Microsoft Sentinel, a comprehensive cloud-native security information and event management (SIEM) solution, continues to evolve with new features and functionalities. To help security professionals stay up-to-date, Microsoft offers a Ninja Training program—a structured and in-depth journey into the platform’s capabilities.
October 2025: This Ninja training has been updated with the links to complete the knowledge check and claim your certificate.
Introduction to the Sentinel Ninja Training
This Ninja Training Blog explores the functions and features of Microsoft Sentinel. It’s structured by security roles, allowing you to focus on what’s most relevant to your needs. Alternatively, you can follow the entire blog from start to finish for a complete understanding of Microsoft Sentinel.
Our unified security operations platform, which brings Microsoft Sentinel into the Defender XDR portal, unifies SIEM and XDR features to improve workflows, expedite incident response, and reduce tool switching.
So, what exactly does this Microsoft Sentinel Ninja Training offer? Here's a breakdown:
1. Guided Experience with Official Documentation
The training kicks off by guiding participants through Microsoft’s extensive Sentinel documentation. This includes setup guides, use case scenarios, and integration tutorials, all aimed at empowering users to maximize their Sentinel deployments. It’s a hands-on approach, helping learners gain a deep understanding of the platform, step by step.
2. Interactive Training Modules
The Ninja training features well-designed, interactive modules that cover key topics such as threat detection, incident response, and automation with Sentinel. These modules provide an immersive experience, often including hands-on labs and real-world examples, allowing participants to sharpen their skills as they progress and to measure them with skill checks.
3. Access to Webinars and Blogs
In addition to formal training, the Ninja program provides access to exclusive webinars and blog posts from Microsoft experts. These resources are continuously updated, offering insights into Microsoft Sentinel’s latest features, security trends, and best practices. This dynamic content helps participants stay ahead of the curve in the ever-changing cybersecurity landscape.
Some guided experiences require access to a Microsoft Sentinel environment; learn here how to activate a free trial.
Complete the modules to get Microsoft Learn achievements!
Think you're a true Sentinel Ninja? Take the knowledge check and find out.
If you pass the knowledge check with a score of 80% or more, you can request a certificate to prove your ninja skills!
- Take the knowledge check here.
- If you score 80% or more in the knowledge check, request your participation certificate here. If you scored less than 80%, review the questions you got wrong, study more, and take the assessment again.
Table of Contents
Security Operations Fundamentals
Introduction to Microsoft Sentinel
Microsoft Sentinel for Security Architects
Zero Trust
Architecting workspace and tenant
Migrating to Microsoft Sentinel
Data collection
Threat intelligence
Log management
ASIM and normalization
Log transformation
User and Entity Behavior Analytics (UEBA)
Copilot for Security Architects
Microsoft Sentinel for Security Engineers
Threat Intelligence
Watchlists
Creating content with KQL
Analytics
SOAR
Workbooks, reporting, and visualization
SOC Optimization
Microsoft Sentinel for Security Analysts
Threat detection / analytics rules
Incident response
Investigate incidents
Automate response
Attack Disruptions
KQL for Analyst
Hunt for threats
Hunt with KQL
Threat intelligence
Copilot for Security Analysts in the embedded experience
Security Operations Fundamentals
Introduction to Microsoft Sentinel in the unified security operations platform
Discover how the unified security operations platform can boost your team’s efficiency by integrating Microsoft Sentinel with Microsoft Defender XDR providing Extended Detection and Response (XDR). This innovation helps streamline operations by consolidating overlapping features, reducing interruptions, and enabling proactive detection and disruption of cyberattacks across both Microsoft and non-Microsoft products. Learn how you can achieve comprehensive protection with the industry’s broadest XDR capabilities and a SIEM that supports multi-cloud environments, business applications, the Internet of Things, operational technology, and various platforms.
- What is Microsoft Sentinel
- new! What is Microsoft's unified security operations platform
- new! What’s new in Microsoft Sentinel
- new! New capabilities coming to Microsoft Sentinel this Spring | Microsoft Community Hub
- new! What's New in Microsoft Sentinel (April, 2025 / 57:35 mins)
- Unified Security Operations Platform - Technical FAQ!
Microsoft Sentinel for Security Architects
Welcome to the Microsoft Sentinel Training for Security Architects. In this module, you'll learn how to design and implement security solutions using Microsoft Sentinel's cloud-native SIEM capabilities. This training will help you enhance threat detection, automate response, and build resilient security architectures to safeguard your organization.
Zero Trust
- Implement Microsoft Sentinel and Microsoft Defender XDR for Zero Trust
- What’s new: Microsoft Sentinel Zero Trust (TIC 3.0) Solution update - Azure Government
Architecting workspace and tenant
- Design a Log Analytics workspace architecture
- new! Enhance resilience by replicating your Log Analytics workspace across regions
- Designing and configuring data access in a workspace
- new! Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR: the Microsoft Defender XDR Unified RBAC model is the default permissions model for new Microsoft Defender for Endpoint and Defender for Identity tenants
- new! Multi-workspace for Multi-tenant is now in Public Preview in Microsoft's Unified SecOps Platform | Microsoft Community Hub
- new! Multi Workspace for Single tenant is now in Public Preview in Microsoft’s unified SecOps platform | Microsoft Community Hub
- new! Microsoft Sentinel Data tiering best practices (20:13 mins)
- new! Set up a table with the Auxiliary plan for low-cost data ingestion and retention in your Log Analytics workspace
- new! Aggregate Microsoft Sentinel data with summary rules
- Managing multiple Sentinel workspaces as MSSP - Protecting MSSP intellectual property in Microsoft Sentinel
- The Microsoft Sentinel Technical Playbook for MSSPs provides detailed guidelines for many of these topics and is also useful for large organizations, not just MSSPs.
| Learning path | Skill check |
| --- | --- |
| Create and manage Microsoft Sentinel workspaces | Knowledge check |
Migrating to Microsoft Sentinel
- Deploying Microsoft Sentinel side by side with an existing SIEM
- Plan your migration to Microsoft Sentinel
- Use the SIEM migration experience - Microsoft Sentinel
- Track your Microsoft Sentinel migration with a workbook
- new! Project Deployment Tracker Workbook
- Migrate ArcSight detection rules to Microsoft Sentinel
- Migrate Splunk detection rules to Microsoft Sentinel
- Migrate Splunk SOAR automation to Microsoft Sentinel
- Splunk to Microsoft Sentinel Migration Experience (30:40 mins)
- new! Latest support enhancements in the Microsoft Sentinel migration experience (24:06 mins)
Data collection
- Best practices for data collection
- Prioritize your data connectors
- Classifying data with entities
- Microsoft Sentinel data connectors
- Azure Monitor Agent
- Revolutionizing log collection with Azure Monitor Agent
- new! Deep Dive: Moving from the Log Analytics Agent to the New Azure Monitor Agent
- Overview of Data collection rules (DCRs) in Azure Monitor
- Best practices for DCR creation and management in Azure Monitor
- Connect Microsoft Sentinel to Azure, Windows, and Microsoft services
- Use Azure Functions to connect Microsoft Sentinel to your data source
- Syslog and CEF AMA connectors - Microsoft Sentinel
- CEF via AMA connector - Configure appliances and devices
- Stream and filter Windows DNS logs with the AMA connector
- Use Logstash to stream logs with pipeline transformations via DCR-based API
3rd party integrations
- Microsoft Sentinel data connector gallery
- Resources for creating Microsoft Sentinel custom connectors
- Connect your data source to the Microsoft Sentinel Data Collector API to ingest data
- Codeless Connector Platform: Create Your Data Connector in Microsoft Sentinel (35:04 mins)
- Create Codeless Connectors with the Codeless Connector Builder
- new! For ISV: Building Microsoft Sentinel Integrations - Part 1: Onboarding
- new! Building Microsoft Sentinel Integrations - Part 2: Creating Data Connectors
- Find your Microsoft Sentinel data connector
Threat intelligence
- Understand threat intelligence - Microsoft Sentinel
- Threat intelligence integration in Microsoft Sentinel
Log management
- Roles and permissions recommendations by security role
- Log collection and retention to have a comprehensive security coverage and minimize costs incurred by data ingestion
- Understanding plan costs and Microsoft Sentinel pricing and billing
- Comprehensive coverage and cost-savings with Microsoft Sentinel’s new data tier
- Geographical availability and data residency
- Configure interactive and long-term data retention in Microsoft Sentinel
ASIM and normalization
- Normalization and the Advanced Security Information Model (ASIM)
- Advanced Security Information Model (ASIM) schemas
- Microsoft Sentinel Advanced Security Information Model (ASIM) parsers overview
- Use Advanced Security Information Model (ASIM) parsers
- Develop Microsoft Sentinel Advanced Security Information Model (ASIM) parsers
- Manage Advanced Security Information Model (ASIM) parsers
- Modify content to use the Microsoft Sentinel Advanced Security Information Model (ASIM)
Log transformation
- Transform or customize data at ingestion time in Microsoft Sentinel (preview)
- Ingest time normalization
- Data collection transformations in Azure Monitor
- Transforming Data at Ingestion Time in Microsoft Sentinel (51:22 mins)
- Aggregate Microsoft Sentinel data with summary rules
User and Entity Behavior Analytics (UEBA)
- Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
- Microsoft Sentinel UEBA reference
- Microsoft Sentinel entity types reference
- Anomalies detected by the Microsoft Sentinel machine learning engine
- Enable entity behavior analytics to detect advanced threats
| Learning path | Skill check |
| --- | --- |
| Identify threats with Behavioral Analytics | Knowledge check |
Copilot for Security Architects
- Integrate Microsoft Sentinel with Copilot for Security
- Integrate Microsoft Sentinel with Copilot for Security in advanced hunting
- Improve your Microsoft Sentinel prompts
- New Defender XDR Copilot for Security Capabilities (23:01 mins)
| Learning path | Skill check |
| --- | --- |
| Describe Microsoft Copilot for Security - Training | Knowledge check - Training |
Microsoft Sentinel for Security Engineers
Welcome to the Microsoft Sentinel Training for Security Engineers. In this module, you'll learn how to configure, monitor, and manage security using Microsoft Sentinel's cloud-native SIEM. This training will help you enhance threat detection, automate responses, and ensure effective security operations across your environment.
new! Data collection
- new! What to do if your Sentinel Data Connector shows as [DEPRECATED] | Microsoft Community Hub
- new! Find the Sentinel content you need using AI search | Microsoft Community Hub & documentation: Discover and deploy Microsoft Sentinel out-of-the-box content from Content hub
Some of the new or updated data connectors that were recently released:
- new! What’s New: Exciting new Microsoft Sentinel Connectors Announcement - Ignite 2024 | Microsoft Community Hub
- new! Ingesting Palo Alto Cortex XDR Logs into Microsoft Sentinel with the Updated CCP Connector | Microsoft Community Hub
- new! Ingesting Akamai Audit Logs into Microsoft Sentinel using Azure Function Apps | Microsoft Community Hub
- new! Automating Azure Resource Diagnostics Log Forwarding Between Tenants with PowerShell | Microsoft Community Hub
- new! Integrating Fluent Bit with Microsoft Sentinel | Microsoft Community Hub
- new! Integrating Radware WAF Logs with Microsoft Sentinel Using Logic Apps | Microsoft Community Hub
- new! Connect Microsoft Sentinel to Amazon Web Services to ingest AWS WAF logs | Microsoft Learn
- new! Go agentless with Microsoft Sentinel Solution for SAP | Microsoft Community Hub & What's new in Microsoft Sentinel | Microsoft Learn
- new! Google Cloud Platform data connectors
- new! VMware Carbon Black Cloud
- new! Okta
- new! Sophos Endpoint Protection
- new! Workday
- new! Unified Microsoft Sentinel solution for Microsoft Business Apps
- new! S3-based data connector for Amazon Web Services WAF logs
- new! Box
- new! Auth0
- new! SentinelOne
- new! Palo Alto Cortex XDR
new! Manage Sentinel-as-Code
- new! Microsoft Sentinel Repositories: Manage Your SIEM Content Like a Pro (56:46 mins)
- new! Deploy Microsoft Sentinel using Bicep | Microsoft Community Hub
- new! Bicep Support in Microsoft Sentinel Repositories | Microsoft Community Hub & Manage custom content with repository connections
- new! Import and export Microsoft Sentinel automation rules
- Deploying and Managing Microsoft Sentinel as Code | Microsoft Community Hub
- Manage Microsoft Sentinel content as code from a source control repository
Threat Intelligence
- Understand threat intelligence in Microsoft Sentinel
- Threat intelligence integration in Microsoft Sentinel
- Connect your threat intelligence platform - Microsoft Sentinel
- Use threat indicators in analytics rules - Microsoft Sentinel
- Use matching analytics to detect threats - Microsoft Sentinel
- View MITRE coverage for your organization from Microsoft Sentinel
- Enable data connector for Microsoft's threat intelligence - Microsoft Defender Threat Intelligence
- Connect your TIP with upload indicators API - Microsoft Sentinel
- new! Import threat intelligence with the upload API - Microsoft Sentinel | Microsoft Learn
- Connect to STIX/TAXII threat intelligence feeds - Microsoft Sentinel
- new! In addition to Indicators of Compromise (IoCs), Microsoft Sentinel now supports Threat Actors, Attack Patterns, Identities, and Relationships: Announcing Public Preview: New STIX Objects in Microsoft Sentinel | Microsoft Community Hub & What's new in Microsoft Sentinel
- new! Introducing Threat Intelligence Ingestion Rules | Microsoft Community Hub & documentation to configure the ingestion rules: Threat intelligence - Microsoft Sentinel | Microsoft Learn
- Add indicators in bulk to threat intelligence by file - Microsoft Sentinel
| Learning path | Skill check |
| --- | --- |
| Connect threat indicators to Microsoft Sentinel - Training | Knowledge check - Training |
Watchlists
- Watchlists in Microsoft Sentinel - Microsoft Sentinel
- Use Watchlist to Manage Alerts, Reduce Alert Fatigue, and Improve SOC Efficiency (44:27 mins)
Creating content with KQL
- Kusto Query Language in Microsoft Sentinel
- Best practices for Kusto Query Language queries - Kusto | Microsoft Learn
- Create custom hunting queries in Microsoft Sentinel - Microsoft Sentinel | Microsoft Learn
- Use bookmarks to keep track of data during hunting
- Use hunting livestream to create interactive sessions
- Jupyter notebooks with Microsoft Sentinel hunting capabilities
| KQL learning path | Source | Modules (each module has a skill check) |
| --- | --- | --- |
| Analyze monitoring data with Kusto Query Language - Training | Microsoft Learn | 6 modules |
| Data analysis in Azure Data Explorer with Kusto Query Language - Training | Microsoft Learn | 7 modules |
| Data analysis with Kusto Query Language - Training | Microsoft Learn | 4 modules |
Analytics
- Threat detection in Microsoft Sentinel
- Scheduled analytics rules in Microsoft Sentinel
- Quick threat detection with near-real-time (NRT) analytics rules in Microsoft Sentinel
- Use customizable anomalies to detect threats in Microsoft Sentinel
- Advanced multistage attack detection in Microsoft Sentinel
- Create incidents from alerts in Microsoft Sentinel
- Handle ingestion delay in Microsoft Sentinel
- Get fine-tuning recommendations for your analytics rules in Microsoft Sentinel
SOAR
- Automate threat response in Microsoft Sentinel with automation rules | Microsoft Learn
- Create incident tasks in Microsoft Sentinel using automation rules | Microsoft Learn
- Automate threat response with playbooks in Microsoft Sentinel | Microsoft Learn
- Use a Microsoft Sentinel playbook to stop potentially compromised users
- Threat response with Microsoft Sentinel playbooks - Training | Microsoft Learn
- Playbook folder in Microsoft Sentinel GitHub
Workbooks, reporting, and visualization
- Visualize your data using workbooks in Microsoft Sentinel
- new! What's New: View Microsoft Sentinel Workbooks Directly from unified SOC operations platform | Microsoft Community Hub
- new! Introducing the Use Cases Mapper workbook | Microsoft Community Hub
- Query, visualize, and monitor data in Microsoft Sentinel
- Commonly used Microsoft Sentinel workbooks
SOC Optimization
- Handle false positives in Microsoft Sentinel
- Threat detection with Microsoft Sentinel analytics
- Optimizing your SOC's threat coverage and data value (20:16 mins)
- Optimizing Your Security Operations: Manage Your Data, Costs and Protections with SOC Optimizations (41:21 mins)
- new! Introducing SOC Optimization Recommendations Based on Similar Organizations | Microsoft Community Hub & SOC optimization reference
- new! SOC optimization updates for unified coverage management & Unified coverage management across SIEM and XDR in SOC optimization | Microsoft Community Hub
Microsoft Sentinel for Security Analysts
Welcome to the Microsoft Sentinel Training for Security Analysts. In this module, you'll learn how to use Microsoft Sentinel for monitoring, detecting, and investigating security threats in real-time. This training will help you streamline incident analysis, improve threat hunting, and enhance your organization's security posture through effective use of Sentinel’s tools and capabilities.
new! Case Management
- new! Manage cases natively in Microsoft's unified SecOps platform - Microsoft's unified security operations platform
- new! Case Management is now Generally Available | Microsoft Community Hub
- new! Improve SecOps collaboration with case management | Microsoft Community Hub
Threat detection / analytics rules
- Threat detection in Microsoft Sentinel
- Create scheduled analytics rules from templates in Microsoft Sentinel
- Create scheduled analytics rules in Microsoft Sentinel
- Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel
- Work with anomaly detection analytics rules in Microsoft Sentinel
- new! How to successfully evaluate the SAP for Sentinel solution and implement it in production (Part 1) | Microsoft Community Hub
- new! How to successfully evaluate the SAP for Sentinel solution and implement it in production (Part 2) | Microsoft Community Hub
| Learning path | Skill check |
| --- | --- |
| Threat detection with Microsoft Sentinel analytics - Training | At the bottom of the relevant pages |
Incident response
- Prioritize incidents in the Microsoft Defender portal - Microsoft Defender XDR
- Incident response in the Microsoft Defender portal - Microsoft Defender XDR
- Manage incidents in Microsoft Defender - Microsoft Defender XDR
Investigate incidents
- Navigate and investigate incidents in Microsoft Sentinel
- Investigate and respond with Microsoft Defender XDR - Microsoft Defender XDR
- Alerts, incidents, and correlation in Microsoft Defender XDR - Microsoft Defender XDR
- Cybersecurity Incident Correlation in the Microsoft unified security operations platform
- Entity pages in Microsoft Sentinel
- Customize activities on Microsoft Sentinel entity timelines
- User entity page in the Microsoft Defender portal - Microsoft Defender XDR
- Device entity page in Microsoft Defender - Microsoft Defender XDR
- IP address entity page in Microsoft Defender - Microsoft Defender XDR
- Start an investigation by searching large datasets - Microsoft Sentinel
- Search across long time spans in large datasets - Microsoft Sentinel
- Restore archived logs from search - Microsoft Sentinel
- new! Attack path on top of the incident graph: Investigate incidents in the Microsoft Defender portal - Microsoft Defender XDR
- new! Introducing the Unified Device Timeline Experience in Microsoft SIEM + XDR | Microsoft Community Hub & What's new in the Microsoft's unified SecOps platform
- new! Leveraging ASIM-based KQL plugins in Microsoft Security Copilot for investigation scenarios | Microsoft Community Hub
Automate response
- Automation in Microsoft Sentinel
- Use a Microsoft Sentinel playbook to stop potentially compromised users
Attack Disruptions
- Attack Disruption Explained (16:40 mins)
- Specific example: SAP applications security and automatic attack disruption (23:08 mins)
- Automatic attack disruption for SAP
- new! AMA (Ask Me Anything) - Automatic Attack Disruption
- new! Attack Disruption: Live Demo
- new! New out-of-the-box automatic attack disruption can contain devices, disable user accounts, or disable malicious OAuth apps: Defending Against OAuth-Based Attacks with Automatic Attack Disruption | Microsoft Community Hub
- new! You can now specify IP addresses, IP ranges, or IP subnets to exclude from automated response in attack disruption: Exclude assets from automated response in attack disruption - Microsoft Defender XDR | Microsoft Learn
KQL for Analyst
- Kusto Query Language in Microsoft Sentinel
- Best practices for Kusto Query Language queries - Kusto
- KQL quick reference - Kusto
- SQL to Kusto query translation - Kusto
- Advanced KQL Framework Workbook: improve your KQL proficiency by taking a use-case driven approach
- Azure Sentinel correlation rules: Active Lists out; make_list() in, the AAD/AWS correlation example - Microsoft Community Hub
- Azure Sentinel correlation rules: the join KQL operator - Microsoft Community Hub
- Implementing Lookups in Azure Sentinel - Microsoft Community Hub
- Approximate, partial and combined lookups in Azure Sentinel - Microsoft Community Hub
- rod-trent/MustLearnKQL: Code included as part of the MustLearnKQL blog series (github.com)
- Log Analytics demo environment for practicing KQL: https://aka.ms/LADemo
- new! Empowering Security Copilot with NL2KQL: Transforming Natural Language into Insightful KQL queries | Microsoft Community Hub
- new! KQL Migrator powered by Microsoft Security Copilot | Microsoft Community Hub
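The query below is an added example, not code from the original page or from any of the posts linked above. It ties together three techniques the links in this section cover: a watchlist lookup with `_GetWatchlist()`, correlation with the `join` operator, and per-entity aggregation with `make_set()`. It assumes a watchlist named HighValueUsers whose SearchKey column holds the user principal name (the watchlist name and column mapping are assumptions), and the standard SigninLogs table from the Microsoft Entra ID connector.

```kusto
// Added example (not from the page). Detect successful sign-ins by high-value
// accounts from more than one country in the lookback window.
// Assumption: a watchlist 'HighValueUsers' exists and its SearchKey is the UPN.
let lookback = 1d;
let vips =
    _GetWatchlist('HighValueUsers')
    | project UserPrincipalName = tolower(SearchKey);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                     // successful sign-ins only
| extend UserPrincipalName = tolower(UserPrincipalName)
// inner join keeps only sign-ins by users present in the watchlist
| join kind=inner vips on UserPrincipalName
| summarize
    SignInCount = count(),
    Countries   = make_set(tostring(LocationDetails.countryOrRegion), 10),
    SourceIPs   = make_set(IPAddress, 20),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by UserPrincipalName
// flag accounts seen from more than one country in the window
| where array_length(Countries) > 1
| project-reorder UserPrincipalName, SignInCount, Countries, SourceIPs, FirstSeen, LastSeen
```

Lowercasing the UPN on both sides before the join avoids silent misses from case differences between the watchlist and the sign-in logs; the `make_set()` size limits keep the result small enough to map straight onto alert custom details in a scheduled analytics rule.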
Hunt for threats
- Advanced hunting in Microsoft Defender - Microsoft Defender XDR
- Hunting capabilities in Microsoft Sentinel
- Conduct end-to-end threat hunting with Hunts - Microsoft Sentinel
- Create custom hunting queries in Microsoft Sentinel
- Hunt with bookmarks in Microsoft Sentinel
- Detect threats by using hunting livestream in Microsoft Sentinel
- Jupyter notebooks with Microsoft Sentinel hunting capabilities
- Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel
- Hunt for security threats with Jupyter notebooks - Microsoft Sentinel
- Advanced configurations for Jupyter notebooks and MSTICPy in Microsoft Sentinel
Hunt with KQL
- Kusto Query Language in Microsoft Sentinel
- Best practices for Kusto Query Language queries - Kusto
- KQL quick reference - Kusto
- SQL to Kusto query translation - Kusto
Threat intelligence
- new! Threat intelligence management interface has moved: What's new in Microsoft Sentinel
- Work with threat indicators - Microsoft Sentinel
- View aggregated data from the Overview
Copilot for Security Analysts (mostly from the embedded experience)
- Investigate Microsoft Sentinel incidents in Copilot for Security
- Security Copilot for SOC analysts - boosting efficiency and expertise in Microsoft Defender XDR (38:37 mins)
- New Defender XDR Copilot for Security Capabilities (23:01 mins)
- Microsoft Copilot in Microsoft Defender - Microsoft Defender XDR
- Describe the embedded experiences of Microsoft Copilot in Microsoft Defender XDR
- new! Summarize identity information with Microsoft Copilot in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn
- new! Microsoft Copilot for Security Skilling Series: Say Hello to Microsoft Copilot for Security (87:54 mins)
- new! Security Copilot: A game changer for modern SOC | Microsoft Community Hub
- new! What’s new in Microsoft Defender XDR at Secure 2025 | Microsoft Community Hub
- new! Microsoft Copilot for Security Skilling Series: Effectively Leveraging Threat Intelligence Skills (73:11 mins)
- new! Monitor User Activities and System Events with Security Copilot and Microsoft Sentinel | Microsoft Community Hub
- new! Microsoft Copilot for Security | Security Copilot AMA (56:11 mins)
We sincerely hope you found this content helpful in navigating and prioritizing the vast array of information available on Microsoft Sentinel. We encourage you to suggest new topics and subscribe to this blog for regular updates as we continue to refine and expand our content.
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.