Microsoft Defender for Office 365 Blog

Part 3: Build custom email security reports with Power BI and workbooks in Microsoft Sentinel

dmozes
Feb 02, 2026

TL;DR: We're releasing a brand-new Power BI template for email security reporting and a major update (v3) to the Microsoft Sentinel workbook. Both solutions share the same rich visuals and insights. Choose Power BI for quick deployment without Sentinel, or the Sentinel workbook for extended data retention and multi-tenant scenarios. Get started in minutes with either option.

Introduction

Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations.  While Microsoft Defender for email and collaboration security provides rich, built-in reporting capabilities, many security teams need custom reporting solutions to create dedicated views, combine multiple data sources, and derive deeper insights tailored to their unique requirements.

Earlier last year, in Part 1 and Part 2, we shared examples of how you can use workbooks in Microsoft Sentinel to build a custom email security insights dashboard for Microsoft Defender for email and collaboration security.

Today we are excited to announce a brand-new Power BI template file designed for Microsoft Defender for email and collaboration security customers. Additionally, we've released an updated version of the Microsoft Defender for email and collaboration Detections and Insights workbook within Microsoft Sentinel. Both offerings feature a unified visual design and structure, ensuring a consistent experience no matter which platform you use.

Power BI template file - Microsoft Defender for email and collaboration Detections and Insights:

Microsoft Sentinel workbook - Microsoft Defender for email and collaboration Detections and Insights:

 

New: Power BI template file for Microsoft Defender for email and collaboration Detections and Insights

This custom reporting template file utilizes Power BI and Microsoft Defender Advanced Hunting through the Microsoft Graph security API.

This solution is intended for Microsoft Defender for email and collaboration security users who have access to Advanced Hunting but do not use Microsoft Sentinel. You can view Advanced Hunting data from Microsoft Defender for email and collaboration tables for up to 30 days. The reporting template leverages these same tables to present key insights about your organization's email security, showcasing protection, detection, and response metrics supplied by Microsoft Defender for email and collaboration security.

Note: If data retention beyond 30 days is required, customers can use the Defender for email and collaboration Detections and Insights workbook in Microsoft Sentinel.

You can find the new .pbit template file and detailed instructions on how to set up and use it in the unified Microsoft Sentinel and Microsoft 365 Defender GitHub repository.

This new Power BI template uses the same visuals and structure as the Microsoft Defender Detections and Insights workbook in Microsoft Sentinel, providing an easy way to gain deep email security insights across a wide range of use cases.

Updated: Microsoft Defender for email and collaboration security Detections and Insights workbook in Microsoft Sentinel

We are excited to announce the release of a new version (3) of the Microsoft Defender for email and collaboration security Detections and Insights workbook in Microsoft Sentinel.

The workbook is part of the Microsoft Defender solution in Microsoft Sentinel and can be installed and put to use with a few simple clicks.

In this release, we have integrated feedback from customers collected over the past several months to introduce new visuals, enhance existing ones, and provide insights aimed at strengthening security operations.

What’s New

Here are some notable changes and new capabilities available in the updated workbook template.

  • Improved structure: Headings and grouped insights have been added to tabs for easier navigation and understanding of metrics.
  • Contextual explanations: Each tab, section, and visual now includes descriptions to help users interpret insights effectively.
  • Drill-down capability: A single “Open query link” action allows users to view the underlying KQL query for each visual, enabling quick investigation and hunting by modifying conditions or removing summaries to access raw data.
  • Detection Dashboard tab enhancements: Added an example Effectiveness metric, updated visuals to focus on overall Microsoft Defender for email and collaboration protection values, and introduced new sections for Emerging Threats and Microsoft 365 Secure Email Gateway Performance.
  • New Security Operations Center (SOC) Insights tab: Provides operational metrics such as Security Incident Response, Investigation, and Response Actions for SOC teams.
  • Advanced threat insights: Includes new LLM-based content analysis detections and threat classification insights on the Emails – Phish Detections tab.
  • External forwarding insights: Added deep visibility into Inbox rules and SMTP forwarding in Outlook, including destination details to assess potential data leakage risks.
  • Geo-location improvements: Sender IPv4 insights now include top countries, giving better geographic context for each threat type (Malware, Spam, Phish).
  • Enhanced top attacked users and top senders: Added TotalEmailCount and Bad_Traffic_Percentage for richer context in top attacked users and senders charts.
  • Expanded URL click insights: URL click-based threat detection visuals now include Microsoft 365 Copilot as a workload.
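
An added example (not from the original post, the template, or the workbook) of the data path described for the Power BI template, Advanced Hunting through the Microsoft Graph security API, using the TotalEmailCount and Bad_Traffic_Percentage columns named in the list above. The KQL, the "bad email" definition, the helper names, the volume threshold, and the sample response are assumptions constructed for illustration.

```python
import json

# Graph security API endpoint that runs Advanced Hunting (KQL) queries.
HUNTING_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# Assumption: an email is "bad" when ThreatTypes is non-empty; the workbook's
# own definition of Bad_Traffic_Percentage is not shown on this page.
TOP_ATTACKED_USERS_KQL = """
EmailEvents
| where Timestamp > ago(30d) and EmailDirection == "Inbound"
| summarize TotalEmailCount = count(),
            BadEmailCount = countif(isnotempty(ThreatTypes))
          by RecipientEmailAddress
| extend Bad_Traffic_Percentage = round(100.0 * BadEmailCount / TotalEmailCount, 2)
| top 10 by BadEmailCount desc
"""

def build_hunting_request(kql):
    """Body for POST HUNTING_URL (bearer token needs ThreatHunting.Read.All)."""
    return {"Query": kql.strip()}

def parse_hunting_response(body):
    """Check every row against the returned schema and return the rows."""
    doc = json.loads(body)
    columns = [col["name"] for col in doc["schema"]]
    rows = []
    for raw in doc["results"]:
        missing = [name for name in columns if name not in raw]
        if missing:
            raise ValueError(f"row is missing columns: {missing}")
        rows.append({name: raw[name] for name in columns})
    return rows

def users_above(rows, min_pct, min_total=20):
    """Recipients whose bad-traffic share is high on a meaningful volume."""
    hits = [r for r in rows
            if r["TotalEmailCount"] >= min_total
            and r["Bad_Traffic_Percentage"] >= min_pct]
    return sorted(hits, key=lambda r: r["Bad_Traffic_Percentage"], reverse=True)

# Constructed sample response in the API's schema/results shape (not tenant data).
COLS = [("RecipientEmailAddress", "String"), ("TotalEmailCount", "Int64"),
        ("BadEmailCount", "Int64"), ("Bad_Traffic_Percentage", "Double")]
SAMPLE = [("cfo@contoso.example", 400, 120, 30.0),
          ("intern@contoso.example", 4, 3, 75.0),
          ("hr@contoso.example", 900, 45, 5.0)]
SAMPLE_RESPONSE = json.dumps({
    "schema": [{"name": n, "type": t} for n, t in COLS],
    "results": [dict(zip((n for n, _ in COLS), row)) for row in SAMPLE]})
```

Reading the percentage next to TotalEmailCount keeps a low-volume mailbox (4 emails, 75% bad in the sample) from outranking a heavily targeted one.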

How to use the workbook across multiple tenants

If you manage multiple environments with Microsoft Sentinel or you are an MSSP (Managed Security Service Provider) working across multiple customer tenants, you can also use the workbook in multi‑tenant scenarios.

Once the required configuration is in place, you can change the Subscription and Workspace parameters in the workbook to be multi-select and load data from one or multiple tenants.

This functionality provides comprehensive email security analytics within multi-tenant environments, including:

  • Aggregated multi‑tenant view:
    You can view aggregated insights across tenants in a single workbook view. By multi‑selecting tenants in the Subscription and Workspace parameters, the workbook automatically loads and combines data from all selected environments for all visuals on all tabs.
  • Side-by-side comparison:
    For example, you can compare phishing detection trends or top attacked users across two or more tenants simply by opening the workbook in two browser windows placed side by side.

Note: For the multi-select option to work in the current workbook version, you need to manually adjust the Subscription and Workspace parameters. This configuration is planned to become the default in the next release of the workbook. Until then, you can simply apply this change using the workbook’s Edit mode.

How to get the updated workbook version

The latest version of the Microsoft Defender for email and collaboration Detections and Insights workbook is available as part of the Microsoft Defender solution in the Microsoft Sentinel - Content hub. Version 3.0.13 of the solution has the updated workbook template.

If you already have the Microsoft Defender solution deployed, version 3.0.13 is available now as an update. After you install the update, you will have the new workbook template available to use.

When Microsoft Defender is installed for the first time, the latest version is deployed, and the updated template becomes available for immediate use.

Editing and sharing the workbook

You can customize each visual easily. Simply edit the workbook after saving, then adjust the underlying KQL query, change the type of the visual, or create new insights. 

More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn 

Granting other users access to the workbook is also possible; see Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC on the Microsoft Sentinel Blog.

You can provide direct feedback regarding reporting in Microsoft Defender for email and collaboration by filling out the form: aka.ms/mdoreportingfeedback

More information

 

Do you have questions or feedback about Microsoft Defender for email and collaboration security?

Engage with the community and Microsoft experts in the Defender for Office 365 forum.  

Updated Feb 02, 2026
Version 2.0