7.4 Workbooks for Visual Review

Key Takeaways

  • Workbooks are Sentinel's interactive visualization and dashboard layer, built on Azure Monitor Workbooks.
  • They turn ingested data into charts, grids, maps, and tiles for monitoring, reporting, and investigation.
  • Dozens of built-in workbook templates ship with connectors; workbooks can also be customized with KQL.
  • Workbooks visualize data — they do not detect threats (analytics rules) or automate response (playbooks).
  • A dashboard or visualization noun alone is not the cue; the subject must be security operations data for the answer to be Sentinel.
Last updated: June 2026

Workbooks Visualize Security Data

Workbooks are Microsoft Sentinel's interactive visualization and dashboard layer. They are built on Azure Monitor Workbooks, so the same engine that charts Azure telemetry powers Sentinel's security dashboards. A workbook turns ingested data into charts, tables, grids, time series, maps, and tiles that a SOC uses for monitoring, reporting, and investigation.

Workbooks come after data is connected. With no signals in the Log Analytics workspace, there is little to visualize. Once data is flowing, a workbook can show sign-in trends, incident volumes over time, top alerting rules, or geographic maps of suspicious traffic. That makes workbooks supportive — they help humans see and understand the environment — rather than the detection engine itself.

Sentinel ships with dozens of built-in workbook templates, and many connectors install a workbook tuned to their data source. Workbooks are also customizable: because they run KQL queries under the hood, an analyst can adjust or build visualizations, though SC-900 does not require you to do so.

Sentinel feature            | Verb it answers               | Output
Workbook                    | Visualize / report / monitor  | Charts, dashboards, grids
Analytics rule              | Detect                        | Alerts and incidents
Hunting                     | Proactively search            | Query results to triage
Playbook / automation rule  | Respond                       | Automated actions

Do not equate a workbook with an incident. An incident is the case you investigate when something needs attention; a workbook is a view that helps you understand activity and trends. They support the same SOC process but answer different prompt verbs.

The Dashboard Trap and Product Matching

The most common workbook trap is the word dashboard or report. Many Microsoft products show dashboards: Purview Compliance Manager shows a compliance score dashboard, Defender for Cloud shows Secure Score, and Microsoft Entra shows identity dashboards. The noun alone is not the cue — the subject matter is. If the prompt is about visualizing security operations data already in Sentinel, the answer is a workbook. If it is about a compliance posture score, it is Purview Compliance Manager. If it is about a cloud security posture score across Azure resources, it is Defender for Cloud Secure Score.

Use these workbook cues with confidence:

  • Dashboard or visual view of security operations data -> workbook.
  • Trends, charts, or reporting over connected Sentinel data -> workbook.
  • Present security activity to support an investigation -> workbook.
  • Create the detection logic itself -> analytics rule, not workbook.
  • Take an automated action -> playbook/automation rule, not workbook.

A useful distinction: a workbook reflects what the data shows; it does not decide that something is a threat (that is an analytics rule) and it does not act on a threat (that is a playbook). Keeping those three apart — see, detect, respond — lets you answer almost any Sentinel feature question.

For SC-900 you will not build a workbook or write its KQL. Know that workbooks are part of Microsoft Sentinel, they provide interactive dashboards and visualizations over ingested security data, they are built on Azure Monitor Workbooks, and they differ from analytics rules, hunting, incidents, and Logic Apps playbooks. When a scenario asks to visualize or report on security data, choose workbooks.

What Workbooks Show and How They Compare to Other Dashboards

A Sentinel workbook can combine many visualization elements on one canvas: time charts of incident or alert volume, bar and pie charts of top categories, grids of recent events, geographic maps of source IP addresses, and single-value tiles for key metrics such as open high-severity incidents. Because workbooks are built on Azure Monitor Workbooks, they support parameters, drill-downs, and tabs, so a single workbook can serve both an executive summary view and a deep analyst view.
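As an added illustration of the KQL that sits behind such panels (example queries written for this section, not taken from the page or from Microsoft's shipped templates), the two queries below would back a per-severity time chart and an "open high-severity incidents" tile over Sentinel's SecurityIncident table; each goes in its own workbook query step, and the workbook time-range parameter name TimeRange and the daily bin are assumptions.

```kql
// Added example, not from the page. Assumes a workbook time-range parameter named TimeRange,
// which Azure Monitor Workbooks expand inline (e.g. "| where TimeGenerated {TimeRange}").
//
// Query step 1: time chart of incident volume per day, split by severity.
// SecurityIncident writes a new row every time an incident is updated, so keep only the
// latest row per IncidentNumber first; otherwise updated incidents are counted repeatedly.
SecurityIncident
| where TimeGenerated {TimeRange}
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| summarize Incidents = count() by bin(CreatedTime, 1d), Severity
| render timechart

// Query step 2: single-value tile of currently open high-severity incidents.
// Same de-duplication, then keep incidents whose latest state is still New or Active.
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Severity == "High" and Status in ("New", "Active")
| count
```

The same two queries run unchanged in Logs (Log Analytics) once the {TimeRange} line is replaced by a fixed filter such as `| where TimeGenerated > ago(7d)`.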

Microsoft and connector solutions ship template workbooks for common sources — Microsoft Entra sign-ins, Microsoft 365, Azure activity, and many third-party firewalls — that a team can use immediately or clone and customize.

It is worth contrasting Sentinel workbooks with the other posture dashboards SC-900 covers, because the exam likes to test whether you can keep them straight by their subject, not their visual format:

Dashboard            | Product                              | What it summarizes
Workbook             | Microsoft Sentinel                   | Security operations data: incidents, alerts, signals
Secure Score         | Microsoft Defender for Cloud         | Cloud security posture across Azure/hybrid resources
Compliance score     | Microsoft Purview Compliance Manager | Progress against regulatory and standards controls
Identity dashboards  | Microsoft Entra                      | Sign-in, risk, and access governance views

Notice that all four are visual, yet only the workbook is about security operations telemetry inside Sentinel. If a prompt says "track our posture against ISO 27001," that is a compliance score in Purview; if it says "see our resource security recommendations and a percentage score," that is Secure Score in Defender for Cloud; only a request to visualize Sentinel's ingested security data or incident trends is a workbook.

For SC-900, remember three things about workbooks: they are the visualization layer of Sentinel, they are built on Azure Monitor Workbooks and ship as customizable templates, and they reflect data rather than detect threats or respond to them. Pair that with the see-detect-respond split — workbooks see, analytics rules detect, playbooks respond — and workbook questions become straightforward product-and-feature matches.

Test Your Knowledge

1. Which Microsoft Sentinel feature provides interactive dashboards and visualizations over ingested security data?

2. A prompt mentions a 'security operations dashboard.' Why is the dashboard noun alone not enough to pick the product?

3. How does a workbook differ from an analytics rule?