Commonly used Microsoft Sentinel workbooks
This article lists the most commonly used Microsoft Sentinel workbooks. Install the solution or standalone item that contains the workbook from the Content hub in Microsoft Sentinel. Get the workbook from the Content hub by selecting Manage on the solution or standalone item. Or, in Microsoft Sentinel under Threat Management, go to Workbooks and search for the workbook you want to use. For more information, see Visualize and monitor your data.
We recommend you deploy any workbooks associated with the data you ingest into Microsoft Sentinel. Workbooks allow for broader monitoring and investigating based on your collected data. For more information, see Microsoft Sentinel data connectors and Discover and manage Microsoft Sentinel out-of-the-box content.
Commonly used workbooks
The following table includes workbooks we recommend and the solution or standalone item from the Content hub that contains the workbook.
Workbook name | Description | Content hub title |
---|---|---|
Analytics Health & Audit | Provides visibility on the health and audit of your analytics rules. Find out whether an analytics rule is running as expected and get a list of changes made to an analytic rule. For more information, see Monitor the health and audit the integrity of your analytics rules. |
Analytics Health & Audit |
Azure Activity | Provides extensive insight into your organization's Azure activity by analyzing and correlating all user operations and events. For more information, see Auditing with Azure Activity logs. |
Azure Activity |
Azure Security Benchmark | Provides visibility for the security posture of cloud workloads. View log queries, Azure resource graph, and policies aligned to Azure Security Benchmark controls across Microsoft security offerings, Azure, Microsoft 365, 3rd party, on-premises, and multicloud workloads. For more information, see our TechCommunity blog. |
Azure Security Benchmark |
Cybersecurity Maturity Model Certification (CMMC) | Provides a way to view log queries aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Microsoft 365, Microsoft Teams, Intune, Azure Virtual Desktop, and more. For more information, see our TechCommunity blog. |
Cybersecurity Maturity Model Certification (CMMC) 2.0 |
Data collection health monitoring | Provides insights into your workspace's data ingestion status, such as ingestion size, latency, and number of logs per source. Monitors and detect anomalies to help you determine your workspaces data collection health. For more information, see Monitor the health of your data connectors with this Microsoft Sentinel workbook. |
Data collection health monitoring |
Event Analyzer | Explore, audit, and speed up Windows Event Log analysis. Includes all event details and attributes, such as security, application, system, setup, directory service, DNS, and more. | Windows Security Events |
Identity & Access | Provides insight into identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products. | Windows Security Events |
Incident Overview | Designed to help with triage and investigation by providing in-depth information about an incident, including general information, entity data, triage time, mitigation time, and comments. For more information, see The Toolkit for Data-Driven SOCs. |
SOC Handbook |
Investigation Insights | Provides analysts with insight into incident, bookmark, and entity data. Common queries and detailed visualizations can help analysts investigate suspicious activities. | SOC Handbook |
Microsoft Defender for Cloud Apps - discovery logs | Provides details about the cloud apps that are used in your organization, and insights from usage trends and drill-down data for specific users and applications. For more information, see Microsoft Defender for Cloud Apps connector for Microsoft Sentinel. |
Microsoft Defender for Cloud Apps |
Microsoft Entra Audit Logs | Uses the audit logs to gather insights around Microsoft Entra ID scenarios. Learn about user operations, including password and group management, device activities, and top active users and apps. For more information, see Quickstart: Get started with Microsoft Sentinel. |
Microsoft Entra ID |
Microsoft Entra Sign-in logs | Provides insights to sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, failed activities, and the errors that triggered the failures. | Microsoft Entra ID |
MITRE ATT&CK Workbook | Provides details about MITRE ATT&CK coverage for Microsoft Sentinel. | SOC Handbook |
Office 365 | Provides insights into Office 365 by tracing and analyzing all operations and activities. Drill down into SharePoint, OneDrive, Teams, and Exchange data. | Microsoft 365 |
Security Alerts | Provides a Security Alerts dashboard for alerts in your Microsoft Sentinel environment. For more information, see Automatically create incidents from Microsoft security alerts. |
SOC Handbook |
Security Operations Efficiency | Intended for security operations center (SOC) managers to view overall efficiency metrics and measures regarding the performance of their team. For more information, see Manage your SOC better with incident metrics. |
SOC Handbook |
Threat Intelligence | Provides insights into threat indicators ingestion. Search for indicators at scale across Microsoft 1st party, 3rd party, on-premises, hybrid, and multicloud workloads. For more information, see Understand threat intelligence in Microsoft Sentinel and our TechCommunity blog. |
Threat Intelligence |
Workspace Usage Report | Provides insights into your workspace's usage. View your workspace’s data consumption, latency, recommended tasks, and cost and usage statistics. | Workspace Usage Report |
Zero Trust (TIC3.0) | Provides an automated visualization of Zero Trust principles, cross-walked to the Trusted Internet Connections framework. For more information, see the Zero Trust (TIC 3.0) workbook announcement blog. |
Zero Trust (TIC 3.0) |