Commonly used Microsoft Sentinel workbooks


Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

The following table lists the most commonly used, built-in Microsoft Sentinel workbooks.

Access workbooks in Microsoft Sentinel under Threat Management > Workbooks on the left, and then search for the workbook you want to use. For more information, see Visualize and monitor your data.


We recommend deploying any workbooks associated with the data you're ingesting. Workbooks allow for broader monitoring and investigating based on your collected data.

For more information, see Connect data sources and Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions.

Workbook name Description
Analytics Efficiency Provides insights into the efficacy of your analytics rules to help you achieve better SOC performance.

For more information, see The Toolkit for Data-Driven SOCs.
Azure Activity Provides extensive insight into your organization's Azure activity by analyzing and correlating all user operations and events.

For more information, see Auditing with Azure Activity logs.
Azure AD Audit logs Uses Azure Active Directory audit logs to provide insights into Azure AD scenarios.

For more information, see Quickstart: Get started with Microsoft Sentinel.
Azure AD Audit, Activity and Sign-in logs Provides insights into Azure Active Directory Audit, Activity, and Sign-in data with one workbook. Shows activity such as sign-ins by location, device, failure reason, user action, and more.

This workbook can be used by both Security and Azure administrators.
Azure AD Sign-in logs Uses the Azure AD sign-in logs to provide insights into Azure AD scenarios.
Microsoft cloud security benchmark Provides a single pane of glass for gathering and managing data to address Microsoft cloud security benchmark control requirements, aggregating data from 25+ Microsoft security products.

For more information, see our TechCommunity blog.
Cybersecurity Maturity Model Certification (CMMC) Provides a mechanism for viewing log queries aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Office 365, Teams, Intune, Azure Virtual Desktop, and so on.

For more information, see our TechCommunity blog.
Data collection health monitoring / Usage monitoring Provides insights into your workspace's data ingestion status, such as ingestion size, latency, and number of logs per source. View monitors and detect anomalies to help you determine your workspaces data collection health.

For more information, see Monitor the health of your data connectors with this Microsoft Sentinel workbook.
Event Analyzer Enables you to explore, audit, and speed up Windows Event Log analysis, including all event details and attributes, such as security, application, system, setup, directory service, DNS, and so on.
Exchange Online Provides insights into Microsoft Exchange online by tracing and analyzing all Exchange operations and user activities.
Identity & Access Provides insight into identity and access operations in Microsoft product usage, via security logs that include audit and sign-in logs.
Incident Overview Designed to help with triage and investigation by providing in-depth information about an incident, including general information, entity data, triage time, mitigation time, and comments.

For more information, see The Toolkit for Data-Driven SOCs.
Investigation Insights Provides analysts with insight into incident, bookmark, and entity data. Common queries and detailed visualizations can help analysts investigate suspicious activities.
Microsoft Defender for Cloud Apps - discovery logs Provides details about the cloud apps that are used in your organization, and insights from usage trends and drill-down data for specific users and applications.

For more information, see Connect data from Microsoft Defender for Cloud Apps.
MITRE ATT&CK Workbook Provides details about MITRE ATT&CK coverage for Microsoft Sentinel.
Office 365 Provides insights into Office 365 by tracing and analyzing all operations and activities. Drill down into SharePoint, OneDrive, Teams, and Exchange data.
Security Alerts Provides a Security Alerts dashboard for alerts in your Microsoft Sentinel environment.

For more information, see Automatically create incidents from Microsoft security alerts.
Security Operations Efficiency Intended for security operations center (SOC) managers to view overall efficiency metrics and measures regarding the performance of their team.

For more information, see Manage your SOC better with incident metrics.
Threat Intelligence Provides insights into threat indicators, including type and severity of threats, threat activity over time, and correlation with other data sources, including Office 365 and firewalls.

For more information, see Understand threat intelligence in Microsoft Sentinel and our TechCommunity blog.
Zero Trust (TIC3.0) Provides an automated visualization of Zero Trust principles, cross-walked to the Trusted Internet Connections framework.

For more information, see the Zero Trust (TIC 3.0) workbook announcement blog.