. Click 'Add workbook' or open an existing one and click 'Edit'. Add a new query tile. Write a KQL query that selects alerts and enriches them with geolocation data. Use the `geolocation()` function on the IP address. Ensure the query outputs fields like `latitude` and `longitude` as numeric types. Then set the visualization to 'Map'. Configure the map settings: Latitude field, Longitude field, Size metric (e.g., count of alerts), Color metric (e.g., severity). Save the workbook.
Configure Interactive Parameters
To allow users to filter data, add parameters to the workbook. Click 'Add parameter' and define a name (e.g., `TimeRange`), type (e.g., `timepicker`), and default value (e.g., `last 24 hours`). In the query tile, reference the parameter using curly braces: `let TimeRange = dynamic({TimeRange:timespan});`. Then use `TimeRange` in the where clause. This enables dynamic filtering without editing the query. Parameters can also be linked to other tiles, so changing one parameter updates all dependent tiles.
Test and Publish the Dashboard
Before publishing, test the workbook by adjusting time ranges and filters. Ensure the map renders correctly with markers. Check that clicking a marker shows alert details. If the map is empty, verify the query returns data by running it in the Log Analytics query editor. Common issues: private IPs (geolocation returns null), insufficient permissions, or incorrect field mapping. Once satisfied, click 'Save' and then 'Publish' to make it available to other users. Published workbooks appear under 'My workbooks' or 'Community workbooks' depending on sharing settings.
Scenario 1: Global Attack Origin Analysis
A multinational corporation uses Sentinel to monitor attacks across its Azure and on-premises infrastructure. They deploy a threat map workbook that plots all failed authentication attempts (from Azure AD SigninLogs and Windows Security Events) on a world map. The map uses color-coded markers: red for brute-force attacks, yellow for suspicious IPs. The SOC team uses this to identify regions with high attack volumes. They notice a spike from a specific country and create a custom analytics rule to block all traffic from that country's IP range at the Azure Firewall. The map is configured with a time range parameter (last 7 days) and auto-refreshes every 5 minutes. Performance is acceptable with ~50,000 alerts per day; they use clustering to avoid marker overload. A misconfiguration—using the wrong IP field (destination IP instead of source)—caused the map to show internal Azure IPs, for which geolocation() returns null. After correcting to SourceIPAddress, the map worked correctly.
Scenario 2: Incident Response Dashboard for SOC
A managed security service provider (MSSP) builds a comprehensive security dashboard for its clients. The dashboard includes multiple tiles: a threat map showing active incidents, a bar chart of top alert types, a time chart of alerts over the last 24 hours, and a table of recent incidents. The dashboard uses parameters for client subscription and time range. Each tile is linked to the same parameters, so a SOC analyst can quickly switch between clients. The threat map uses the geolocation() function on the IP address from the SecurityIncident table (which includes alert data). They discovered that the SecurityIncident table does not always contain IP addresses; they had to join with SecurityAlert or use the ExtendedProperties field. This required a more complex KQL query. The dashboard is shared via Azure RBAC: analysts have Reader role, engineers have Contributor role. A common mistake is forgetting to set the Size metric to a numeric field, causing the map to show uniform markers.
Scenario 3: Hunting for Lateral Movement
A financial institution uses Sentinel to detect lateral movement. They create a custom workbook that maps outbound connections from compromised VMs. The threat map shows destination IPs plotted geographically. They use a KQL query that joins VMConnection logs with SecurityAlert to highlight connections from VMs with active alerts. The map uses marker size to indicate connection frequency. They set a threshold: if a single IP appears more than 100 times in an hour, it triggers a playbook that automatically blocks the IP. Performance issues arose when querying over 30 days; they optimized by using a materialized view that pre-aggregates connection counts by IP and hour. The exam may test this optimization technique.
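The pre-aggregation and threshold check from the lateral-movement scenario, run offline as an added example. This is illustrative Python written for this chapter, not the institution's query, a Sentinel playbook, or a materialized view: `aggregate_by_ip_hour()` stands in for the view that pre-aggregates connection counts by destination IP and hour, `over_threshold()` is the query that reads from it, the VMConnection-style rows and the 100-per-hour threshold follow the scenario, and the hourly bucketing is the equivalent of `bin(TimeGenerated, 1h)`. It shows why counting from the aggregate is cheap and how an IP that spreads its connections across hours stays below the threshold.

```python
# Added example (not Sentinel's code): count outbound connections per destination IP
# per hour, then flag the (ip, hour) pairs that exceed the scenario's threshold.
from collections import Counter
from datetime import datetime, timezone

THRESHOLD = 100   # connections per destination IP per hour, as in the scenario

def hour_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp to the hour (KQL: bin(TimeGenerated, 1h))."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)

def aggregate_by_ip_hour(rows):
    """The 'materialized view': connection count per (DestinationIp, hour).
    rows: iterable of {"TimeGenerated": iso, "DestinationIp": str, "Computer": str}."""
    return Counter((r["DestinationIp"], hour_bucket(r["TimeGenerated"])) for r in rows)

def over_threshold(agg, threshold=THRESHOLD):
    """Read the pre-aggregated counts rather than the raw rows; returns sorted
    (ip, hour, count) tuples, i.e. the candidates that would be handed to a playbook."""
    return sorted((ip, h, c) for (ip, h), c in agg.items() if c > threshold)

def make_sample_rows():
    """Constructed sample (documentation-range IPs, invented hosts): one destination is
    hit 150 times inside a single hour; another gets 60 per hour across two hours."""
    rows = []
    for i in range(150):                                   # all within 09:00-09:59
        rows.append({"TimeGenerated": f"2024-03-01T09:{i % 60:02d}:{i // 60:02d}Z",
                     "DestinationIp": "192.0.2.50", "Computer": "vm-finance-01"})
    for hour in (10, 11):                                  # 60 per hour, never > 100
        for i in range(60):
            rows.append({"TimeGenerated": f"2024-03-01T{hour}:{i:02d}:00Z",
                         "DestinationIp": "192.0.2.51", "Computer": "vm-finance-02"})
    return rows

if __name__ == "__main__":
    agg = aggregate_by_ip_hour(make_sample_rows())
    for ip, hour, count in over_threshold(agg):
        print(f"{ip} exceeded {THRESHOLD}/hour at {hour.isoformat()} ({count} connections)")
```

Only 192.0.2.50 is reported, because the threshold is evaluated per hour bucket; lowering the threshold to 50 in `over_threshold()` would surface all three (ip, hour) pairs, which is the kind of tuning an analyst does against the aggregate rather than by re-scanning 30 days of raw rows.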
AZ-500 Exam Focus on Sentinel Threat Maps and Security Dashboards
AZ-500 objective 4.2: 'Configure and manage security monitoring and automation solutions' includes creating custom dashboards and interpreting threat maps. Exam questions typically present a scenario where you must choose the correct KQL query, visualization type, or configuration step.
Common Wrong Answers and Why Candidates Choose Them
Choosing 'Power BI' instead of 'Workbooks': Candidates see 'dashboard' and think Power BI, but Sentinel dashboards are Azure Workbooks, not Power BI. Power BI can integrate but is not native.
Using `extend` instead of `project` for geolocation fields: Many forget that geolocation() returns a dynamic object; they try to use it directly in a chart without extracting latitude and longitude. The exam expects you to use extend Geo = geolocation(IP) then project Geo.latitude, Geo.longitude.
Selecting 'Alert' instead of 'Incident' for threat maps: Threat maps typically show alerts, not incidents. Incidents are groups of alerts. The exam may ask: 'Which data source should you use?' Answer: SecurityAlert table.
Ignoring time range parameters: Questions about interactive dashboards often require parameters. A common distractor is to hardcode the time range in the query, but the correct answer is to use a workbook parameter.
Specific Numbers and Values to Memorize
10,000 markers: Maximum markers on an Azure Maps tile.
5 minutes: Default auto-refresh interval for workbooks.
24 hours: Default time range for built-in threat maps.
`geolocation()`: KQL function for IP geolocation. Returns null for private IPs.
`SecurityAlert`: Table used for alerts; SecurityIncident for incidents.
Edge Cases and Exceptions
Private IPs: geolocation() returns null for private (RFC 1918) IPs. The exam may test that you know to filter out private IPs or use a different enrichment method.
IPv6: geolocation() supports IPv6, but not all geolocation databases are accurate. The exam may mention limitations.
Empty map: If the query returns no rows, the map shows nothing. Common cause: wrong field name or missing data connector.
How to Eliminate Wrong Answers
If the question mentions 'interactive filtering', look for 'parameters' in the answer.
If the question asks for 'geographic visualization', the answer must involve geolocation() and a map tile.
If the question is about 'sharing', remember Azure RBAC roles: Reader for view, Contributor for edit.
If the question mentions 'real-time', look for 'auto-refresh' settings (5 min default).
Threat maps visualize security alerts on a world map using IP geolocation via the `geolocation()` KQL function.
Security Dashboards in Sentinel are Azure Workbooks, not Power BI dashboards.
The `SecurityAlert` table is the primary source for threat map data; `SecurityIncident` is for incident grouping.
Private IPs (RFC 1918) return null for `geolocation()` and cannot be plotted on threat maps.
Azure Maps marker limit is 10,000 per map; use clustering or filtering for larger datasets.
Workbook parameters enable interactive filtering; default refresh interval is 5 minutes.
To create a threat map, you must have data connectors enabled and analytics rules generating alerts with IP addresses.
Common exam wrong answer: choosing Power BI over Workbooks for Sentinel dashboards.
These come up on the exam all the time. Here's how to tell them apart.
Built-in Threat Map Template
- Pre-configured with common queries.
- Limited customization options.
- Uses default time range (24h).
- No parameter support.
- Quick to deploy without KQL knowledge.
Custom Threat Map Workbook
- Fully customizable with KQL.
- Can add parameters for interactivity.
- Supports any time range.
- Can combine multiple data sources.
- Requires KQL expertise.
Mistake: Threat maps show live attacks in real-time.
Correct: Threat maps are based on alerts generated by analytics rules, which have some latency (typically minutes). They are near-real-time, not real-time. The default refresh is every 5 minutes.
Mistake: You can use any IP address in geolocation, including private IPs.
Correct: The `geolocation()` function returns null for private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback addresses. Only public IPs can be geolocated.
Mistake: Sentinel dashboards are the same as Azure Monitor dashboards.
Correct: Sentinel dashboards are Azure Workbooks, which are different from Azure Monitor dashboards. Workbooks support more interactive features and are designed for security analysis. Monitor dashboards are more general-purpose.
Mistake: Threat maps can only show source IP locations.
Correct: Threat maps can show both source and destination IP locations, depending on the fields you select in the query. You can map attacker IPs (source) or targeted IPs (destination).
Mistake: You must have Azure Maps enabled to use threat maps.
Correct: Threat maps use Azure Maps under the hood, but you do not need to separately enable or pay for Azure Maps. It is included in the Sentinel service.
To create a threat map, go to Sentinel > Workbooks > Add workbook > Edit. Add a new query tile and write a KQL query that selects alerts and enriches them with geolocation using the `geolocation()` function. Ensure the query outputs latitude and longitude fields. Set visualization to 'Map' and map the fields. Configure size and color metrics. Save and publish.
The `geolocation()` function is used. Example: `extend Geo = geolocation(SourceIPAddress) | project Geo.latitude, Geo.longitude`. It returns a dynamic object with latitude, longitude, country, etc. Returns null for private IPs.
Yes, but it requires joining with the SecurityAlert table because the SecurityIncident table does not directly contain IP addresses. You would join on IncidentId and use the alert's IP fields. The exam typically expects you to use SecurityAlert for threat maps.
Common causes: (1) No data connectors enabled, (2) Analytics rules not generating alerts, (3) Using private IPs (geolocation returns null), (4) Incorrect field mapping (e.g., using string instead of numeric for lat/long), (5) Query returns no rows due to time filter. Check each step.
Add a workbook parameter of type 'timepicker'. In your query, reference it using `let TimeRange = dynamic({TimeRange:timespan});` and use `where TimeGenerated > ago(TimeRange)`. This allows users to select a time range from the dropdown.
They are the same underlying technology (Azure Workbooks), but Sentinel Workbooks are pre-configured for security use cases. Sentinel provides built-in workbook templates that use security-related KQL queries. Both use the same editor and features.
Yes, you can export a workbook to PDF by clicking the '...' menu on the workbook and selecting 'Export to PDF'. This captures the current state of the workbook, including the map and other visualizations.