Microsoft Sentinel has evolved beyond a traditional SIEM into a unified, AI-ready security platform that brings data, analytics, intelligence, and automation together. At the core are Microsoft Sentinel data lake and Microsoft Sentinel graph: data lake enables long-term retention and high-scale analytics, and graph adds entity relationships to speed investigations. We have updated skilling to reflect these changes, so defenders can build the right hands-on skills faster.
1. Learn How to Run High-Scale Searches with data lake: Search Jobs in Microsoft Sentinel
Unit: Use Search Jobs in Microsoft Sentinel
What learners will gain
This foundational data lake–aligned unit teaches defenders how to run scheduled and large-scale search jobs across massive volumes of security data. It demonstrates how Sentinel’s decoupled compute and storage architecture enables fast, cost-effective queries over long-term retained logs.
Practical example
Example scenario: Investigating a legacy compromised account
A SOC analyst receives a tip that an identity compromised 18 months ago may still be used for periodic access. With data lake–backed search jobs, they can run a query against multi-year sign-in logs to uncover:
- When the account was last used
- What resources were accessed
- Whether anomalous sign-in patterns (e.g., impossible travel) appear
This type of long-term, high-volume search wasn’t feasible in traditional SIEM architectures.
2. Hunt Using Data Lake–Backed Search Jobs
Unit: Hunt with Search Jobs (Defender Portal tab)
What learners will gain
This unit teaches practitioners how to perform deep, data lake–powered threat hunts using the unified Defender portal. Learners apply KQL across long-term datasets to uncover attacker behaviors that unfold gradually or attempt to evade short retention windows.
Practical example
Example scenario: Detecting low-and-slow lateral movement
A threat actor has accessed an environment but only touches a machine once every few weeks, blending into normal activity.
Using data lake–powered search jobs, a hunter can:
- Query historical RDP or failed login events spanning 12–24 months
- Identify patterns of sporadic connections between key servers
- Highlight dormant periods and anomalies in connection timing
This enables detection of advanced persistent threat (APT) behavior that short-term analytics would miss.
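The low-and-slow hunt above, worked through as a pair of KQL queries added here (not taken from the Learn unit or from Microsoft's own documentation). It assumes Windows security events land in the SecurityEvent table, that a search job accepts only filter and projection operators (so the aggregation runs afterwards on the results table), and that the search job was named RdpLogons, giving a results table RdpLogons_SRCH; the server names are constructed.

```kql
// Step 1: the search job query. Search jobs run over long retention but accept
// a restricted KQL subset (where/extend/project-style operators only), so this
// step just pulls the candidate events for the last 24 months into a results
// table (assumed name: RdpLogons_SRCH). Aggregation happens in step 2.
SecurityEvent
| where EventID == 4624 and LogonType == 10           // successful RDP (RemoteInteractive) logon
| where Computer in~ ("SRV-APP01.contoso.local",     // constructed list of key servers
                      "SRV-DB01.contoso.local",
                      "DC01.contoso.local")
| project TimeGenerated, Computer, Account, IpAddress, WorkstationName

// Step 2: analysis query over the search results. Summarize each
// (account, source, destination) pair and look for activity that is rare,
// spread over a long window, and separated by multi-week gaps.
RdpLogons_SRCH
| summarize Logons     = count(),
            ActiveDays = dcount(bin(TimeGenerated, 1d)),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
    by Account, IpAddress, Computer
| extend SpanDays = datetime_diff('day', LastSeen, FirstSeen)
// average gap between logons; a single logon has no gap, so it inherits the span
| extend AvgGapDays = iff(Logons > 1, todouble(SpanDays) / (Logons - 1), todouble(SpanDays))
// low-and-slow: few logons, long overall span, weeks between touches,
// and each logon on a different day (no bursty admin sessions)
| where Logons between (3 .. 30)
    and SpanDays > 90
    and AvgGapDays > 14
    and ActiveDays == Logons
| order by AvgGapDays desc, SpanDays desc
| project Account, IpAddress, Computer, Logons, SpanDays, AvgGapDays, FirstSeen, LastSeen
```

Pairs surfaced here are hunting leads, not verdicts: compare each against change tickets and the source host's normal role before treating the gaps as attacker dwell time.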
3. Query Logs Across the Analytics & Data Lake Tiers
Unit: Query logs in Microsoft Sentinel
What learners will gain
Learners build skills in querying logs across Sentinel’s analytics and data lake tiers using KQL, gaining understanding of data architecture, table types, and best practices for summarization and visualization.
Practical example
Example scenario: Investigating abnormal OAuth app creation
A detection triggers on suspicious OAuth app usage.
An analyst uses log query skills learned in this module to:
- Query Azure activity logs to identify when the OAuth app was created
- Review audit logs to determine which identity performed the action
- Correlate multi-month activity to check if the app has been used to read mail or exfiltrate data
This real-world workflow aligns directly with how data lake and analytics-tier logs work together.
4. Investigate Incidents with Graph-Enhanced Context
Unit: Investigate incidents
What learners will gain
This unit introduces the Incident Graph, powered by Microsoft Sentinel graph, which visually maps relationships across entities and alerts to accelerate investigations.
Practical example
Example scenario: Email compromise spreading to device malware
A SOC analyst is reviewing an incident where:
- A user clicked a phishing email
- The user’s device later showed anomalous registry changes
- Lateral movement signals appeared two days later
With graph-powered investigation, the analyst can see all signals connected as a single attack chain, enabling them to quickly determine:
- Where the attack originated
- Which devices and identities were affected
- How the attacker moved laterally
- Whether privilege escalation occurred
Graph compresses hours of manual correlation into minutes.
5. Explore Advanced Hunting with Graph Intelligence
Unit: Explore Advanced Hunting
What learners will gain
This unit shows how graph-enhanced Advanced Hunting queries unlock richer insights by enabling entity-aware pivoting across identity, endpoint, SaaS, and cloud signals.
Practical example
Example scenario: Identifying a compromised identity via graph pivots
A hunter suspects a specific user account has been compromised. Using graph-powered hunting, they can:
- Query for all devices the user has logged into
- View all alerts connected to those devices
- Pivot into cloud app activity associated with the user
- Visualize relationships between the user, devices, and resources
This exposes an attack path that would otherwise require multiple disconnected queries.
Why These New Units Matter
These updated units get defenders ready for modern security operations: data lake enables high-scale, long-term analytics for multi-year investigations, while graph adds context to reveal attack chains faster. Together, they provide the unified data and structured relationships that Security Copilot relies on.
Start Learning Today
Microsoft Sentinel is moving quickly—make sure your SOC skills keep pace. Jump into the refreshed Microsoft Learn units to sharpen investigations with graph intelligence, unlock data lake–powered analytics at scale, and start applying AI-ready techniques immediately.