5: Workbooks Flashcards
(14 cards)
What is a workbook in Microsoft Sentinel?
An interactive, customizable dashboard that visualizes data from your logs using charts, tables, KPIs, and other visuals.
Where do you access workbooks in Sentinel?
Microsoft Sentinel > [Workspace] > Workbooks
What are workbooks used for?
Monitoring, investigation, reporting, and high-level visibility across your environment.
What kinds of visuals can workbooks display?
Line graphs, pie charts, tables, KPIs, heatmaps, bar graphs, and more.
Can you create your own workbooks?
Yes, using KQL queries and drag-and-drop configuration.
Can workbooks be customized?
Yes. You can edit, filter, clone, or modify them to match your mission set, enclave, or role.
What kind of data can be shown in a workbook?
Any data stored in Log Analytics—alerts, sign-ins, audit logs, network activity, threat intel, etc.
What’s the difference between a workbook and a dashboard?
Workbooks are dynamic and built from KQL queries; dashboards are more static and pin individual tiles.
Why are workbooks useful to customers?
They give real-time insight into trends, anomalies, and health across tools and enclaves, and support both analyst workflows and executive reporting.
Can I use workbooks for executive summaries?
Yes. You can build high-level overviews with KPIs, alert trends, and visuals tailored for leadership.
Do data connectors come with prebuilt workbooks?
Often yes—especially for Defender, Azure AD, Office 365, and common log sources.
What’s a use case for workbook heatmaps?
Visualizing login attempts by country or IP to identify geographic anomalies or access attempts from unfamiliar locations.
What’s the advantage of trend-over-time visuals in a workbook?
They help spot unusual spikes, drops, or emerging patterns in activity or alert volume.
Can you filter workbook data by host, user, time, or product?
Yes. Workbooks are highly filterable to support focused investigation or enclave-specific views.
