Commonly used Microsoft Sentinel workbooks

The following table lists the most commonly used, built-in Microsoft Sentinel workbooks.

Access workbooks in Microsoft Sentinel under Threat Management > Workbooks on the left, and then search for the workbook you want to use. For more information, see Visualize and monitor your data.

We recommend deploying any workbooks associated with the data you're ingesting. Workbooks allow for broader monitoring and investigating based on your collected data.

For more information, see Connect data sources and Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions.

| Workbook name | Description |
|---|---|
| Analytics Efficiency | Provides insights into the efficacy of your analytics rules to help you achieve better SOC performance. For more information, see The Toolkit for Data-Driven SOCs. |
| Azure Activity | Provides extensive insight into your organization's Azure activity by analyzing and correlating all user operations and events. For more information, see Auditing with Azure Activity logs. |
| Microsoft Entra audit logs | Uses Microsoft Entra audit logs to provide insights into Microsoft Entra scenarios. For more information, see Quickstart: Get started with Microsoft Sentinel. |
| Microsoft Entra audit, Activity and Sign-in logs | Provides insights into Microsoft Entra audit, Activity, and Sign-in data with one workbook. Shows activity such as sign-ins by location, device, failure reason, user action, and more. This workbook can be used by both Security and Azure administrators. |
| Microsoft Entra sign-in logs | Uses the Microsoft Entra sign-in logs to provide insights into Microsoft Entra scenarios. |
| Microsoft cloud security benchmark | Provides a single pane of glass for gathering and managing data to address Microsoft cloud security benchmark control requirements, aggregating data from 25+ Microsoft security products. For more information, see our TechCommunity blog. |
| Cybersecurity Maturity Model Certification (CMMC) | Provides a mechanism for viewing log queries aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Office 365, Teams, Intune, Azure Virtual Desktop, and so on. For more information, see our TechCommunity blog. |
| Data collection health monitoring / Usage monitoring | Provides insights into your workspace's data ingestion status, such as ingestion size, latency, and number of logs per source. View monitors and detect anomalies to help you determine your workspace's data collection health. For more information, see Monitor the health of your data connectors with this Microsoft Sentinel workbook. |
| Event Analyzer | Enables you to explore, audit, and speed up Windows Event Log analysis, including all event details and attributes, such as security, application, system, setup, directory service, DNS, and so on. |
| Exchange Online | Provides insights into Microsoft Exchange Online by tracing and analyzing all Exchange operations and user activities. |
| Identity & Access | Provides insight into identity and access operations in Microsoft product usage, via security logs that include audit and sign-in logs. |
| Incident Overview | Designed to help with triage and investigation by providing in-depth information about an incident, including general information, entity data, triage time, mitigation time, and comments. For more information, see The Toolkit for Data-Driven SOCs. |
| Investigation Insights | Provides analysts with insight into incident, bookmark, and entity data. Common queries and detailed visualizations can help analysts investigate suspicious activities. |
| Microsoft Defender for Cloud Apps - discovery logs | Provides details about the cloud apps that are used in your organization, and insights from usage trends and drill-down data for specific users and applications. For more information, see Connect data from Microsoft Defender for Cloud Apps. |
| MITRE ATT&CK Workbook | Provides details about MITRE ATT&CK coverage for Microsoft Sentinel. |
| Office 365 | Provides insights into Office 365 by tracing and analyzing all operations and activities. Drill down into SharePoint, OneDrive, Teams, and Exchange data. |
| Security Alerts | Provides a Security Alerts dashboard for alerts in your Microsoft Sentinel environment. For more information, see Automatically create incidents from Microsoft security alerts. |
| Security Operations Efficiency | Intended for security operations center (SOC) managers to view overall efficiency metrics and measures regarding the performance of their team. For more information, see Manage your SOC better with incident metrics. |
| Threat Intelligence | Provides insights into threat indicators, including type and severity of threats, threat activity over time, and correlation with other data sources, including Office 365 and firewalls. For more information, see Understand threat intelligence in Microsoft Sentinel and our TechCommunity blog. |
| Zero Trust (TIC3.0) | Provides an automated visualization of Zero Trust principles, cross-walked to the Trusted Internet Connections framework. For more information, see the Zero Trust (TIC 3.0) workbook announcement blog. |