Lab 10 Intermediate

Build the SOC Operations Dashboard

Duration: 60-90 minutes. Modules: Module 11

Objective

Build a Sentinel workbook that displays 4 key SOC operational metrics. This is the dashboard the SOC lead checks daily and the SOC manager presents weekly.

Required: Sentinel workspace with SecurityIncident data (you need at least 2 weeks of closed incidents for meaningful metrics).


Step 1: Create the workbook

Navigate to: Sentinel → Workbooks → Add workbook → Start with empty workbook

Save the workbook as “SOC Operations Dashboard.”


Step 2: Add the time range parameter

Click Add → Add parameters → Add parameter

Field             Value
----------------  ------------------
Parameter name    TimeRange
Parameter type    Time range picker
Default value     Last 30 days

This parameter controls the time window for all panels.


Step 3: Panel 1 — Alert volume trend

Click Add → Add query

SecurityIncident
// {TimeRange} expands to the workbook's time range parameter (Step 2), so this panel follows the picker
| where TimeGenerated {TimeRange}
// Every incident update writes a new row with the same IncidentNumber; keep only the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| summarize IncidentCount = count() by bin(CreatedTime, 1d), Severity
| render timechart

Visualization: Time chart. Title: “Daily Incident Volume by Severity.”

This shows the workload trend. Sudden spikes indicate new attack campaigns or new detection rules generating alerts. A steady decline usually indicates effective tuning, but confirm that no data connector has silently stopped ingesting before reading it as good news.


Step 4: Panel 2 — Detection rule performance

Click Add → Add query

SecurityIncident
| where TimeGenerated {TimeRange}
| where Status == "Closed"
// One row per incident: take the latest update (the closing row)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// The incident Title defaults to the analytics rule name. AdditionalData.alertProductNames holds the
// alert product (e.g. the Sentinel product name), not the rule. Rules with customised dynamic titles
// need a join to SecurityAlert via AlertIds instead.
| extend RuleName = Title
| where isnotempty(RuleName)
| summarize
    AlertCount = count(),
    TP = countif(Classification == "TruePositive"),
    FP = countif(Classification == "FalsePositive"),
    BP = countif(Classification == "BenignPositive")
    by RuleName
| extend FPRate = iff(AlertCount > 0, round(100.0 * FP / AlertCount, 1), 0.0)
| sort by FPRate desc

Visualization: Table. Title: “Detection Rule Performance.” Rules at the top (highest FP rate) are your priority tuning targets; weigh the rate against AlertCount, since a 100% FP rate on two incidents matters less than 40% on two hundred.


Step 5: Panel 3 — SLA compliance

Click Add → Add query

SecurityIncident
| where TimeGenerated {TimeRange}
| where Status == "Closed"
// One row per incident: take the latest update (the closing row)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Minutes from incident creation to the first analyst touch
| extend TriageMinutes = datetime_diff('minute', FirstModifiedTime, CreatedTime)
| extend SLATarget = case(
    Severity == "High", 15,
    Severity == "Medium", 30,
    Severity == "Low", 240,
    15)   // any other severity (e.g. Informational) falls back to the High target
| extend SLAMet = TriageMinutes <= SLATarget
| summarize
    Total = count(),
    Met = countif(SLAMet)
    by Severity
| extend Compliance = round(100.0 * Met / Total, 1)

Visualization: Bar chart. Title: “SLA Compliance by Severity.”


Step 6: Panel 4 — Incident classification

Click Add → Add query

SecurityIncident
| where TimeGenerated {TimeRange}
| where Status == "Closed"
// One row per incident, otherwise incidents with several updates are counted more than once
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| summarize Count = count() by Classification
| render piechart

Visualization: Pie chart. Title: “Incident Classification (30 days).”

If “Undetermined” dominates, analysts are closing incidents without classifying them — fix this process issue before trusting SNR metrics.
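The four panel queries above share one pitfall: SecurityIncident stores a new row for every update to an incident, so a plain count() over-counts. The following Python script is an added example, not part of the lab or of Microsoft Sentinel. It recomputes each panel's metric over a constructed set of SecurityIncident-style rows (column names mirror the table, the row values are made up) so you can cross-check what the workbook shows against an export of the table. The SLA targets are the ones from Step 5.

```python
"""Offline cross-check of the four SOC dashboard panels (added example)."""
from collections import Counter
from datetime import datetime


def _t(day, hour, minute=0):
    return datetime(2024, 5, day, hour, minute)


# Constructed sample. As in the real table, every status change writes a new
# row with the same IncidentNumber, so a naive count() over-counts incidents.
COLUMNS = ("IncidentNumber", "TimeGenerated", "Status", "Severity", "Title",
           "Classification", "CreatedTime", "FirstModifiedTime")
SAMPLE_ROWS = [
    (1, _t(1, 9, 0),   "New",    "High",   "Brute-force sign-in", "",               _t(1, 9, 0),  None),
    (1, _t(1, 9, 10),  "Active", "High",   "Brute-force sign-in", "",               _t(1, 9, 0),  _t(1, 9, 10)),
    (1, _t(1, 11, 0),  "Closed", "High",   "Brute-force sign-in", "TruePositive",   _t(1, 9, 0),  _t(1, 9, 10)),
    (2, _t(1, 13, 0),  "New",    "High",   "Brute-force sign-in", "",               _t(1, 13, 0), None),
    (2, _t(1, 13, 40), "Closed", "High",   "Brute-force sign-in", "FalsePositive",  _t(1, 13, 0), _t(1, 13, 40)),
    (3, _t(2, 8, 0),   "New",    "Medium", "Rare process spawn",  "",               _t(2, 8, 0),  None),
    (3, _t(2, 8, 20),  "Closed", "Medium", "Rare process spawn",  "BenignPositive", _t(2, 8, 0),  _t(2, 8, 20)),
    (4, _t(2, 15, 0),  "New",    "Low",    "Rare process spawn",  "",               _t(2, 15, 0), None),
    (4, _t(2, 16, 0),  "Active", "Low",    "Rare process spawn",  "",               _t(2, 15, 0), _t(2, 16, 0)),
    (5, _t(3, 10, 0),  "Closed", "Medium", "Rare process spawn",  "Undetermined",   _t(3, 10, 0), _t(3, 10, 5)),
]
SLA_TARGET_MINUTES = {"High": 15, "Medium": 30, "Low": 240}
DEFAULT_SLA_MINUTES = 15  # the lab's case() fallback for any other severity


def latest_per_incident(rows):
    """Equivalent of `summarize arg_max(TimeGenerated, *) by IncidentNumber`."""
    latest = {}
    for row in rows:
        rec = dict(zip(COLUMNS, row))
        current = latest.get(rec["IncidentNumber"])
        if current is None or rec["TimeGenerated"] > current["TimeGenerated"]:
            latest[rec["IncidentNumber"]] = rec
    return list(latest.values())


def closed(rows):
    """Closed incidents, one record each (the closing row)."""
    return [r for r in latest_per_incident(rows) if r["Status"] == "Closed"]


def daily_volume(rows):
    """Panel 1: incidents per (creation day, severity)."""
    return Counter((r["CreatedTime"].date().isoformat(), r["Severity"])
                   for r in latest_per_incident(rows))


def rule_performance(rows):
    """Panel 2: per rule (incident Title) counts and false-positive rate, worst first."""
    stats = {}
    bucket = {"TruePositive": "TP", "FalsePositive": "FP", "BenignPositive": "BP"}
    for r in closed(rows):
        s = stats.setdefault(r["Title"], {"AlertCount": 0, "TP": 0, "FP": 0, "BP": 0})
        s["AlertCount"] += 1
        if r["Classification"] in bucket:
            s[bucket[r["Classification"]]] += 1
    for s in stats.values():
        s["FPRate"] = round(100.0 * s["FP"] / s["AlertCount"], 1) if s["AlertCount"] else 0.0
    return dict(sorted(stats.items(), key=lambda kv: kv[1]["FPRate"], reverse=True))


def sla_compliance(rows):
    """Panel 3: percentage of closed incidents triaged within the severity's target."""
    total, met = Counter(), Counter()
    for r in closed(rows):
        triage_minutes = (r["FirstModifiedTime"] - r["CreatedTime"]).total_seconds() / 60
        target = SLA_TARGET_MINUTES.get(r["Severity"], DEFAULT_SLA_MINUTES)
        total[r["Severity"]] += 1
        if triage_minutes <= target:
            met[r["Severity"]] += 1
    return {sev: round(100.0 * met[sev] / total[sev], 1) for sev in total}


def classification_split(rows):
    """Panel 4: closed incidents by Classification (watch for a large Undetermined slice)."""
    return Counter(r["Classification"] for r in closed(rows))


if __name__ == "__main__":
    print("Raw rows:", len(SAMPLE_ROWS), "distinct incidents:", len(latest_per_incident(SAMPLE_ROWS)))
    print("Panel 1:", dict(daily_volume(SAMPLE_ROWS)))
    print("Panel 2:", rule_performance(SAMPLE_ROWS))
    print("Panel 3:", sla_compliance(SAMPLE_ROWS))
    print("Panel 4:", dict(classification_split(SAMPLE_ROWS)))
```

On the sample, ten raw rows collapse to five incidents; the brute-force rule comes out at a 50% FP rate and High-severity SLA compliance at 50%, because incident 2 was first touched 40 minutes after creation. If the workbook reports noticeably different figures for the same window, the dedup step is the first thing to check in the panel query.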


Step 7: Save and share

Save the workbook. Pin it to the SOC team’s Sentinel favourites. If your team uses a shared display, set this workbook as the default view.


Verification checklist