Compare workbooks, playbooks, and notebooks

Workbooks, playbooks, and notebooks are key resources in Microsoft Sentinel that help you visualize data, automate responses, and analyze data, respectively. It can be hard to tell which type of resource is right for a given task.

This article helps to differentiate between workbooks, playbooks, and notebooks in Microsoft Sentinel:

  • After you connect your data sources to Microsoft Sentinel, visualize and monitor the data using workbooks in Microsoft Sentinel. Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and add tables and charts with analytics for your logs and queries to the tools already available in Azure.
  • Jupyter notebooks in Microsoft Sentinel are a powerful tool for security investigations and hunting, providing full programmability with a huge collection of libraries for machine learning, visualization, and data analysis. While many common tasks can be carried out in the portal, Jupyter extends the scope of what you can do with this data.
  • Use Microsoft Sentinel playbooks to run preconfigured sets of remediation actions to help automate and orchestrate your threat response.

Compare by persona

The following table compares Microsoft Sentinel playbooks, workbooks, and notebooks by the user persona:

Workbooks
  • SOC engineers
  • Analysts of all tiers

Notebooks
  • Threat hunters and Tier-2/Tier-3 analysts
  • Incident investigators
  • Data scientists
  • Security researchers

Playbooks
  • SOC engineers
  • Analysts of all tiers

Compare by use

The following table compares Microsoft Sentinel playbooks, workbooks, and notebooks by use case:

Playbooks (automation of simple, repeatable tasks)
  • Ingesting external data
  • Data enrichment with TI, GeoIP lookups, and more
  • Investigation
  • Remediation

Notebooks
  • Querying Microsoft Sentinel data and external data
  • Data enrichment with TI, GeoIP lookups, WhoIs lookups, and more
  • Investigation
  • Visualization
  • Hunting
  • Machine learning and big data analytics

Workbooks
  • Visualization

Compare by advantages and challenges

The following table compares the advantages and disadvantages of playbooks, workbooks, and notebooks in Microsoft Sentinel:

Playbooks
  Advantages:
  • Best for single, repeatable tasks
  • No coding knowledge required
  Challenges:
  • Not suitable for ad-hoc and complex chains of tasks
  • Not ideal for documenting and sharing evidence

Notebooks
  Advantages:
  • Best for complex chains of repeatable tasks
  • Ad-hoc, more procedural control
  • Easier to pivot with interactive functionality
  • Rich Python libraries for data manipulation and visualization
  • Machine learning and custom analysis
  • Easy to document and share analysis evidence
  Challenges:
  • High learning curve and requires coding knowledge

Workbooks
  Advantages:
  • Best for a high-level view of Microsoft Sentinel data
  • No coding knowledge required
  Challenges:
  • Can't integrate with external data