Create rich, interactive reports of Defender for Cloud data

Azure Monitor Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences.

Workbooks provide a rich set of capabilities for visualizing your Azure data. For detailed examples of each visualization type, see the visualizations examples and documentation.

Within Microsoft Defender for Cloud, you can access the built-in workbooks to track your organization’s security posture. You can also build custom workbooks to view a wide range of data from Defender for Cloud or other supported data sources.

Secure score over time workbook.

Availability

Aspect Details
Release state: General availability (GA)
Pricing: Free
Required roles and permissions: To save workbooks, you must have at least Workbook Contributor permissions on the target resource group
Clouds: Commercial clouds
National (Azure Government, Azure China 21Vianet)

With the integrated Azure Workbooks functionality, Microsoft Defender for Cloud makes it straightforward to build your own custom, interactive workbooks. Defender for Cloud also includes a gallery with the following workbooks ready for your customization:

  • 'Secure Score Over Time' workbook - Track your subscriptions' scores and changes to recommendations for your resources
  • 'System Updates' workbook - View missing system updates by resources, OS, severity, and more
  • 'Vulnerability Assessment Findings' workbook - View the findings of vulnerability scans of your Azure resources
  • 'Compliance Over Time' workbook - View the status of a subscription's compliance with the regulatory or industry standards you've selected
  • 'Active Alerts' workbook - View active alerts by severity, type, tag, MITRE ATT&CK tactics, and location.
  • Price Estimation workbook - View monthly consolidated price estimations for Microsoft Defender for Cloud plans based on the resource telemetry in your own environment. These numbers are estimates based on retail prices and do not provide actual billing data.
  • Governance workbook - The governance report in the governance rules settings lets you track progress of the rules effective in the organization.

In addition to the built-in workbooks, you can also find other useful workbooks found under the “Community" category, which are provided as is with no SLA or support. Choose one of the supplied workbooks or create your own.

Screenshot showing the gallery of built-in workbooks in Microsoft Defender for Cloud.

Tip

Use the Edit button to customize any of the supplied workbooks to your satisfaction. When you're done editing, select Save and your changes will be saved to a new workbook.

Editing the supplied workbooks to customize them for your particular needs.

Use the 'Secure Score Over Time' workbook

This workbook uses secure score data from your Log Analytics workspace. That data needs to be exported from the continuous export tool as described in Configure continuous export from the Defender for Cloud pages in Azure portal.

When you set up the continuous export, set the export frequency to both streaming updates and snapshots.

For the secure score over time workbook you'll need to select both of these options from the export frequency settings in your continuous export configuration.

Note

Snapshots get exported weekly, so you'll need to wait at least one week for the first snapshot to be exported before you can view data in this workbook.

Tip

To configure continuous export across your organization, use the supplied Azure Policy 'DeployIfNotExist' policies described in Configure continuous export at scale.

The secure score over time workbook has five graphs for the subscriptions reporting to the selected workspaces:

Graph Example
Score trends for the last week and month
Use this section to monitor the current score and general trends of the scores for your subscriptions.
Trends for secure score on the built-in workbook.
Aggregated score for all selected subscriptions
Hover your mouse over any point in the trend line to see the aggregated score at any date in the selected time range.
Aggregated score for all selected subscriptions.
Recommendations with the most unhealthy resources
This table helps you triage the recommendations that have had the most resources changed to unhealthy over the selected period.
Recommendations with the most unhealthy resources.
Scores for specific security controls
Defender for Cloud's security controls are logical groupings of recommendations. This chart shows you, at a glance, the weekly scores for all of your controls.
Scores for your security controls over the selected time period.
Resources changes
Recommendations with the most resources that have changed state (healthy, unhealthy, or not applicable) during the selected period are listed here. Select any recommendation from the list to open a new table listing the specific resources.
Recommendations with the most resources that have changed health state.

Use the 'System Updates' workbook

This workbook is based on the security recommendation "System updates should be installed on your machines".

The workbook helps you identify machines with outstanding updates.

You can view the situation for the selected subscriptions according to:

  • The list of resources with outstanding updates
  • The list of updates missing from your resources

Defender for Cloud's system updates workbook based on the missing updates security recommendation

Use the 'Vulnerability Assessment Findings' workbook

Defender for Cloud includes vulnerability scanners for your machines, containers in container registries, and SQL servers.

Learn more about using these scanners:

Findings for each resource type are reported in separate recommendations:

This workbook gathers these findings and organizes them by severity, resource type, and category.

Defender for Cloud's vulnerability assessment findings report.

Use the 'Compliance Over Time' workbook

Microsoft Defender for Cloud continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. Built-in standards include NIST SP 800-53, SWIFT CSP CSCF v2020, Canada Federal PBMM, HIPAA HITRUST, and more. You can select the specific standards relevant to your organization using the regulatory compliance dashboard. Learn more in Customize the set of standards in your regulatory compliance dashboard.

This workbook tracks your compliance status over time with the various standards you've added to your dashboard.

Select the standards for your compliance over time report.

When you select a standard from the overview area of the report, the lower pane reveals a more detailed breakdown:

Detailed breakdown of the changes regarding a specific standard.

You can keep drilling down - right down to the recommendation level - to view the resources that have passed or failed each control.

Tip

For each panel of the report, you can export the data to Excel with the "Export to Excel" option.

Exporting compliance workbook data to Excel.

Use the 'Active Alerts' workbook

This workbook displays the active security alerts for your subscriptions on one dashboard. Security alerts are the notifications that Defender for Cloud generates when it detects threats on your resources. Defender for Cloud prioritizes, and lists the alerts, along with information needed for quick investigation and remediation.

This workbook benefits you by letting you understand the active threats on your environment, and allows you to prioritize between the active alerts.

Note

Most workbooks use Azure Resource Graph (ARG) to query their data. For example, to display the Map View, Log Analytics workspace is used to query the data. Continuous export should be enabled, and export the security alerts to the Log Analytics workspace.

You can view the active alerts by severity, resource group, or tag.

Screenshot showing a sample view of the alerts viewed by Severity, Resource Group, or Tag.

You can also view your subscription's top alerts by attacked resources, alert types, and new alerts.

Screenshot highlighting the top alerts for your subscriptions.

You can get more details on any of these alerts by selecting it.

Screenshot that shows all the active alerts with high severity from a specific resource.

The MITRE ATT&CK tactics displays by the order of the kill-chain, and the number of alerts the subscription has at each stage.

Screenshot showing the order of the kill-chain, and the number of alerts

You can see all of the active alerts in a table with the ability to filter by columns. By selecting an alert, the alert view button appears.

Screenshot showing the table of active alerts.

By selecting the Open Alert View button, you can see all the details of that specific alert.

Screenshot of an alert's details.

By selecting Map View, you can also see all alerts based on their location.

Screenshot of the alerts when viewed in a map.

By selecting a location on the map you will be able to view all of the alerts for that location.

Screenshot showing the alerts in a specific location.

You can see the details for that alert with the Open Alert View button.

Import workbooks from other workbook galleries

If you've built workbooks in other Azure services and want to move them into your Microsoft Defender for Cloud workbooks gallery:

  1. Open the target workbook.

  2. From the toolbar, select Edit.

    Editing an Azure Monitor workbook.

  3. From the toolbar, select </> to enter the Advanced Editor.

    Launching the advanced editor to get the Gallery Template JSON code.

  4. Copy the workbook's Gallery Template JSON.

  5. Open the workbooks gallery in Defender for Cloud and from the menu bar select New.

  6. Select the </> to enter the Advanced Editor.

  7. Paste in the entire Gallery Template JSON.

  8. Select Apply.

  9. From the toolbar, select Save As.

    Saving the workbook to the gallery in Defender for Cloud.

  10. Enter the required details for saving the workbook:

    1. A name for the workbook
    2. The desired region
    3. Subscription, resource group, and sharing as appropriate.

You'll find your saved workbook in the Recently modified workbooks category.

Next steps

This article described Defender for Cloud's integrated Azure Monitor Workbooks page with built-in reports and the option to build your own custom, interactive reports.