Compare playbooks, workbooks, and notebooks

This article describes the differences between playbooks, workbooks, and notebooks in Microsoft Sentinel.

Compare by persona

The following table compares Microsoft Sentinel playbooks, workbooks, and notebooks by the user persona:

Resource	Description
Playbooks	SOC engineers Analysts of all tiers
Workbooks	SOC engineers Analysts of all tiers
Notebooks	Threat hunters and Tier-2/Tier-3 analysts Incident investigators Data scientists Security researchers

Compare by use

The following table compares Microsoft Sentinel playbooks, workbooks, and notebooks by use case:

Resource	Description
Playbooks	Automation of simple, repeatable tasks: Ingesting external data Data enrichment with TI, GeoIP lookups, and more Investigation Remediation
Workbooks	Visualization
Notebooks	Querying Microsoft Sentinel data and external data Data enrichment with TI, GeoIP lookups, and WhoIs lookups, and more Investigation Visualization Hunting Machine learning and big data analytics

Compare by advantages and challenges

The following table compares the advantages and disadvantages of playbooks, workbooks, and notebooks in Microsoft Sentinel:

Resource	Advantages	Challenges
Playbooks	Best for single, repeatable tasks No coding knowledge required	Not suitable for ad-hoc and complex chains of tasks Not ideal for documenting and sharing evidence
Workbooks	Best for a high-level view of Microsoft Sentinel data No coding knowledge required	Can't integrate with external data
Notebooks	Best for complex chains of repeatable tasks Ad-hoc, more procedural control Easier to pivot with interactive functionality Rich Python libraries for data manipulation and visualization Machine learning and custom analysis Easy to document and share analysis evidence	High learning curve and requires coding knowledge

Related content

For more information, see:

• Automate threat response with playbooks in Microsoft Sentinel
• Visualize collected data with workbooks
• Use Jupyter notebooks to hunt for security threats