Microsoft Defender for Office 365 Blog

Build custom email security reports and dashboards with workbooks in Microsoft Sentinel

dmozes (Microsoft)
Jan 08, 2025

Security teams in organizations of all sizes track key metrics to make security decisions and to spot meaningful trends. Defender for Office 365 has rich, built-in reporting that provides insight into your security posture and covers most of these needs. Sometimes, however, a security team needs a custom reporting solution: dedicated views, several data sources combined in one place, or additional insight that the built-in reports do not provide.

We previously shared an example of how you can use Power BI with the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard, together with a template that you can customize and extend. In this blog, we show how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365, and we share an example workbook that is now available and can be customized to your organization's needs.

Why use workbooks in Microsoft Sentinel?

If you already use Microsoft Sentinel and already stream the Defender for Office 365 hunting tables into it, workbooks offer several benefits:

  • You can keep the data for longer by configuring a longer retention period for the tables your workbooks use. Advanced hunting in the Defender portal keeps 30 days of data; in Sentinel you can, for example, retain the Defender for Office 365 EmailEvents table for a year and build visuals over that whole period.
  • You can customize the visuals easily to match your organization's needs.
  • You can configure auto-refresh for a workbook so that the data shown stays up to date.
  • You can start from ready-to-use workbook templates and customize them as needed.

Getting started

After you connect your data sources to Microsoft Sentinel, you can visualize and monitor the data with workbooks in Microsoft Sentinel. Make sure the Microsoft Defender XDR solution is installed in your Microsoft Sentinel workspace and its data connector is enabled; with that in place, using Defender for Office 365 data takes only a few steps.

Detection and other Defender for Office 365 insights are already available as raw data in the Microsoft Defender XDR advanced hunting tables:

  • EmailEvents - one row per email message processed by Defender for Office 365, with sender, recipient, verdict and delivery details
  • EmailAttachmentInfo - information about attachments in emails
  • EmailUrlInfo - information about URLs in emails
  • EmailPostDeliveryEvents - Zero-hour auto purge (ZAP) and manual remediation actions taken on messages after delivery
  • UrlClickEvents - Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps
  • CloudAppEvents - activity events from connected apps; for Defender for Office 365 it can be used to visualize user-reported phish emails and admin submissions

The Microsoft Defender XDR solution in Microsoft Sentinel provides a data connector that streams these tables continuously into Microsoft Sentinel. Once the data is there, you can create custom workbooks over it, or use the workbook templates that ship with packaged solutions or as standalone content in the content hub.
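As an added example of combining two of the tables above in one query (this is not code from the original post or from the Microsoft workbook), the following KQL finds messages that were initially delivered and later removed by Zero-hour auto purge, and measures how long each copy sat in a mailbox. It assumes the Microsoft Defender XDR connector is streaming EmailEvents and EmailPostDeliveryEvents into the workspace. The 30-day lookback is an arbitrary choice, and the `has "ZAP"` match on ActionType is used so that the query catches the ZAP action types without hard-coding their exact names.

```kql
// Added example: delivered mail that ZAP later removed, and how long it was exposed.
// Assumes EmailEvents and EmailPostDeliveryEvents are streamed into the Sentinel
// workspace by the Microsoft Defender XDR data connector. Lookback is arbitrary.
let lookback = 30d;
// Messages that passed filtering at delivery time.
let delivered = EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered"
    | project DeliveredAt = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, InitialThreatTypes = ThreatTypes;
// Post-delivery actions. NetworkMessageId plus recipient identifies one copy of a message,
// so the join is on both columns rather than on the message id alone.
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType has "ZAP"
| project PurgedAt = Timestamp, NetworkMessageId, RecipientEmailAddress,
          ActionType, ActionResult, PostDeliveryThreatTypes = ThreatTypes
| join kind=inner delivered on NetworkMessageId, RecipientEmailAddress
// Exposure window: purge time minus delivery time, in minutes.
| extend MinutesInMailbox = datetime_diff("minute", PurgedAt, DeliveredAt)
| summarize
    Messages = count(),
    Recipients = dcount(RecipientEmailAddress),
    MedianMinutesInMailbox = percentile(MinutesInMailbox, 50),
    MaxMinutesInMailbox = max(MinutesInMailbox)
    by Day = bin(DeliveredAt, 1d), ActionType, ActionResult
| order by Day asc
```

In a workbook, replace `ago(lookback)` with the workbook's time range parameter (`| where Timestamp {TimeRange}`, assuming a parameter named TimeRange) and choose the time chart visualization on the Day column; the median and maximum exposure times are the numbers worth watching, since a rising maximum usually means ZAP is failing for a subset of mailboxes (visible in ActionResult).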

How to access the workbook template

We are excited to share a new workbook template for Defender for Office 365 detection and data visualization, which is available in the Microsoft Sentinel Content hub.

The workbook is part of the Microsoft Defender XDR solution. If you already use the solution, update it to the latest version in the content hub to get the workbook. If you are installing the Microsoft Defender XDR solution for the first time, the workbook is included automatically.

Installing or updating the Microsoft Defender XDR solution in content hub

After the Microsoft Defender XDR solution is installed (or updated to the latest available version), navigate to the Workbooks area in Microsoft Sentinel and, on the Templates tab, select Microsoft Defender for Office 365 Detection and Insights. The "View Template" action loads the workbook.

Microsoft Defender for Office 365 Detection and Insights workbook template

What insights are available in the template?

The template has the following sections, each of which deep-dives into one area of email security and provides details and insight for security team members:

  • Detection overview
  • Email - Malware Detections
  • Email - Phish Detections
  • Email - Spam Detections
  • Email - Business Compromise Detections (BEC)
  • Email - Sender Authentication based Detections
  • URL Detections and Clicks
  • Email - Top Users/Senders
  • Email - Detection Overrides
  • False Negative/Positive Submissions
  • File - Malware Detections (SharePoint, Teams and OneDrive)
  • Post Delivery Detections and Admin Actions

Can I customize the workbook?

Yes, absolutely. Any email attribute in the Advanced Hunting schema can drive additional queries and visuals. For example, you can use the DetectionMethods field to analyse detections by capability, such as spoof detection, Safe Attachments, and detection of emails containing URLs extracted from QR codes.
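Here is an added example of the DetectionMethods customization just described (it is not code from the original post or from the Microsoft workbook). DetectionMethods is stored as a JSON string keyed by threat type, with an array of capability names under each key, so the first query flattens it to one row per (threat type, method) pair and counts messages and outcomes for each; the second query tracks one capability over time. It assumes EmailEvents is streamed into the workspace; the method names shown in the comment are illustrative, so use the values your own data contains.

```kql
// Added example: break DetectionMethods out into one row per (threat type, method).
// Assumes EmailEvents is streamed into the workspace. DetectionMethods is a JSON
// string shaped like {"Phish":["Spoof intra-org"],"Malware":["Antimalware engine"]}
// (constructed illustration; the method names in your data may differ).
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(DetectionMethods)
| extend Detections = parse_json(DetectionMethods)
// Expand the threat-type keys first (Phish, Malware, ...), then the methods under each key.
| mv-expand ThreatType = bag_keys(Detections) to typeof(string)
| mv-expand Method = Detections[ThreatType] to typeof(string)
| summarize
    Messages = count(),
    Recipients = dcount(RecipientEmailAddress),
    Blocked = countif(DeliveryAction == "Blocked"),
    Delivered = countif(DeliveryAction == "Delivered")
    by ThreatType, Method
| order by Messages desc

// Second query (run separately): daily trend for one capability, here spoof detection,
// split by what happened to the message. Substitute the method name you want to track.
EmailEvents
| where Timestamp > ago(30d)
| where DetectionMethods has "Spoof"
| summarize Messages = count() by bin(Timestamp, 1d), DeliveryAction
| render timechart
```

The Delivered column in the first query is the one to watch: a capability that detects a threat but still shows a high delivered count usually points at a policy override or an allow entry, which is exactly what the template's "Email - Detection Overrides" section surfaces.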

You can also bring other data sources into Microsoft Sentinel as tables and use them alongside the Defender for Office 365 tables when creating visuals in the workbook.

This sample workbook is a showcase for how you can use the Defender for Office 365 raw detection data to visualize email security detection insights directly in Microsoft Sentinel. It lets organizations create customized dashboards that help them analyse and track their threat landscape and respond quickly, based on their own requirements.

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

Updated Dec 04, 2024
Version 1.0