Q: 4
You have an Azure subscription that uses Microsoft Sentinel.
You need to create a custom report that will visualise sign-in information over time.
What should you create first?
Options
Discussion
Why would you pick a hunting query (B) if the requirement is for visualization? Workbooks actually support charts and time-based reporting.
Option A. Saw a similar question in some exam reports; workbook is the way to go for visualizing sign-in events in Sentinel.
A. Workbooks are built for visual reports in Sentinel. Playbooks and notebooks don't really fit here.
C. Notebooks also allow you to visualize and analyze security data, so for custom reports I'd start there.
Option A but only because "visualise" means you need a report, not automation or just raw queries.
A, hunting query (B) is tempting but that's for investigations, not reports.
Probably A, since workbooks in Sentinel are made for visualizing data over time with charts and graphs. C (notebook) is more for code-driven analysis. Some folks mix up workbook and notebook, easy trap.
It's C here I think, since notebooks also let you analyze and visualize security data with more flexibility. You can build custom reports using code if you need to. Not 100% sure, but workbook (A) feels more like dashboards than actual custom reports.
A tbh, Sentinel workbooks are built for this kind of visualization.
B or C, since both can pull log data but I think hunting query (B) is the trap here.