Create rich, interactive reports of Defender for Cloud data by using workbooks

Azure workbooks are a flexible canvas that you can use to analyze data and create rich, visual reports in the Azure portal. In workbooks, you can access multiple data sources across Azure and combine them into unified, interactive experiences.

Workbooks provide a rich set of capabilities for visualizing your Azure data. For detailed information about each visualization type, see the visualizations examples and documentation.

In Microsoft Defender for Cloud, you can access built-in workbooks to track your organization’s security posture. You can also build custom workbooks to view a wide range of data from Defender for Cloud or other supported data sources.

Screenshot that shows the Secure Score Over Time workbook.

For pricing, see the pricing page.

Prerequisites

Required roles and permissions: To save a workbook, you must have at least Workbook Contributor permissions for the relevant resource group.

Cloud availability: Microsoft Azure operated by 21Vianet

In Defender for Cloud, you can use integrated Azure workbooks functionality to build custom, interactive workbooks that display your security data. Defender for Cloud includes a workbooks gallery that has the following workbooks ready for you to customize:

  • Coverage workbook: Track the coverage of Defender for Cloud plans and extensions across your environments and subscriptions.
  • Secure Score Over Time workbook: Track your subscription scores and changes to recommendations for your resources.
  • System Updates workbook: View missing system updates by resource, OS, severity, and more.
  • Vulnerability Assessment Findings workbook: View the findings of vulnerability scans of your Azure resources.
  • Compliance Over Time workbook: View the status of a subscription's compliance with regulatory standards or industry standards that you select.
  • Active Alerts workbook: View active alerts by severity, type, tag, MITRE ATT&CK tactics, and location.
  • Price Estimation workbook: View monthly, consolidated price estimations for Defender for Cloud plans based on the resource telemetry in your environment. The numbers are estimates that are based on retail prices and don't represent actual billing or invoice data.
  • Governance workbook: Use the governance report in the governance rules settings to track progress of the rules that affect your organization.

Along with built-in workbooks, you can find useful workbooks in the Community category. These workbooks are provided as-is and have no SLA or support. You can choose one of the provided workbooks or create your own workbook.

Screenshot that shows the gallery of built-in workbooks in Microsoft Defender for Cloud.

Tip

To customize any of the workbooks, select the Edit button. When you're done editing, select Save. The changes are saved in a new workbook.

Screenshot that shows how to edit a supplied workbook to customize it for your needs.

Coverage workbook

If you enable Defender for Cloud across multiple subscriptions and environments, you might find it challenging to keep track of which plans are active.

The Coverage workbook helps you keep track of which Defender for Cloud plans are active in which parts of your environments. This workbook can help you ensure that your environments and subscriptions are fully protected. By having access to detailed coverage information, you can identify areas that might need more protection so that you can take action to address those areas.

Screenshot that shows the Coverage workbook, which displays the plans and extensions that are enabled in various subscriptions and environments.

In this workbook, you can select a subscription (or all subscriptions), and then view the following tabs:

  • Additional information: Shows release notes and an explanation of each toggle.
  • Relative coverage: Shows the percentage of subscriptions or connectors that have a specific Defender for Cloud plan enabled.
  • Absolute coverage: Shows each plan's status per subscription.
  • Detailed coverage: Shows additional settings that can be enabled or that must be enabled on relevant plans to get each plan's full value.

You also can select the Azure environment in each or all subscriptions to see which plans and extensions are enabled for the environments.

Secure Score Over Time workbook

The Secure Score Over Time workbook uses secure score data from your Log Analytics workspace. The data must be exported by using the continuous export tool as described in Set up continuous export for Defender for Cloud in the Azure portal.

When you set up continuous export, under Export frequency, select both Streaming updates and Snapshots (Preview).

Screenshot that shows the export frequency options to select for continuous export in the Secure Score Over Time workbook.

Note

Snapshots are exported weekly. There's a delay of at least one week after the first snapshot is exported before you can view data in the workbook.

Tip

To configure continuous export across your organization, use the provided DeployIfNotExist policies in Azure Policy that are described in Set up continuous export at scale.

The Secure Score Over Time workbook has five graphs for the subscriptions that report to the selected workspaces:

  • Score trends for the last week and month: Use this section to monitor the current score and general trends of the scores for your subscriptions.

    Screenshot that shows trends for secure score on the built-in workbook.

  • Aggregated score for all selected subscriptions: Hover your mouse over any point in the trend line to see the aggregated score at any date in the selected time range.

    Screenshot that shows an aggregated score for all selected subscriptions.

  • Recommendations with the most unhealthy resources: This table helps you triage the recommendations that had the most resources that changed to an unhealthy status in the selected period.

    Screenshot that shows recommendations that have the most unhealthy resources.

  • Scores for specific security controls: The security controls in Defender for Cloud are logical groupings of recommendations. This chart shows you at a glance the weekly scores for all your controls.

    Screenshot that shows scores for your security controls over the selected time period.

  • Resources changes: Recommendations that have the most resources that changed state (healthy, unhealthy, or not applicable) during the selected period are listed here. Select any recommendation in the list to open a new table that lists the specific resources.

    Screenshot that shows recommendations that have the most resources that changed health state during the selected period.

System Updates workbook

The System Updates workbook is based on the security recommendation that system updates should be installed on your machines. The workbook helps you identify machines that have updates to apply.

You can view the update status for selected subscriptions by:

  • A list of resources that have outstanding updates to apply.
  • A list of updates that are missing from your resources.

Defender for Cloud's system updates workbook based on the missing updates security recommendation.

Vulnerability Assessment Findings workbook

Defender for Cloud includes vulnerability scanners for your containers in container registries.

Findings for each resource type are reported in separate recommendations:

The Vulnerability Assessment Findings workbook gathers these findings and organizes them by severity, resource type, and category.

Screenshot that shows the Defender for Cloud vulnerability assessment findings report.

Compliance Over Time workbook

Microsoft Defender for Cloud continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. Built-in standards include ISO 27001, PCI DSS 3.2.1, SOC TSP, and more. You can select the specific standards relevant to your organization using the regulatory compliance dashboard. Learn more in Customize the set of standards in your regulatory compliance dashboard.

The Compliance Over Time workbook tracks your compliance status over time by using the various standards that you add to your dashboard.

Screenshot that shows how to select the standards for your Compliance Over Time report.

When you select a standard from the overview area of the report, the lower pane displays a more detailed breakdown:

Screenshot that shows a detailed breakdown of the changes regarding a specific standard.

To view the resources that passed or failed each control, you can keep drilling down, all the way to the recommendation level.

Tip

For each panel of the report, you can export the data to Excel by using the Export to Excel option.

Screenshot that shows how to export compliance workbook data to Excel.

Active Alerts workbook

The Active Alerts workbook displays the active security alerts for your subscriptions on one dashboard. Security alerts are the notifications that Defender for Cloud generates when it detects threats against your resources. Defender for Cloud prioritizes and lists the alerts with the information that you need to quickly investigate and remediate.

This workbook helps you stay aware of and prioritize the active threats in your environment.

Note

Most workbooks use Azure Resource Graph to query data. Some views query a Log Analytics workspace instead; the map view is one example. For those views, continuous export should be enabled and set to export the security alerts to the Log Analytics workspace.

You can view active alerts by severity, resource group, and tag.

Screenshot that shows a sample view of the alerts viewed by severity, resource group, and tag.

You can also view your subscription's top alerts by attacked resources, alert types, and new alerts.

Screenshot that highlights the top alerts for your subscriptions.

To see more details about an alert, select the alert.

Screenshot that shows all high-severity active alerts for a specific resource.

The MITRE ATT&CK tactics tab lists alerts in the order of the kill chain and the number of alerts that the subscription has at each stage.

Screenshot that shows the order of the kill chain and the number of alerts.

You can see all the active alerts in a table and filter by columns.

Screenshot that shows the table of active alerts.

To see details for a specific alert, select the alert in the table, and then select the Open Alert View button.

Screenshot that shows an alert's details and the Open Alert View button.

To see all alerts by location in a map view, select the Map View tab.

Select a location on the map to view all the alerts for that location.

To view the details for an alert, select an alert, and then select the Open Alert View button.

Import workbooks from other workbook galleries

To move workbooks that you build in other Azure services into your Microsoft Defender for Cloud workbook gallery:

  1. Open the workbook that you want to import.

  2. On the toolbar, select Edit.

    Screenshot that shows how to edit a workbook.

  3. On the toolbar, select </> to open the advanced editor.

    Screenshot that shows how to open the advanced editor to copy the gallery template JSON code.

  4. In the workbook gallery template, select all the JSON in the file and copy it.

  5. Open the workbook gallery in Defender for Cloud, and then select New on the menu bar.

  6. Select </> to open the Advanced Editor.

  7. Paste the entire gallery template JSON code.

  8. Select Apply.

  9. On the toolbar, select Save As.

    Screenshot that shows saving the workbook to the gallery in Defender for Cloud.

  10. To save changes to the workbook, enter or select the following information:

    • A name for the workbook.
    • The Azure region to use.
    • Any relevant information about the subscription, resource group, and sharing.

To find the saved workbook, go to the Recently modified workbooks category.
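The following Python sketch is an added example, not part of the original article or of Microsoft's tooling. Before you paste gallery template JSON in steps 4 to 7, it lists every query embedded in the template and the data source each one targets, which is worth reviewing for Community workbooks that are provided as-is. The `query` and `queryType` key names, the codes 0 and 1, and the sample template are assumptions based on the shape of exported templates; the sample is constructed.

```python
import json

# Assumed queryType codes as they appear in exported workbook templates.
QUERY_SOURCES = {0: "Log Analytics", 1: "Azure Resource Graph"}

def find_queries(node, path="$"):
    """Recursively yield (path, source, query) for every embedded query."""
    if isinstance(node, dict):
        query = node.get("query")
        if isinstance(query, str) and query.strip():
            qtype = node.get("queryType")
            yield path, QUERY_SOURCES.get(qtype, f"other ({qtype})"), query
        for key, value in node.items():
            yield from find_queries(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_queries(value, f"{path}[{index}]")

def review_template(text):
    """Parse copied template JSON and summarize what it would query."""
    template = json.loads(text)  # raises ValueError on a truncated copy
    if not isinstance(template, dict) or not isinstance(template.get("items"), list):
        raise ValueError("not a workbook gallery template: no 'items' list")
    queries = list(find_queries(template))
    # Log Analytics queries only return Defender for Cloud data if
    # continuous export is sending that data to the workspace.
    uses_la = any(source == "Log Analytics" for _, source, _ in queries)
    return {"queries": queries, "uses_log_analytics": uses_la}

# Constructed sample template (not taken from any real workbook).
SAMPLE = json.dumps({
    "version": "Notebook/1.0",
    "items": [
        {"type": 1, "content": {"json": "## Alerts overview"}},
        {"type": 3, "content": {"version": "KqlItem/1.0", "queryType": 1,
            "query": "securityresources | where type =~ 'microsoft.security/locations/alerts'"}},
        {"type": 12, "content": {"version": "NotebookGroup/1.0", "items": [
            {"type": 3, "content": {"version": "KqlItem/1.0", "queryType": 0,
                "query": "SecurityAlert | summarize count() by AlertSeverity"}}]}},
    ],
})

if __name__ == "__main__":
    report = review_template(SAMPLE)
    for path, source, query in report["queries"]:
        print(f"{path} [{source}]: {query}")
    print("uses Log Analytics:", report["uses_log_analytics"])
```

A template that reports Log Analytics queries shows empty panels until the relevant data is exported to the workspace, as the note in the Active Alerts section describes.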

This article describes the Defender for Cloud integrated Azure workbooks page that has built-in reports and the option to build your own custom, interactive reports.

Built-in workbooks get their data from Defender for Cloud recommendations.