Useful resources for working with Microsoft Sentinel

This article lists resources that can help you get more information about working with Microsoft Sentinel.

Learn more about creating queries

Microsoft Sentinel uses Azure Monitor Log Analytics's Kusto Query Language (KQL) to build queries. For more information, see:

Microsoft Sentinel templates for data to monitor

The Azure Active Directory Security Operations Guide includes specific guidance and knowledge about data that's important to monitor for security purposes, for several operational areas.

In each article, check for sections named Things to monitor for lists of events that we recommend alerting on and investigating, as well as analytics rule templates to deploy directly to Microsoft Sentinel.

Learn more about creating automation

Create automation in Microsoft Sentinel using Azure Logic Apps, with a growing gallery of built-in playbooks.

For more information, see Azure Logic Apps connectors.

Compare playbooks, workbooks, and notebooks

The following table describes the differences between playbooks, workbooks, and notebooks in Microsoft Sentinel:

Personas
  Playbooks:
  • SOC engineers
  • Analysts of all tiers
  Workbooks:
  • SOC engineers
  • Analysts of all tiers
  Notebooks:
  • Threat hunters and Tier-2/Tier-3 analysts
  • Incident investigators
  • Data scientists
  • Security researchers

Uses
  Playbooks: Automation of simple, repeatable tasks:
  • Ingesting external data
  • Data enrichment with TI, GeoIP lookups, and more
  • Investigation
  • Remediation
  Workbooks:
  • Visualization
  Notebooks:
  • Querying Microsoft Sentinel data and external data
  • Data enrichment with TI, GeoIP lookups, WhoIs lookups, and more
  • Investigation
  • Visualization
  • Hunting
  • Machine learning and big data analytics

Advantages
  Playbooks:
  • Best for single, repeatable tasks
  • No coding knowledge required
  Workbooks:
  • Best for a high-level view of Microsoft Sentinel data
  • No coding knowledge required
  Notebooks:
  • Best for complex chains of repeatable tasks
  • Ad-hoc, more procedural control
  • Easier to pivot with interactive functionality
  • Rich Python libraries for data manipulation and visualization
  • Machine learning and custom analysis
  • Easy to document and share analysis evidence

Challenges
  Playbooks:
  • Not suitable for ad-hoc and complex chains of tasks
  • Not ideal for documenting and sharing evidence
  Workbooks:
  • Cannot integrate with external data
  Notebooks:
  • High learning curve and requires coding knowledge

More information
  Playbooks:
  • Automate threat response with playbooks in Microsoft Sentinel
  Workbooks:
  • Visualize collected data
  Notebooks:
  • Use Jupyter notebooks to hunt for security threats

Comment on our blogs and forums

We love hearing from our users.

In the TechCommunity space for Microsoft Sentinel:

You can also send suggestions for improvements via our User Voice program.

Join the Microsoft Sentinel GitHub community

The Microsoft Sentinel GitHub repository is a powerful resource for threat detection and automation.

Our Microsoft security analysts constantly create and add new workbooks, playbooks, hunting queries, and more, posting them to the community for you to use in your environment.

Download sample content from the private community GitHub repository to create custom workbooks, hunting queries, notebooks, and playbooks for Microsoft Sentinel.
