Microsoft Sentinel workbooks versus PowerBI

Introduction

I’m sure anyone who has been using Microsoft Sentinel for any length of time has used the workbooks feature. While this is technically an Azure Monitor feature, we use it with Microsoft Sentinel as well. Workbooks are great but may not work for everyone. Another choice is Microsoft’s PowerBI reporting tool. This blog post will try to lay out the pros and cons of each to help you decide which one to use.

Templates

Both Azure workbooks and PowerBI have templates. I would say that Azure workbooks has the slight advantage here as you have the ability to easily update the version of a template. Plus, you can easily create a personal version from a template which you can then modify (although updating it from the template to a new version will wipe out your changes).

Data Storage

By this, I mean where is the data stored? In Azure workbooks, the data remains in the Log Analytics (LA) workspace. In PowerBI, you have to read the data into PowerBI’s storage. There are pluses and minuses to both of these.

With the data staying in the LA workspace, you don’t have to worry about data sovereignty laws, whereas with PowerBI there is the possibility it leaves the region, as PowerBI stores everything in its “pbix” file.

Ease of accessing data

Azure workbooks use the same Kusto Query Language (KQL) that you use for your analytics rules and other queries. However, you cannot (yet) share tables across different steps in a workbook. This means that if I want one step to show all incidents broken down by severity and another one broken down by status, those are two different queries I would have to write. This could be construed as either a good or a bad thing.

It can be good in that you can write the KQL to be very precise in what you want to return. It may be viewed as a bad thing as there are a lot of different KQL queries to keep track of and, potentially, a lot of duplicated code.

PowerBI takes a different approach. It is recommended that you get all the data you need in as few queries as possible to avoid round trips to the server. This can make for some complex KQL queries (just think of the query to get an incident and its related alerts), not to mention a lot of data being returned at one time. You then do the filtering inside of PowerBI.

This brings up an interesting question for debate. Do you link together all your tables in the KQL query (like SecurityIncident and SecurityAlert) and pass the result back like that, or do you pass back both tables and link them in PowerBI? I am not a data scientist, so I am not sure if there is a “best” answer for this or not. I guess it would depend on what you are planning on doing with the data.

Data Visualization

Workbooks have a somewhat limited listing of the data visualizations you can use, although there are a lot of settings for each one making them very flexible.

PowerBI has a lot more, and it can also load visualizations that are not available out of the box. They have varying numbers of settings as well, so I would say PowerBI wins here. You can even create your own, which is not possible with workbooks.

One point for workbooks (at least IMHO) is that they have Tiles, which PowerBI does not seem to have but which I often want to use. Maybe I’ll see about creating one.

Interactivity

Workbooks have parameters that can have their own queries, giving you a lot of flexibility when creating them. In addition, you can have different steps affect other steps. What I mean is that I can select a single incident out of a list and set up other steps to show information based on that single selection.

The only problem is that configuring this is a manual process. First, in the list step you need to say that you want to expose a variable when an item is selected and then say what data will be in that variable. In the other steps, you have to say to use that variable in the KQL queries being used. While not an overly burdensome process, it can be tedious to set up.

PowerBI, on the other hand, has the exact opposite philosophy. By default, almost any visualization on a page will interact with all the others automatically. You have to specifically tell a visualization to ignore changes in the others if that is the functionality you want.

This makes setting up filters quite easy. You can also easily set up parameters using the data that is stored in the tables.

Report creation

I don’t think anyone that has created an Azure workbook will argue that PowerBI wins this one hands down. It is far easier to drag and drop the visualizations and the data to be used in the visualization than it is to create a workbook.

Relating tables

By this, I mean how easy it is to say that information from one table maps to information in another table (e.g., incidents have alerts). This is probably comparing apples to oranges in that, in a workbook, you have to do the table relationship in the KQL query using join and union commands.

In PowerBI, you can drag the column from one table (e.g., AlertIds in SecurityIncident) to the column in the other table (e.g., SystemAlertId in SecurityAlert) to perform the mapping. As a side note, since AlertIds is an array, you would probably expand it before doing the mapping for it to work correctly. This is the same as doing an mv-expand in a KQL query.
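For the "one query for incidents and their alerts" case described under "Ease of accessing data", and the mv-expand step just mentioned, here is an added example (not from the original post) showing how the two tables are related in KQL. It assumes the standard SecurityIncident and SecurityAlert table schemas in the Log Analytics workspace that Sentinel uses.

```kql
// Added example: return each incident together with its related alerts in one query.
// Assumes the standard Sentinel SecurityIncident and SecurityAlert tables.
SecurityIncident
| where TimeGenerated > ago(7d)
// Incidents are re-written on every update; keep only the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// AlertIds is a JSON array of alert ids; expand it to one row per alert
| mv-expand AlertId = AlertIds to typeof(string)
// leftouter keeps incidents that currently have no alert rows in the window
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    // Alerts are also re-written on update; keep the latest row per alert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, AlertSeverity, ProviderName
) on $left.AlertId == $right.SystemAlertId
| project IncidentNumber, Title, Severity, Status, AlertId, AlertName, AlertSeverity, ProviderName
| order by IncidentNumber asc
```

Passing this single result set to PowerBI avoids a second round trip, whereas passing SecurityIncident (after the mv-expand) and SecurityAlert separately lets you draw the AlertId to SystemAlertId relationship in PowerBI instead.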

Look and feel

This one is more of a personal preference, but I would say PowerBI’s ability to place the visualizations anywhere beats Azure workbooks’ limited ability to place their steps.

Accessing reports

This is another place where Azure workbooks win. The workbooks are part of Microsoft Sentinel! What could be easier than clicking on “Workbooks” in the navigation menu and then selecting the workbook you want?

PowerBI, on the other hand, requires you to go outside the Azure portal to view the data.

Price

Azure workbooks wins this one. All the features and functionality are included with Microsoft Sentinel for free!

PowerBI has 3 different license types. One of them is free, but you are limited in what you can do and you cannot share your reports with others in your company, limiting its usability. The other two licenses allow you to share, and which one fits your company best will depend on your needs. For more information, see “Power BI service features by license type” on Microsoft Docs.

Summary

This blog post was intended to provide some basic pros and cons of workbooks versus PowerBI. It is not intended to say one is better than the other; they each have areas where they really excel, and other features can come down to personal preference.

In some upcoming posts, I will recreate the “Security Operations Efficiency” workbook (more or less) in PowerBI.
