added examples, consolidating table

batamig · batamig · commit 92265b05a1c5 · 2025-02-16T14:36:12.000+02:00
diff --git a/articles/sentinel/resources.md b/articles/sentinel/resources.md
@@ -13,41 +13,32 @@ ms.author: bagol
 
 # Compare workbooks, playbooks, and notebooks
 
-Workbooks, playbooks, and notebooks are key resources in Microsoft Sentinel that help you automate responses, visualize data, and analyze data, respectively. Sometimes it can be challenging to track which type of resource is right for your task.
+Workbooks, playbooks, and notebooks are key resources in Microsoft Sentinel that help you automate responses, visualize data, and analyze data, respectively. Sometimes it can be challenging to track which type of resource is right for your task. This article helps to differentiate between workbooks, playbooks, and notebooks in Microsoft Sentinel.
 
-This article helps to differentiate between workbooks, playbooks, and notebooks in Microsoft Sentinel:
+## Basic differences
 
-- After you connect your data sources to Microsoft Sentinel, visualize and monitor the data using [workbooks in Microsoft Sentinel](monitor-your-data.md). Microsoft Sentinel workbooks are based on [Azure Monitor workbooks](/azure/azure-monitor/visualize/workbooks-overview), and add tables and charts with analytics for your logs and queries to the tools already available in Azure.
-- [Jupyter notebooks in Microsoft Sentinel](notebooks.md) are a powerful tool for security investigations and hunting, providing full programmability with a huge collection of libraries for machine learning, visualization, and data analysis. While many common tasks can be carried out in the portal, Jupyter extends the scope of what you can do with this data.
-- Use [Microsoft Sentinel playbooks](automate-responses-with-playbooks.md) to run preconfigured sets of remediation actions to help automate and orchestrate your threat response.
-
-## Compare by persona
+Basic guidance for when to use each resource includes:
 
-The following table compares Microsoft Sentinel playbooks, workbooks, and notebooks by the user persona:
+- After you connect your data sources to Microsoft Sentinel, visualize and monitor the data using [workbooks in Microsoft Sentinel](monitor-your-data.md). Microsoft Sentinel workbooks are based on [Azure Monitor workbooks](/azure/azure-monitor/visualize/workbooks-overview), and add tables and charts with analytics for your logs and queries to the tools already available in Azure.
 
-|Resource  |Description  |
-|---------|---------|
-|**[Workbooks](monitor-your-data.md)**     |  <ul><li> SOC engineers</li><li>Analysts of all tiers</li></ul>          |
-|**[Notebooks](notebooks.md)**     |  <ul><li>Threat hunters and Tier-2/Tier-3 analysts</li><li>Incident investigators</li><li>Data scientists</li><li>Security researchers</li></ul>        |
-|**[Playbooks](automate-responses-with-playbooks.md)**     |  <ul><li>SOC engineers</li><li>Analysts of all tiers</li></ul>          |
+- [Jupyter notebooks in Microsoft Sentinel](notebooks.md) are a powerful tool for security investigations and hunting, providing full programmability with a huge collection of libraries for machine learning, visualization, and data analysis. While many common tasks can be carried out in the portal, Jupyter extends the scope of what you can do with this data.
 
-## Compare by use
+- Use [Microsoft Sentinel playbooks](automate-responses-with-playbooks.md) to run preconfigured sets of remediation actions to help automate and orchestrate your threat response.
 
-The following table compares Microsoft Sentinel playbooks, workbooks, and notebooks by use case:
+## Compare by persona, use, advantages, and challenges
 
-|Resource  |Description  |
-|---------|---------|
-|**[Playbooks](automate-responses-with-playbooks.md)**     |   Automation of simple, repeatable tasks:<ul><li>Ingesting external data </li><li>Data enrichment with TI, GeoIP lookups, and more </li><li> Investigation </li><li>Remediation </li></ul>       |
-|**[Notebooks](notebooks.md)**     | <ul><li>Querying Microsoft Sentinel data and external data </li><li>Data enrichment with TI, GeoIP lookups, and WhoIs lookups, and more </li><li> Investigation </li><li> Visualization </li><li> Hunting </li><li>Machine learning and big data analytics </li></ul>         |
-|**[Workbooks](monitor-your-data.md)**     | <ul><li>Visualization</li></ul>          |
+The following table compares Microsoft Sentinel playbooks, workbooks, and notebooks by the user persona, use, advantages, and challenges:
 
+|Resource  |Persona  | Use and examples | Advantages  | Challenges |
+|---------|---------|---------|---------|---------|
+|**[Workbooks](monitor-your-data.md)**     |  <ul><li> SOC engineers</li><li>Analysts of all tiers</li></ul>          | <ul><li>Visualize and monitor data. For example, creating interactive reports and dashboards to analyze security data, such as to display trends and patterns in security alerts.</li></ul>          | <ul><li>Best for a high-level view of Microsoft Sentinel data </li><li>No coding knowledge required</li></ul>       | <ul><li>Can't integrate with external data </li></ul>    |
+|**[Notebooks](notebooks.md)**     |  <ul><li>Threat hunters and Tier-2/Tier-3 analysts</li><li>Incident investigators</li><li>Data scientists</li><li>Security researchers</li></ul>        |<ul><li>Perform advanced data analysis and investigations. </li><li>Data enrichment with TI, GeoIP lookups, and WhoIs lookups, and more </li><li> Investigation </li><li> Visualization </li><li> Hunting </li><li>Machine learning and big data analytics </li></ul> For example, analyzing large datasets to identify anomalies or potential threats.         | <ul><li>Best for complex chains of repeatable tasks </li><li>Ad-hoc, more procedural control</li><li>Easier to pivot with interactive functionality </li><li>Rich Python libraries for data manipulation and visualization </li><li>Machine learning and custom analysis </li><li>Easy to document and share analysis evidence </li></ul>        |   <ul><li> High learning curve and requires coding knowledge </li></ul>   |
+|**[Playbooks](automate-responses-with-playbooks.md)**     |  <ul><li>SOC engineers</li><li>Analysts of all tiers</li></ul>          |  Automation of simple, repeatable tasks:<ul><li>Ingesting external data </li><li>Data enrichment with TI, GeoIP lookups, and more </li><li> Investigation </li><li>Remediation </li></ul> For example, running preconfigured remediation actions to automatically isolate a compromised device.      |   <ul><li> Best for single, repeatable tasks </li><li>No coding knowledge required  </li></ul>      |    <ul><li>Not suitable for ad-hoc and complex chains of tasks </li><li>Not ideal for documenting and sharing evidence</li></ul>     | 
 
-## Compare by advantages and challenges
+## Related content
 
-The following table compares the advantages and disadvantages of playbooks, workbooks, and notebooks in Microsoft Sentinel:
+For more information, see:
 
-|Resource  |Advantages  | Challenges |
-|---------|---------|---------|
-|**[Playbooks](automate-responses-with-playbooks.md)**     |   <ul><li> Best for single, repeatable tasks </li><li>No coding knowledge required  </li></ul>      |    <ul><li>Not suitable for ad-hoc and complex chains of tasks </li><li>Not ideal for documenting and sharing evidence</li></ul>     | 
-|**[Notebooks](notebooks.md)**     |    <ul><li>Best for complex chains of repeatable tasks </li><li>Ad-hoc, more procedural control</li><li>Easier to pivot with interactive functionality </li><li>Rich Python libraries for data manipulation and visualization </li><li>Machine learning and custom analysis </li><li>Easy to document and share analysis evidence </li></ul>        |   <ul><li> High learning curve and requires coding knowledge </li></ul>   |
-|**[Workbooks](monitor-your-data.md)**     |   <ul><li>Best for a high-level view of Microsoft Sentinel data </li><li>No coding knowledge required</li></ul>       | <ul><li>Can't integrate with external data </li></ul>    |
+- [Visualize and monitor your data by using workbooks in Microsoft Sentinel](monitor-your-data.md)
+- [Jupyter notebooks with Microsoft Sentinel hunting capabilities](notebooks.md)
+- [Automate threat response with playbooks in Microsoft Sentinel](automation/automate-responses-with-playbooks.md)
