Defender For Cloud - under the hood: Workbooks
Learn how Defender For Cloud Workbooks help visualise your security posture
Note: This blog is part of a Defender For Cloud "Under the hood" series where we explore the various features, benefits and considerations that come with implementing Defender For Cloud (and other CNAPPs). You don't need any prior experience, just a willingness to learn and develop. I don't quite know when the series will end, but I hope you enjoy it.
What are workbooks?
Azure Workbooks offer a flexible way to analyse data and create interactive reports in the Azure portal. They pull data from multiple Azure sources, combining visualisations, log queries, metrics, and text into unified, dynamic reports.
Under the hood, workbooks use KQL (Kusto Query Language) to query for and present data.
Workbook use cases in Defender for Cloud:
In Microsoft Defender for Cloud, you can use built-in workbooks to track nearly any security metric you can think of, for example:
Security Posture Analysis: Track security recommendations, compliance status, and risk trends across your cloud environment.
Threat Investigation: Visualise security alerts, incidents, and attack patterns to speed up threat hunting and response.
Vulnerability Management: Monitor discovered vulnerabilities, affected resources, and remediation progress in a single view.
Compliance Reporting: Create reports showing regulatory compliance adherence and policy violations for audits.
Incident Impact Assessment: Analyse security incidents, correlate affected assets, and outline mitigation steps.
Console view:
Jumping into the console, Defender for Cloud has its own "Workbooks" tab with pre-built, customisable workbooks to help you analyse security, compliance, and cost data.
Key Workbooks Available:
Coverage Workbook: Track Defender for Cloud plan coverage across subscriptions.
Secure Score Over Time: Monitor secure scores and recommendation changes.
System Updates: Identify missing updates by resource, OS, and severity.
Vulnerability Assessment Findings: Review vulnerability scan results for Azure resources.
Compliance Over Time: Track compliance status against selected standards.
Active Alerts: Analyse active security alerts by severity, type, and MITRE ATT&CK tactics.
Price Estimation: Estimate Defender for Cloud workload protection costs based on resource telemetry.
Governance Workbook: Monitor governance rules and organisational compliance progress.
DevOps Security (Preview): Visualise DevOps security posture for connected environments.
These are known as "Public template" workbooks, meaning anyone has access to them, and they are frequently updated by Microsoft.
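To show the kind of query a workbook like Active Alerts runs behind its charts, here is an added KQL example (written for this post, not taken from the Microsoft workbook itself). It assumes Defender for Cloud alerts are flowing into a Log Analytics workspace via continuous export, so the SecurityAlert table is populated; the column names (AlertSeverity, Tactics, SystemAlertId, Status) follow the SecurityAlert schema as I know it, so confirm them against your own workspace.

```kql
// Active Defender for Cloud alerts from the last 7 days, broken down by
// severity and MITRE ATT&CK tactic. Assumes continuous export to Log Analytics.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"      // Defender for Cloud alerts only
// An alert can be exported more than once as its state changes;
// keep the latest record per alert so counts are not inflated.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where Status !in ("Dismissed", "Resolved")         // "active" = not closed
// Tactics is a comma-separated string; split it so multi-tactic alerts
// are counted once under each tactic.
| mv-expand Tactic = split(Tactics, ",") to typeof(string)
| extend Tactic = trim(" ", Tactic)
| where isnotempty(Tactic)
| summarize ActiveAlerts = count() by AlertSeverity, Tactic
| order by AlertSeverity asc, ActiveAlerts desc
```

Swapping the final `summarize` for a `| render barchart` is what turns the same result set into the visual a workbook displays; the query logic is unchanged.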
Importing new workbooks
The Defender for Cloud GitHub community repository hosts community-created workbooks that can be imported and used as your own, as shown below:
The imported workbook (in this example) gives you a unified view and full visibility of network security and networking resources in Azure:
How it works under the hood:
Workbooks pull data from various Azure Monitor sources, including:
Log Analytics (Kusto queries via KQL)
Azure Metrics (Real-time performance data)
Azure Resource Graph (Resource inventory and resource relationships)
Application Insights (Telemetry for apps)
Azure Data Explorer (For deeper analytics)
When a workbook is opened, it executes queries against these sources based on the parameters, filters, and user inputs.
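Azure Resource Graph is the source most posture workbooks lean on, because it holds the current state of every recommendation without needing continuous export. The following is an added KQL example (mine, not from any Microsoft workbook) against the securityresources table; it assumes the assessment type and property paths (properties.status.code, properties.metadata.severity, properties.displayName) as documented for the microsoft.security/assessments resource type.

```kql
// Resource Graph query: count unhealthy Defender for Cloud recommendations
// per subscription and severity, then list the top offending recommendations.
// Run in Resource Graph Explorer or as a workbook "Azure Resource Graph" step.
securityresources
| where type == "microsoft.security/assessments"
| extend statusCode  = tostring(properties.status.code),           // Healthy / Unhealthy / NotApplicable
         severity    = tostring(properties.metadata.severity),     // High / Medium / Low
         displayName = tostring(properties.displayName),
         resourceId  = tostring(properties.resourceDetails.Id)     // the assessed resource
| where statusCode == "Unhealthy"
// One row per recommendation per affected resource; collapse to a summary.
| summarize UnhealthyResources = dcount(resourceId),
            Findings           = count()
          by subscriptionId, severity, displayName
| order by subscriptionId asc, severity asc, UnhealthyResources desc
```

Note the `assessments` records are per resource, so `dcount(resourceId)` gives the number of affected resources while `count()` gives raw findings; a workbook parameter for subscription or severity would normally be injected as an extra `where` clause before the `summarize`.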
Continuous export:
It's important to mention continuous export, which is a prerequisite for most of the workbooks, including the Secure Score Over Time workbook. That workbook relies on data exported to a Log Analytics workspace to query and visualise your secure score over time. Continuous export setup, use cases and configuration at scale will be covered in another blog in this series.
Building your own workbooks is not covered in this blog post, although it's entirely possible to create your own workbooks using KQL.
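As an illustration of why continuous export matters, here is an added KQL example (my own, not the Secure Score Over Time workbook's query) that only returns data once secure scores are being exported to Log Analytics. It assumes the SecureScores table and its columns (PercentageScore, CurrentScore, MaxScore, SecureScoresSubscriptionId) as created by continuous export; verify the names in your workspace before relying on them.

```kql
// Daily secure score trend per subscription over the last 30 days.
// Requires continuous export of secure scores to Log Analytics; with export
// disabled the SecureScores table does not exist or is empty.
SecureScores
| where TimeGenerated > ago(30d)
// Export can write several snapshots per day; keep the latest per day.
| summarize arg_max(TimeGenerated, PercentageScore, CurrentScore, MaxScore)
          by bin(TimeGenerated, 1d), SecureScoresSubscriptionId
| project Day = bin(TimeGenerated, 1d),
          SubscriptionId = SecureScoresSubscriptionId,
          ScorePercent = round(PercentageScore * 100, 1),
          CurrentScore, MaxScore
| order by SubscriptionId asc, Day asc
// Show the day-over-day change so regressions stand out.
| extend Delta = ScorePercent - prev(ScorePercent)
| extend Delta = iff(SubscriptionId == prev(SubscriptionId), Delta, real(null))
```

The `prev()` call depends on the preceding `order by` (subscription first, then day), which is why the ordering sits before the `extend` rather than at the end of the query.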
Reference:
Learn about KQL - A book by Rod Trent Must Learn KQL
Defender For Cloud GitHub Labs
Defender for Cloud Feature requests
Defender for Cloud in the field show
Defender For Cloud Ninja training
Have blog ideas, want to engage on a topic, or explore collaboration? Let's take it offline: reach out on LinkedIn. I'd love to connect and continue the conversation!