
Microsoft Sentinel Workbooks

This chapter covers Microsoft Sentinel workbooks, a core feature for visualizing and analyzing security data through customizable, interactive dashboards. Workbooks are essential for SOC analysts to monitor threats, investigate incidents, and create reports. On the SC-200 exam, approximately 10-15% of questions relate to workbooks, focusing on their creation, configuration, and integration with other Sentinel features. Mastering workbooks will help you efficiently answer questions about data visualization, KQL queries, and workbook parameters.

Updated May 31, 2026

Workbooks as Interactive Dashboards

Think of Microsoft Sentinel workbooks as a customizable mission control center for a spacecraft. The raw telemetry (logs) streams in from various sensors (data sources) and is stored in a central database (the Log Analytics workspace). A workbook is like a set of configurable screens that display specific telemetry parameters using gauges, charts, and tables. Just as a mission controller can drag and drop widgets onto a dashboard to monitor fuel levels, temperature, and trajectory, a security analyst can add queries, visualizations, and text to a workbook to track failed logins, malware detections, or unusual network traffic. The workbook is powered by KQL queries that fetch and transform data in real time, similar to how each dashboard widget pulls live sensor data. Workbooks can be saved, shared, and pinned to Azure dashboards, just as mission control templates can be reused for different spacecraft. Parameters and interactive controls allow analysts to filter time ranges or select specific entities, akin to toggling between different telemetry views. The entire workbook is rendered by the Azure Monitor Workbooks framework, which provides a rich set of visualization tools and supports advanced interactivity through steps and parameters.

How It Actually Works

What Are Microsoft Sentinel Workbooks?

Microsoft Sentinel workbooks are interactive, customizable dashboards built on top of Azure Monitor Workbooks. They allow security analysts to visualize data from Log Analytics workspaces using Kusto Query Language (KQL) queries. Workbooks can combine text, charts, tables, and other visual elements to present security insights, track trends, and enable drill-down analysis.

Why Workbooks Exist

Workbooks address the need for a flexible, reusable visualization layer in SIEM operations. Unlike static reports, workbooks support interactivity—parameters, filters, and drill-throughs—enabling analysts to explore data dynamically. They serve multiple purposes: monitoring (e.g., daily failed login trends), investigation (e.g., user activity timelines), and reporting (e.g., compliance dashboards). Workbooks can be saved, shared, and pinned to Azure dashboards, facilitating collaboration within SOC teams.

How Workbooks Work Internally

Workbooks are defined as JSON templates that contain a series of steps. Each step can be a query (KQL), a visualization (chart, table, map), text (Markdown), or parameters. When a workbook is opened, it executes the queries against the Log Analytics workspace and renders the results in the specified visualizations. Parameters allow users to filter data across steps dynamically. The workbook framework handles caching and refreshing based on the defined time range.

Key Components

Steps: Building blocks of a workbook. Each step has a type: query, text, parameter, or group. Steps can reference each other via parameters.

Parameters: Controls like dropdowns, time ranges, or text inputs that allow users to filter workbook data. Parameters are defined at the workbook level and can be used in queries.

Visualizations: Supported types include tables, charts (bar, line, pie), maps, and tiles. Visualizations are configured via the query step's settings.

Time Range: Default is last 24 hours, but can be customized per step or via a parameter.

Data Source: Only Log Analytics workspaces (the Sentinel workspace) are supported. No other data sources like Azure Data Explorer are available.

Pinning: Workbook visualizations can be pinned to Azure dashboards for persistent monitoring.

Defaults and Timers

Time Range: Default is 24 hours, but can be set to custom (e.g., 7 days).

Auto-refresh: Not automatic; users must manually refresh or set a refresh interval via Azure dashboard pinning (default 5 minutes for pinned tiles).

Query timeout: Each query step has a 3-minute timeout.

Parameter default values: Specified in the parameter definition; if not set, the parameter is blank.

Configuration and Verification

To create a workbook:

1. In Sentinel, navigate to Threat Management > Workbooks.
2. Click "Add workbook" or use a template from the gallery.
3. Use the visual editor or edit the JSON template directly.
4. Add a query step: select the data source (Log Analytics), write the KQL, and choose a visualization type.
5. Add parameters: define the name, type (e.g., dropdown), and source (e.g., a query for values).
6. Save the workbook.

Verification commands: Use KQL in the query step to test data retrieval. Example:

SecurityEvent
| where TimeGenerated > ago(24h)
| summarize Count = count() by Account
| top 10 by Count

Interaction with Related Technologies

Azure Monitor Workbooks: Sentinel workbooks are built on this framework and inherit its features, such as parameters, steps, and pinning.

Log Analytics Workspace: All queries run against the Sentinel workspace. Changes to the workspace schema (e.g., custom tables) affect workbook queries.

KQL: Proficiency in KQL is required to create effective workbooks. Common functions include summarize, where, project, and render.

Azure Dashboards: Pinned workbook tiles support auto-refresh, but the workbook itself does not auto-refresh.

Workbook Templates: Pre-built workbooks provided by Microsoft or community. They can be customized and saved as new workbooks.

Advanced Features

Parameters with multiple selections: Use multi-select parameter type to filter on multiple values.

Cross-workspace queries: Use the union operator with workspace identifiers (requires appropriate permissions on each workspace).

Drill-through: Create links from a visualization to another workbook or external resource using the link parameter.

Conditional visibility: Show/hide steps based on parameter values using the isHidden property in JSON.

Export to Excel: Users can export table data to Excel from the toolbar.

Limitations

No real-time streaming; queries run on stored data.

No built-in scheduling; use Azure Dashboard pinning for periodic refresh.

Complex JSON editing required for advanced interactivity (e.g., conditional visibility).

Maximum of 50 steps per workbook.

Each query step can return up to 10,000 rows.

Best Practices

Use parameters to avoid hardcoding filters.

Leverage workbook templates as starting points.

Test KQL queries in Log Analytics before adding them to a workbook.

Use groups to organize steps logically.

Limit the number of steps to maintain performance.

Use time range parameters to allow flexible analysis.

Exam-Relevant Details

The SC-200 exam tests the ability to create and configure workbooks, including adding parameters and queries.

Know the difference between workbook types: gallery templates vs. custom workbooks.

Understand that workbooks support only Log Analytics as the data source.

Recognize that parameters can be linked to queries to populate dropdown values.

Remember that workbooks can be pinned to Azure dashboards for persistent monitoring.

Be aware of the 3-minute query timeout and 10,000 row limit.

Walk-Through

1. Identify Use Case

Determine what security question the workbook should answer. For example, monitoring failed logins over time. This step involves scoping the data sources (e.g., SecurityEvent table) and the desired visualizations (e.g., time chart). The use case drives the KQL query structure and parameter design.

2. Create New Workbook

In Microsoft Sentinel, navigate to Threat Management > Workbooks and click 'Add workbook'. Alternatively, start from a template by selecting one from the gallery and clicking 'View template'. This opens the workbook editor with a blank canvas or pre-configured steps.

3. Add Parameters

Click 'Add parameters' to create interactive controls. Define parameter name (e.g., TimeRange), type (e.g., Time range picker), and default value. For dropdowns sourced from a query, select 'Query' as source and write a KQL query to populate options. Parameters appear at the top of the workbook.

4. Add Query Step

Click 'Add' and select 'Add query'. Choose Log Analytics as data source. Write the KQL query using the parameter values (e.g., `where TimeGenerated {TimeRange}`). Select visualization type (e.g., Time chart, Bar chart, Table). Configure advanced settings like grid formatting or chart colors.

5. Add Text Step

Add Markdown text to provide context or instructions. Click 'Add' and select 'Add text'. Write content using Markdown syntax (e.g., headers, lists, links). This step can be used to label sections or explain findings.

What This Looks Like on the Job

Scenario 1: SOC Daily Incident Monitoring

A large enterprise SOC uses a workbook to track daily security incidents. The workbook is pinned to an Azure dashboard displayed on a wall monitor. It shows a time chart of incidents by severity, a table of top 10 alert types, and a map of attack origins. Parameters allow analysts to filter by date range and severity. The workbook queries the SecurityAlert table. Performance is acceptable because the time range is limited to 7 days. Misconfiguration: If the query does not use a time filter, it scans the entire table, causing timeouts. Best practice: always include a time range parameter.

Scenario 2: User Investigation Workbook

A security analyst frequently investigates compromised accounts. They use a workbook with parameters for username and time range. The workbook displays a timeline of user activities (logins, alert triggers, Azure AD sign-ins) and a table of recent security events. The workbook uses cross-table queries joining SigninLogs and SecurityEvent. Common issue: parameters are not bound to queries correctly, resulting in blank visualizations. Solution: verify parameter names match the KQL variable syntax {ParameterName}.
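As an added example (not part of this chapter and not Microsoft's own tooling), the following Python builds a minimal workbook JSON template of the shape described under "How Workbooks Work Internally" and lints it for the two misconfigurations from Scenarios 1 and 2 (a query step with no time filter, and a `{Parameter}` reference with no matching parameter definition), plus the 50-step limit. The item type codes and content field names are assumed to follow the Azure Workbooks JSON schema; the sample template, its step names and the hypothetical `{User}` reference are constructed for the demonstration.

```python
import json
import re

MAX_STEPS = 50  # step limit stated in this chapter

# Constructed sample template. Assumption: item "type" codes (9 = parameters,
# 3 = query, 1 = text) and the "content" field names follow the Azure Workbooks
# JSON schema; check them against an exported workbook before relying on them.
WORKBOOK_JSON = json.dumps({
    "version": "Notebook/1.0",
    "items": [
        {"type": 9, "name": "parameters - 0",
         "content": {"version": "KqlParameterItem/1.0", "parameters": [
             {"name": "TimeRange", "type": 4, "value": {"durationMs": 604800000}},
             {"name": "Account", "type": 2, "query": "SecurityEvent | distinct Account"}]}},
        {"type": 3, "name": "query - failed logins",
         "content": {"version": "KqlItem/1.0", "visualization": "timechart",
                     "query": "SecurityEvent\n| where TimeGenerated {TimeRange}\n"
                              "| where EventID == 4625 and Account == '{Account}'\n"
                              "| summarize count() by bin(TimeGenerated, 1h)"}},
        # Scenario 2 misconfiguration: {User} is referenced but never defined.
        {"type": 3, "name": "query - unbound parameter",
         "content": {"version": "KqlItem/1.0", "visualization": "table",
                     "query": "SigninLogs\n| where TimeGenerated {TimeRange}\n"
                              "| where UserPrincipalName == '{User}'"}},
        # Scenario 1 misconfiguration: no time filter, so the whole table is scanned.
        {"type": 3, "name": "query - no time filter",
         "content": {"version": "KqlItem/1.0", "visualization": "table",
                     "query": "SecurityAlert | summarize count() by AlertSeverity"}},
    ],
})

PARAM_REF = re.compile(r"\{(\w+)(?::\w+)?\}")  # matches {Name} or {Name:format}
TIME_FILTER = re.compile(r"TimeGenerated\s*(?:\{\w+\}|[<>]=?\s*ago\()")


def lint_workbook(template: str) -> list:
    # Returns human-readable findings for a workbook JSON template.
    wb = json.loads(template)
    items = wb.get("items", [])
    findings = []
    if len(items) > MAX_STEPS:
        findings.append(f"{len(items)} steps exceeds the {MAX_STEPS}-step limit")
    # Parameters are defined at workbook level, in parameters steps (type 9).
    defined = {p["name"] for it in items if it.get("type") == 9
               for p in it["content"]["parameters"]}
    for it in items:
        if it.get("type") != 3:
            continue
        query = it["content"]["query"]
        for ref in sorted(set(PARAM_REF.findall(query)) - defined):
            findings.append(f"{it['name']}: parameter {{{ref}}} is not defined")
        if not TIME_FILTER.search(query):
            findings.append(f"{it['name']}: no TimeGenerated filter")
    return findings
```

Run `lint_workbook(WORKBOOK_JSON)` against an exported template before saving a workbook; a finding on a query step points at exactly the blank-visualization or timeout symptom the scenarios describe.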

Scenario 3: Compliance Reporting

A compliance officer needs monthly reports on failed logins per department. A workbook with a parameter for month and department (populated from a query) generates a bar chart and table. The workbook is exported to Excel for distribution. Challenge: the workbook does not support scheduling; the officer must manually refresh and export. Mitigation: pin the workbook to an Azure dashboard and use Power BI for automated reporting. Misconfiguration: using a time range parameter that defaults to 24 hours, causing incomplete monthly data. Fix: set default to 30 days.

How SC-200 Actually Tests This

What SC-200 Tests

Objective 2.1: Create and manage Microsoft Sentinel workbooks. The exam expects you to know how to create a workbook from a template, add parameters, write KQL queries, and configure visualizations.

Common question types: 'Which step should you add to filter data by user?', 'What is the default time range for a workbook?', 'How do you create a dropdown parameter populated from a query?'

Most Common Wrong Answers

1. Choosing 'Add parameter' from the wrong location: Candidates think parameters are added from the query step settings. Reality: parameters are added via the 'Add parameters' button at the workbook level, not per step.

2. Selecting a non-Log Analytics data source: The exam may offer options like Azure Data Explorer or Application Insights. Only Log Analytics is valid for Sentinel workbooks.

3. Assuming workbooks auto-refresh: Candidates think workbooks refresh automatically. Reality: only tiles pinned to Azure dashboards auto-refresh (every 5 minutes). The workbook itself requires manual refresh.

4. Confusing workbook templates with saved workbooks: Templates are read-only; you must save a copy to customize. The exam may ask about saving a template as a new workbook.

Specific Numbers and Terms

Default time range: 24 hours.

Query timeout: 3 minutes.

Maximum rows per query: 10,000.

Maximum steps: 50.

Parameter types: Text, Number, Boolean, Drop down, Time range picker.

Visualization types: Table, Chart (Bar, Line, Pie, Area), Map, Tile, Text.

Data source: Log Analytics workspace (only).

Edge Cases

Parameters with default values that are not used in queries: The parameter will still appear but has no effect.

Cross-workspace queries require the workspace identifier in the query (e.g., union Workspace('workspaceId').SecurityEvent). The exam may test whether this syntax is correct.

When a query returns no data, the visualization shows an empty result or a 'No data' message. This is expected behavior.

How to Eliminate Wrong Answers

If an answer mentions a data source other than Log Analytics, eliminate it.

If an answer suggests that workbooks auto-refresh without pinning, eliminate it.

If an answer proposes adding a parameter inside a query step, it is wrong because parameters are added at workbook level.

For questions about populating a dropdown, look for the option that uses a query as the source, not a static list.

Key Takeaways

Workbooks are built on the Azure Monitor Workbooks framework.

Data source is always the Log Analytics workspace linked to Sentinel.

Parameters allow dynamic filtering and are defined at workbook level.

Default time range is 24 hours; can be overridden by a parameter.

Query timeout is 3 minutes; max rows returned is 10,000.

Workbooks do not auto-refresh; pin to Azure dashboard for periodic refresh.

Templates are read-only; save a copy to customize.

KQL queries use `{ParameterName}` to reference parameters.

Supported visualizations: table, chart, map, tile, text.

Maximum steps per workbook: 50.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Workbook Templates

Pre-built by Microsoft or community

Read-only; must be saved as a copy to edit

Available in the workbook gallery

Quick to deploy for common scenarios

May not fit exact requirements

Custom Workbooks

Created from scratch or customized from template

Fully editable; saved as a new workbook

Created via 'Add workbook' button

Tailored to specific use cases

Requires KQL and JSON knowledge

Watch Out for These

Mistake

Workbooks can use any Azure data source like Application Insights or Azure Data Explorer.

Correct

Sentinel workbooks only support Log Analytics workspaces as the data source. Other data sources are not available.

Mistake

Workbooks automatically refresh data every 5 minutes.

Correct

Workbooks do not auto-refresh. Only when pinned to an Azure dashboard do tiles refresh every 5 minutes. The workbook itself requires manual refresh.

Mistake

Parameters can only be defined within a query step.

Correct

Parameters are defined at the workbook level using the 'Add parameters' button, not within individual query steps. They are then referenced in queries using `{ParameterName}`.

Mistake

You can create a workbook directly from the Log Analytics workspace.

Correct

Workbooks are created and managed within Microsoft Sentinel under Threat Management > Workbooks, not directly from Log Analytics.

Mistake

The maximum number of rows a query can return is unlimited.

Correct

Each query step in a workbook returns a maximum of 10,000 rows. Use `take` or `limit` to control results.


Frequently Asked Questions

How do I create a dropdown parameter in a Sentinel workbook?

In the workbook editor, click 'Add parameters'. Define a parameter with type 'Drop down'. For the source, choose 'Query' to populate the dropdown from a KQL query (e.g., `SecurityEvent | distinct Account`). Set the default value as needed. Then in your query steps, reference the parameter using `{ParameterName}`. This allows users to select an account and filter the workbook data accordingly.

Can I schedule a workbook to run automatically?

No, workbooks do not support scheduling. However, you can pin a workbook visualization to an Azure dashboard, which will refresh every 5 minutes. For automated reporting, export workbook data to Excel or use Power BI with a scheduled refresh from Log Analytics.

What is the difference between a workbook and a workbook template?

A workbook template is a pre-built, read-only workbook provided by Microsoft or the community. You can view it and save a copy as a new workbook, which then becomes editable. A custom workbook is created from scratch or from a saved template and can be fully customized.

Why is my workbook query returning no data?

Common causes: the time range is too narrow, the parameter filter is excluding all results, the table name is incorrect, or the workspace has no data for the specified query. Check the query in Log Analytics first, ensure parameters are correctly referenced with `{ParameterName}`, and verify the time range covers the expected data.

Can I use cross-workspace queries in a workbook?

Yes, using the `union` operator with the workspace identifier. For example: `union Workspace('workspaceId').SecurityEvent`. The user must have read permissions on the target workspace. This is useful for combining data from multiple Sentinel workspaces.

How do I change the default time range of a workbook?

Add a time range parameter with the desired default (e.g., 'Last 7 days'). Then in each query step, use the parameter in the `where` clause (e.g., `where TimeGenerated {TimeRange}`). If no parameter is used, the default time range is 24 hours, which can be changed in the query step settings under 'Time range'.

What visualizations are available in Sentinel workbooks?

Supported visualizations include Table, Chart (Bar, Line, Pie, Area), Map, Tile, and Text. You can also use custom visualizations via JSON. Visualizations are configured in the query step's 'Visualization' dropdown.

