7.4 Workbooks for Visual Review

Key Takeaways

  • Workbooks are the Sentinel concept for visualizing and reviewing security information.
  • A workbook is not the same thing as an analytics rule or an automated response.
  • Workbook questions often use dashboard, visualization, or reporting language.
  • Workbooks support understanding and investigation after data is available.
Last updated: May 2026

Workbooks Make Security Data Easier to See

A workbook is the Microsoft Sentinel concept to remember when a scenario talks about visual review, dashboards, or reporting-style views for security operations. The source brief names workbooks as a Sentinel topic, so do not move a workbook scenario to Microsoft Purview just because the wording includes report or dashboard. The key is the subject matter: Sentinel workbooks are about security operations information.

Workbooks fit after data is available. If no security signals are connected, there is little useful information to visualize. After data is connected, a workbook can help a team review trends, investigate activity, and communicate what is happening in the security environment. That makes workbooks supportive, not the primary detection engine.

Scenario wording                          | Best Sentinel concept        | Why
------------------------------------------|------------------------------|----------------------------------------
Show security activity in a visual view   | Workbook                     | Visual review of security information
Detect suspicious behavior from data      | Analytics rule               | Detection logic and evaluation
Search for unusual activity proactively   | Hunting                      | Analyst-driven investigation
Coordinate response steps                 | Playbook or automation rule  | Response workflow and automation

Do not treat workbooks as the same thing as incidents. An incident is the investigation object when suspicious activity needs attention. A workbook is a way to view and analyze information. They can support the same security operations process, but they answer different scenario verbs: "investigate this" points to an incident, "show me this" points to a workbook.

This distinction helps with product matching. A question about visualizing security operations data should still point to Sentinel, while a question about compliance score should point to Microsoft Purview Compliance Manager. A question about role activation should point to Microsoft Entra Privileged Identity Management. The noun dashboard is not enough by itself; the topic behind the dashboard is what matters.

Use the following workbook cues:

  • Dashboard for security operations.

  • Visualize security data already connected to Sentinel.

  • Review trends or activity during investigation.

  • Present information that supports threat detection work.

  • Improve analyst understanding without creating the detection rule itself.

For SC-900, you do not need to build workbook queries or design a visualization layout. Know that workbooks are part of Microsoft Sentinel, they help security teams see and understand available data, and they differ from analytics rules, hunting, incidents, automation rules, and Logic Apps playbooks.

Workbook Decision Check

Workbook questions are usually about seeing security information clearly, not creating the detection itself. If the scenario asks for visual review of Sentinel data, stay with workbooks. If it asks for automatic detection, proactive search, or automated response, choose another Sentinel concept while keeping the product family the same.

  • Visual security review means workbooks.

  • Detection logic means analytics rules.

  • Proactive investigation means hunting.

Test Your Knowledge

Which Microsoft Sentinel feature best matches a scenario about visual dashboards for security operations data?

Test Your Knowledge

How should you distinguish a workbook from an analytics rule in an SC-900 question?

Test Your Knowledge

A security team wants to review trends from connected Sentinel data in a visual format. What should they use?
