Visualize and monitor your data by using workbooks in Microsoft Sentinel
After you connect your data sources to Microsoft Sentinel, visualize and monitor the data using workbooks in Microsoft Sentinel. Microsoft Sentinel allows you to create custom workbooks across your data or, use existing workbook templates available with packaged solutions or as standalone content from the content hub. These templates allow you to quickly gain insights across your data as soon as you connect a data source.
This article describes how to visualize your data in Microsoft Sentinel by using workbooks.
Important
Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Prerequisites
You must have at least Workbook reader or Workbook contributor permissions on the resource group of the Microsoft Sentinel workspace.
The workbooks that you see in Microsoft Sentinel are saved within the Microsoft Sentinel workspace's resource group and are tagged by the workspace in which they were created.
To use a workbook template, install the solution that contains the workbook or install the workbook as a standalone item from the Content Hub. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.
Create a workbook from a template
Use a template installed from the content hub to create a workbook.
For Microsoft Sentinel in the Azure portal, under Threat management, select Workbooks.
For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Threat management > Workbooks.Go to Workbooks and then select Templates to see the list of workbook templates installed.
To see which templates are relevant to the data types you connected, review the Required data types field in each workbook where available.
Select Save from the template details pane and the location where you want to save the JSON file for the template. This action creates an Azure resource based on the relevant template and saves the JSON file of the workbook not the data.
Select View saved workbook from the template details pane.
Select the Edit button in the workbook toolbar to customize the workbook according to your needs.
To clone your workbook, select Edit and then Save as. Save the clone with another name, under the same subscription and resource group. Cloned workbooks are displayed under the My workbooks tab.
When you're done, select Save to save your changes.
For more information, see how to Create interactive reports with Azure Monitor Workbooks.
Create new workbook
Create a workbook from scratch in Microsoft Sentinel.
For Microsoft Sentinel in the Azure portal, under Threat management, select Workbooks.
For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Threat management > Workbooks.Select Add workbook.
To edit the workbook, select Edit, and then add text, queries, and parameters as necessary. For more information on how to customize the workbook, see how to Create interactive reports with Azure Monitor Workbooks.
When building a query, set the Data source to Logs and Resource type to Log Analytics, and then choose one or more workspaces.
We recommend that your query uses an Advanced Security Information Model (ASIM) parser and not a built-in table. The query will then support any current or future relevant data source rather than a single data source.
After you create your workbook, save the workbook under the subscription and resource group of your Microsoft Sentinel workspace.
If you want to let others in your organization use the workbook, under Save to select Shared reports. If you want this workbook to be available only to you, select My reports.
To switch between workbooks in your workspace, select Open
in the toolbar of any workbook. The screen switches to a list of other workbooks you can switch to.Select the workbook you want to open:
Refresh your workbook data
Refresh your workbook to display updated data. In the toolbar, select one of the following options:
Refresh, to manually refresh your workbook data.
Auto refresh, to set your workbook to automatically refresh at a configured interval.Supported auto refresh intervals range from 5 minutes to 1 day.
Auto refresh is paused while you're editing a workbook, and intervals are restarted each time you switch back to view mode from edit mode.
Auto refresh intervals are also restarted if you manually refresh your data.
By default, auto refresh is turned off. To optimize performance, auto refresh is turned off each time you close a workbook. It doesn't run in the background. Turn auto refresh back on as needed the next time you open the workbook.
Print a workbook or save as PDF
To print a workbook, or save it as a PDF, use the options menu to the right of the workbook title.
Select options >
Print content.In the print screen, adjust your print settings as needed or select Save as PDF to save it locally.
For example:
How to delete workbooks
To delete a saved workbook, either a saved template or a customized workbook, select the saved workbook that you want to delete and select Delete. This action removes the saved workbook. It also removes the workbook resource and any changes you made to the template. The original template remains available.
Related articles
To learn about popular built-in workbooks, see Commonly used Microsoft Sentinel workbooks.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for