Workbooks, Playbooks and Notebooks. Oh my!
I published this blog originally a few years ago but we still have newcomers joining us in the Sentinel world so thought it was worth a repost. If you know any noobies, feel free to share it with them.
Microsoft's new(ish) cloud-based SIEM, Azure Sentinel, is a powerful solution that lets you collect security data across an entire organization including devices, users, apps and servers in any cloud - which means that there are a lot of working parts. When I first looked at the management page, I was confused by the fact that many of the terms are so similar. There are Workbooks. There are Playbooks. And there are Notebooks. What's a girl to do?
Workbooks
A workbook is really nothing more than a dashboard. In fact, in an earlier iteration of Sentinel, they were actually called Dashboards. You use Workbooks to view insights gathered from data collected from various sources. They're kind of like a canvas that you can use to paint the data you want to see at a glance.
You may think - Ugh. What do I need another dashboard for? But in the world of SecOps, dashboards and other data visualizations provide the ability to view data trends and anomalies which help you spot when something is amiss.
Workbooks have tons of possibilities. You can do everything from simple data presentation to complex graphing and investigative maps. With Workbooks, you can include text, charts, grids and graphs to help visualize the data in the most effective way for you.
Sentinel provides a collection of out-of-the-box workbooks like the ones for Azure AD Sign-in logs or F5 or Palo Alto. You can also create your own. There is a fantastic GitHub repository where people share workbooks, hunting queries and much more.
The real power of Workbooks is the ability to combine data from disparate sources within a single report. This lets you create a Workbook that is exactly what you want it to be. It can be a composite of resource views that gives you richer data and insights than you would normally have out-of-the-box.
Let's take a look at one of the out-of-the-box Workbooks. One of my favorites is the Azure AD Sign-in logs Workbook. You can see that the report lists out Sign-ins by Location, Sign-ins by Device and the number of Sign-ins using Conditional Access.
By looking at the report, we can see that over 1000 people are logging in from India and 56 of those are failures. Maybe this is perfectly normal. But maybe we don't expect anyone to log in from India, so this is something we need to investigate. Other important information might be found in Sign-ins by Device: we see that we have three logins from a Windows 8 machine. Wait a second! We thought we had retired all the Windows 8 machines.
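To show what sits behind tiles like these, here is an added KQL example (not from the original post or from Microsoft's own workbook) that groups Azure AD sign-ins by location and operating system with failure counts, so both the India failures and the Windows 8 machines above would show up as rows. It assumes the SigninLogs table from the Azure AD connector is in your workspace; the 7-day window and the "Windows 8" string check are my own choices.

```kql
// Added example, not the workbook's own query. Assumes the SigninLogs table
// (Azure AD connector). The 7-day window and the Windows 8 check are choices
// made here; adjust them to your environment.
SigninLogs
| where TimeGenerated > ago(7d)
// Operating system lives inside the dynamic DeviceDetail column
| extend OS = tostring(DeviceDetail.operatingSystem)
// ResultType "0" is a successful sign-in; any other value is an error code
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| summarize SignIns = count(),
            Failures = countif(Outcome == "Failure"),
            Users = dcount(UserPrincipalName),
            ConditionalAccessApplied = countif(ConditionalAccessStatus != "notApplied")
    by Location, OS
// Flag sign-ins from an OS we believe we retired (string match is an assumption
// about how the OS name is reported)
| extend RetiredOS = OS contains "Windows 8"
| order by SignIns desc
```

Drop `OS` from the `by` clause to get the per-country view (Sign-ins by Location), or drop `Location` to get the per-device view.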
Workbooks are really just a tool to help you visualize your data. Some can be used reactively - gaining further information on an incident - like the Investigation Insights Workbook. Others can be used proactively to help us shrink our attack surface. The Insecure Protocols Workbook is great for this. It can help you find and remove insecure protocols like NTLMv1, SMBv1, vulnerable Netlogon secure channels on your DCs, weak Kerberos ciphers and more.
I’m sure there’s a workbook out there waiting for you.