
Microsoft Sentinel Workbooks

Comprehensive Microsoft Sentinel workbooks for monitoring logon failures, malicious traffic, and security events using threat intelligence and KQL queries.

Microsoft Sentinel
KQL
Azure Log Analytics
Threat Intelligence

Overview

These workbooks provide SOC analysts with real-time visibility into security events across the enterprise environment. Built using KQL queries and integrated with threat intelligence feeds, they enable proactive threat detection and rapid incident response.

Designed for enterprise security monitoring, these dashboards visualize critical security metrics and automate the correlation of security events with known threat indicators.

Workbook Capabilities

Logon Failure Monitoring

  • Failed authentication attempts tracking
  • Brute force attack detection
  • Account lockout monitoring
  • Geographic anomaly detection
  • Time-based pattern analysis

Malicious Traffic Analysis

  • Threat intelligence feed integration
  • Known malicious IP correlation
  • C2 communication detection
  • Data exfiltration indicators
  • Suspicious port activity monitoring

Security Event Correlation

  • Cross-source event correlation
  • Attack chain visualization
  • Incident timeline reconstruction
  • Alert prioritization scoring
  • Automated threat scoring

Visualization & Reporting

  • Interactive dashboards
  • Trend analysis charts
  • Geographic heat maps
  • Executive summary views
  • Exportable reports

Data Sources

  • SecurityEvent: Windows Security Events
  • SigninLogs: Azure AD Sign-ins
  • AzureActivity: Azure Resource Logs
  • ThreatIntelligenceIndicator: Threat Intel Feeds
  • CommonSecurityLog: Firewall/Proxy Logs
  • Syslog: Linux System Logs
  • AzureNetworkAnalytics: NSG Flow Logs
  • OfficeActivity: Microsoft 365 Logs

Featured Map-Based Visualizations

Each workbook transforms raw log data into actionable intelligence with geographic visualization, demonstrating practical applications of KQL for threat detection and auditing.

Malicious Network Flow Geolocation

Maps the geographic origins of network traffic flagged as "MaliciousFlow" in Azure Network Analytics logs. Uses IP geolocation watchlists for enrichment.

Tags: External Threat Visualization, Network Security
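The geolocation step described above, as an added KQL example that is not taken from the project's workbooks. It assumes Traffic Analytics data in the AzureNetworkAnalytics_CL table and a watchlist named "GeoIP" whose rows carry a CIDR range in a column called network plus cityname, countryname, latitude and longitude columns; both the watchlist name and its column names are assumptions.

```kql
// Added example: map the source of flows that Traffic Analytics tagged
// as MaliciousFlow by joining each source IP to a CIDR range in a watchlist.
// Assumed watchlist "GeoIP" with columns: network (CIDR string), cityname,
// countryname, latitude, longitude. Watchlist values arrive as strings, so
// the coordinates are converted to doubles for the map visualization.
let GeoIP = _GetWatchlist("GeoIP")
    | project network, cityname, countryname,
              latitude = todouble(latitude), longitude = todouble(longitude);
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where SubType_s == "FlowLog" and FlowType_s == "MaliciousFlow"
| where isnotempty(SrcIP_s)
// ipv4_lookup matches SrcIP_s against the CIDR ranges in GeoIP.network;
// sources with no matching range are dropped (use return_unmatched=true to keep them).
| evaluate ipv4_lookup(GeoIP, SrcIP_s, network)
| summarize FlowCount = count(),
            Destinations = dcount(DestIP_s),
            LastSeen = max(TimeGenerated)
    by SrcIP_s, countryname, cityname, latitude, longitude
| order by FlowCount desc
```

In a workbook, set the map visualization's latitude and longitude fields to the two coordinate columns and size the markers by FlowCount.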

Azure Resource Creation Activity

Tracks and maps locations from which Azure resources are being created. Analyzes Azure Activity logs to identify anomalous provisioning patterns.

Tags: Cloud Security Auditing, Resource Governance

Azure AD Failed Sign-in Attempts

Visualizes geographic sources of failed Azure AD sign-in attempts. Helps identify potential brute-force attacks and credential abuse patterns.

Tags: Identity Security, Threat Detection

Azure AD Successful Sign-ins

Maps locations of successful Azure AD sign-ins. Useful for understanding legitimate access patterns and establishing baselines for anomaly detection.

Tags: User Behavior Analytics, Access Auditing

VM Authentication Failures Map

Comprehensive visualization of authentication failures across virtual machine infrastructure. Correlates failed login attempts with geographic data for identifying distributed attack patterns.

Tags: Infrastructure Monitoring, Attack Pattern Detection, Distributed Threat Analysis

Use Cases

SOC Operations

  • Real-time security monitoring
  • Incident triage and investigation
  • Threat hunting operations
  • Shift handoff reporting

Management Reporting

  • Security posture assessment
  • Compliance reporting
  • Trend analysis and metrics
  • Risk communication

Core Technologies

  • Azure Log Analytics: Log data aggregation, storage, and querying
  • Kusto Query Language (KQL): Data manipulation, analysis, and extraction
  • Azure AD SigninLogs: Identity and access event data
  • AzureActivity Logs: Resource management events
  • Azure Network Analytics: Network flow data source
  • Azure Watchlists: IP geolocation enrichment and mapping