Objective
Build a Sentinel workbook that displays 4 key SOC operational metrics. This is the dashboard the SOC lead checks daily and the SOC manager presents weekly.
Required: Sentinel workspace with SecurityIncident data (you need at least 2 weeks of closed incidents for meaningful metrics).
Step 1: Create the workbook
Navigate to: Sentinel → Workbooks → Add workbook → Start with empty workbook
Save the workbook as "SOC Operations Dashboard."
Step 2: Add the time range parameter
Click Add → Add parameters → Add parameter
| Field | Value |
|---|---|
| Parameter name | TimeRange |
| Parameter type | Time range picker |
| Default value | Last 30 days |
This parameter controls the time window for all panels; each panel's query must reference it (rather than a hardcoded ago() window) for the picker to take effect.
Step 3: Panel 1 — Alert volume trend
Click Add → Add query
```kusto
SecurityIncident
| where TimeGenerated {TimeRange}   // the workbook substitutes the TimeRange parameter here
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // one row per incident, not one per update
| summarize IncidentCount = count() by bin(CreatedTime, 1d), Severity   // bin on creation, not last update
| render timechart
```
Visualization: Time chart. Title: "Daily Incident Volume by Severity."
This shows the workload trend. Sudden spikes indicate new attack campaigns or new detection rules generating alerts. A consistent decline indicates effective tuning, but confirm connector health first, since a data source that stopped reporting produces the same curve.
Step 4: Panel 2 — Detection rule performance
Click Add → Add query
```kusto
SecurityIncident
| where TimeGenerated {TimeRange}
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // latest row per incident
| where Status == "Closed"
// alertProductNames names the product that raised the alert; Title usually
// carries the analytics rule name if you want per-rule granularity
| extend RuleName = tostring(parse_json(tostring(AdditionalData)).alertProductNames)
| where isnotempty(RuleName)
| summarize
    AlertCount = count(),
    TP = countif(Classification == "TruePositive"),
    FP = countif(Classification == "FalsePositive"),
    BP = countif(Classification == "BenignPositive")
    by RuleName
| extend FPRate = iff(AlertCount > 0, round(100.0 * FP / AlertCount, 1), 0.0)
| sort by FPRate desc
```
Visualization: Table. Title: "Detection Rule Performance." Rules at the top (highest FP rate) are your priority tuning targets.
Step 5: Panel 3 — SLA compliance
Click Add → Add query
```kusto
SecurityIncident
| where TimeGenerated {TimeRange}
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // latest row per incident
| where Status == "Closed"
// minutes from incident creation to the first analyst touch
| extend TriageMinutes = datetime_diff('minute', FirstModifiedTime, CreatedTime)
| extend SLATarget = case(
    Severity == "High", 15,
    Severity == "Medium", 30,
    Severity == "Low", 240,
    15)   // default for any other severity (e.g. Informational)
| extend SLAMet = TriageMinutes <= SLATarget
| summarize
    Total = count(),
    Met = countif(SLAMet)
    by Severity
| extend Compliance = round(100.0 * Met / Total, 1)
```
Visualization: Bar chart. Title: "SLA Compliance by Severity."
Step 6: Panel 4 — Incident classification
Click Add → Add query
```kusto
SecurityIncident
| where TimeGenerated {TimeRange}
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // latest row per incident
| where Status == "Closed"
| summarize Count = count() by Classification
| render piechart
```
Visualization: Pie chart. Title: "Incident Classification (30 days)."
If "Undetermined" dominates, analysts are closing incidents without classifying them — fix this process issue before trusting SNR metrics.
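To see why Panel 3 and Panel 4 need one row per incident, here is the same SLA and classification arithmetic run offline over constructed SecurityIncident-style rows. This is an added example, not part of the lab or of Sentinel; the rows, timestamps and incident numbers are made up, and incident 2 is closed and then reclassified so it appears twice with Status "Closed".

```python
"""Panel 3 and Panel 4 metrics computed offline from constructed
SecurityIncident-style rows; added example, not part of the lab."""
from datetime import datetime

SLA_TARGET_MINUTES = {"High": 15, "Medium": 30, "Low": 240}
DEFAULT_SLA_MINUTES = 15  # the case() else branch in the Panel 3 query
FIELDS = ("IncidentNumber", "LastModifiedTime", "Status", "Severity",
          "Classification", "CreatedTime", "FirstModifiedTime")

def row(*values):
    """One SecurityIncident-style record; ISO timestamps become datetimes."""
    r = dict(zip(FIELDS, values))
    for k in ("LastModifiedTime", "CreatedTime", "FirstModifiedTime"):
        r[k] = datetime.fromisoformat(r[k])
    return r

# Constructed sample data; incidents 1 and 2 have two rows each (one per update).
ROWS = [
    row(1, "2024-05-01T09:10", "Active", "High", "", "2024-05-01T09:00", "2024-05-01T09:10"),
    row(1, "2024-05-01T11:00", "Closed", "High", "TruePositive", "2024-05-01T09:00", "2024-05-01T09:10"),
    row(2, "2024-05-01T12:00", "Closed", "Medium", "Undetermined", "2024-05-01T10:00", "2024-05-01T10:40"),
    row(2, "2024-05-01T13:00", "Closed", "Medium", "FalsePositive", "2024-05-01T10:00", "2024-05-01T10:40"),
    row(3, "2024-05-02T08:00", "Closed", "Low", "BenignPositive", "2024-05-02T06:00", "2024-05-02T07:40"),
    row(4, "2024-05-02T09:30", "Closed", "High", "TruePositive", "2024-05-02T09:00", "2024-05-02T09:20"),
]

def closed_incidents(rows, dedupe=True):
    """Closed rows; with dedupe, only the latest row per IncidentNumber
    (KQL: summarize arg_max(LastModifiedTime, *) by IncidentNumber)."""
    if dedupe:
        latest = {}
        for r in rows:
            cur = latest.get(r["IncidentNumber"])
            if cur is None or r["LastModifiedTime"] > cur["LastModifiedTime"]:
                latest[r["IncidentNumber"]] = r
        rows = latest.values()
    return [r for r in rows if r["Status"] == "Closed"]

def sla_compliance(rows, dedupe=True):
    """Per-severity (Total, Met, Compliance %) as Panel 3 computes it."""
    tally = {}
    for r in closed_incidents(rows, dedupe):
        triage_minutes = (r["FirstModifiedTime"] - r["CreatedTime"]).total_seconds() / 60
        target = SLA_TARGET_MINUTES.get(r["Severity"], DEFAULT_SLA_MINUTES)
        total, met = tally.get(r["Severity"], (0, 0))
        tally[r["Severity"]] = (total + 1, met + int(triage_minutes <= target))
    return {sev: (t, m, round(100.0 * m / t, 1)) for sev, (t, m) in tally.items()}

def classification_counts(rows, dedupe=True):
    """Panel 4 counts; without dedupe the reclassified incident is counted twice."""
    counts = {}
    for r in closed_incidents(rows, dedupe):
        counts[r["Classification"]] = counts.get(r["Classification"], 0) + 1
    return counts
```

Running `classification_counts(ROWS, dedupe=False)` shows the stale "Undetermined" row surviving alongside the final "FalsePositive", which is exactly the inflation the arg_max step removes.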
Step 7: Save and share
Save the workbook. Pin it to the SOC team's Sentinel favorites. If your team uses a shared display, set this workbook as the default view.
Verification checklist
- [ ] Workbook created with 4 panels
- [ ] Time range parameter controls all panels
- [ ] Alert volume trend shows daily data
- [ ] Detection rule performance table identifies tuning targets
- [ ] SLA compliance shows per-severity percentages
- [ ] Incident classification reveals data quality gaps
- [ ] Workbook saved and shared with SOC team