October 2024: This Ninja training has been updated
Introduction to the Sentinel Ninja Training
Microsoft Sentinel, a comprehensive cloud-native security information and event management (SIEM) solution, continues to evolve with new features and functionalities. To help security professionals stay up-to-date, Microsoft offers a Ninja Training program—a structured and in-depth journey into the platform’s capabilities.
This Ninja Training Blog explores the functions and features of Microsoft Sentinel. It’s structured by security roles, allowing you to focus on what’s most relevant to your needs. Alternatively, you can follow the entire blog from start to finish for a complete understanding of Microsoft Sentinel.
Our Unified Security Operations Platform, which brings Microsoft Sentinel into the Defender XDR portal, unifies SIEM and XDR features to improve workflows, expedite incident response, and reduce tool switching.
So, what exactly does this Microsoft Sentinel Ninja Training offer? Here's a breakdown:
1. Guided Experience with Official Documentation
The training kicks off by guiding participants through Microsoft’s extensive Sentinel documentation. This includes setup guides, use case scenarios, and integration tutorials, all aimed at empowering users to maximize their Sentinel deployments. It’s a hands-on approach, helping learners gain a deep understanding of the platform, step by step.
2. Interactive Training Modules
The Ninja training features well-designed, interactive modules that cover key topics such as threat detection, incident response, and automation with Sentinel. These modules provide an immersive experience, often including hands-on labs and real-world examples, allowing participants to sharpen their skills as they progress and to measure them with skill checks.
3. Access to Webinars and Blogs
In addition to formal training, the Ninja program provides access to exclusive webinars and blog posts from Microsoft experts. These resources are continuously updated, offering insights into Microsoft Sentinel’s latest features, security trends, and best practices. This dynamic content helps participants stay ahead of the curve in the ever-changing cybersecurity landscape.
Some guided experiences require access to a Microsoft Sentinel environment; learn here how to activate a free trial.
Complete the modules to get Microsoft Learn achievements!
Table of Contents
Security Operations Fundamentals
Introduction to Microsoft Sentinel
Microsoft Sentinel for Security Architects
Zero Trust
Architecting workspace and tenant
Migrating to Microsoft Sentinel
Data collection
Threat intelligence
Log management
ASIM and normalization
Log transformation
User and Entity Behavior Analytics (UEBA)
Copilot for Security Architects
Microsoft Sentinel for Security Engineers
Threat Intelligence
Watchlists
Creating content with KQL
Analytics
SOAR
Workbooks, reporting, and visualization
SOC Optimization
Microsoft Sentinel for Analysts
Threat detection / analytics rules
Incident response
Investigate incidents
Automate response
Attack Disruptions
KQL for Analysts
Hunt for threats
Threat intelligence
Copilot for Security Analyst in the embedded experience
Security Operations Fundamentals
Introduction to Microsoft Sentinel
Discover how the Unified Security Operations Platform can boost your team’s efficiency by integrating Microsoft Sentinel with Microsoft Defender XDR, which provides extended detection and response (XDR). This integration streamlines operations by consolidating overlapping features, reducing interruptions, and enabling proactive detection and disruption of cyberattacks across both Microsoft and non-Microsoft products. Learn how you can achieve comprehensive protection with the industry’s broadest XDR capabilities and a SIEM that supports multi-cloud environments, business applications, the Internet of Things, operational technology, and various platforms.
- What is Microsoft Sentinel
- What’s new in Microsoft Sentinel
- What's New in Microsoft Sentinel (August, 2024) (61:09 mins)
- Unifying XDR + SIEM: A new era in SecOps (39:55 mins)
- Unifying SIEM & XDR: a new era in SecOps (18:22 mins)
- Unified Security Operations Platform - Technical FAQ!
Microsoft Sentinel for Security Architects
Welcome to the Microsoft Sentinel Training for Security Architects. In this module, you'll learn how to design and implement security solutions using Microsoft Sentinel's cloud-native SIEM capabilities. This training will help you enhance threat detection, automate response, and build resilient security architectures to safeguard your organization.
Zero Trust
- Implement Microsoft Sentinel and Microsoft Defender XDR for Zero Trust
- What’s new: Microsoft Sentinel Zero Trust (TIC 3.0) Solution update - Azure Government
- Zero Trust demo video in Microsoft Sentinel (31:12 mins)
Architecting workspace and tenant
- Design a Log Analytics workspace architecture
- Designing and configuring data access in a workspace
- Manage Microsoft Sentinel content as code from a source control repository
- Deploying and Managing Sentinel as code
- Set up multiple workspaces and tenants in Microsoft Sentinel
- Managing multiple Sentinel workspaces as MSSP - Protecting MSSP intellectual property in Microsoft Sentinel
- The Microsoft Sentinel Technical Playbook for MSSPs provides detailed guidelines for many of these topics, and is also useful for large organizations, not just MSSPs.
- Multi-tenancy in the unified security operations platform experience in Public Preview
| Learning path | Skill check |
|---|---|
| Create and manage Microsoft Sentinel workspaces | Knowledge check |
Migrating to Microsoft Sentinel
- Deploying Microsoft Sentinel side-by-side to an existing SIEM.
- Plan your migration to Microsoft Sentinel
- Use the SIEM migration experience - Microsoft Sentinel
- Track your Microsoft Sentinel migration with a workbook
- Migrate ArcSight detection rules to Microsoft Sentinel
- Migrate Splunk detection rules to Microsoft Sentinel
- Migrate Splunk SOAR automation to Microsoft Sentinel
- Splunk to Microsoft Sentinel Migration Experience (30:40 mins)
Data collection
- Best practices for data collection
- Prioritize your data connectors
- Classifying data with entities
- Microsoft Sentinel data connectors
- Azure Monitor Agent
- Revolutionizing log collection with Azure Monitor Agent
- Overview of Data collection rules (DCRs) in Azure Monitor
- Best practices for DCR creation and management in Azure Monitor
- Connect Microsoft Sentinel to Azure, Windows, and Microsoft services
- Use Azure Functions to connect Microsoft Sentinel to your data source
- Syslog and CEF AMA connectors - Microsoft Sentinel
- CEF via AMA connector - Configure appliances and devices
- Stream and filter Windows DNS logs with the AMA connector
- Use Logstash to stream logs with pipeline transformations via DCR-based API
3rd party integrations
- Microsoft Sentinel data connector gallery
- Resources for creating Microsoft Sentinel custom connectors
- Connect your data source to the Microsoft Sentinel Data Collector API to ingest data
- Codeless Connector Platform: Create Your Data Connector in Microsoft Sentinel (35:04 mins)
- Create Codeless Connectors with the Codeless Connector Builder
- Find your Microsoft Sentinel data connector
Threat intelligence
- Understand threat intelligence - Microsoft Sentinel
- Threat intelligence integration in Microsoft Sentinel
- Enable data connector for Microsoft's threat intelligence - Microsoft Defender Threat Intelligence
- Connect your TIP with upload indicators API - Microsoft Sentinel
- Connect your threat intelligence platform - Microsoft Sentinel
- Connect to STIX/TAXII threat intelligence feeds - Microsoft Sentinel
- Add indicators in bulk to threat intelligence by file - Microsoft Sentinel
| Learning path | Skill check |
|---|---|
| Connect threat indicators to Microsoft Sentinel - Training | Knowledge check - Training |
| Utilize threat intelligence in Microsoft Sentinel - Training | Knowledge check - Training |
Log management
- Roles and permissions recommendations by security role
- Log collection and retention to have a comprehensive security coverage and minimize costs incurred by data ingestion
- Understanding plan costs and Microsoft Sentinel pricing and billing
- Comprehensive coverage and cost-savings with Microsoft Sentinel’s new data tier
- Geographical availability and data residency
- Configure interactive and long-term data retention in Microsoft Sentinel
ASIM and normalization
- Normalization and the Advanced Security Information Model (ASIM)
- Advanced Security Information Model (ASIM) schemas
- Microsoft Sentinel Advanced Security Information Model (ASIM) parsers overview
- Use Advanced Security Information Model (ASIM) parsers
- Develop Microsoft Sentinel Advanced Security Information Model (ASIM) parsers
- Manage Advanced Security Information Model (ASIM) parsers
- Modify content to use the Microsoft Sentinel Advanced Security Information Model (ASIM)
Log transformation
- Transform or customize data at ingestion time in Microsoft Sentinel (preview)
- Ingest time normalization
- Data collection transformations in Azure Monitor
- Transforming Data at Ingestion Time in Microsoft Sentinel (51:22 mins)
- Aggregate Microsoft Sentinel data with summary rules
User and Entity Behavior Analytics (UEBA)
- Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
- Microsoft Sentinel UEBA reference
- Microsoft Sentinel entity types reference
- Anomalies detected by the Microsoft Sentinel machine learning engine
- Enable entity behavior analytics to detect advanced threats
| Learning path | Skill check |
|---|---|
| Identify threats with Behavioral Analytics | Knowledge check |
Copilot for Security Architects
- Integrate Microsoft Sentinel with Copilot for Security
- Integrate Microsoft Sentinel with Copilot for Security in advanced hunting
- Improve your Microsoft Sentinel prompts
- New Defender XDR Copilot for Security Capabilities (23:01 mins)
| Learning path | Skill check |
|---|---|
| Describe Microsoft Copilot for Security - Training | Knowledge check - Training |
Microsoft Sentinel for Security Engineers
Welcome to the Microsoft Sentinel Training for Security Engineers. In this module, you'll learn how to configure, monitor, and manage security using Microsoft Sentinel's cloud-native SIEM. This training will help you enhance threat detection, automate responses, and ensure effective security operations across your environment.
Threat Intelligence
- Understand threat intelligence in Microsoft Sentinel
- Threat intelligence integration in Microsoft Sentinel
- Connect your threat intelligence platform - Microsoft Sentinel
- Use threat indicators in analytics rules - Microsoft Sentinel
- Use matching analytics to detect threats - Microsoft Sentinel
- View MITRE coverage for your organization from Microsoft Sentinel
| Learning path | Skill check |
|---|---|
| Connect threat indicators to Microsoft Sentinel - Training | Knowledge check - Training |
Watchlists
- Watchlists in Microsoft Sentinel - Microsoft Sentinel
- Use Watchlist to Manage Alerts, Reduce Alert Fatigue, and Improve SOC Efficiency (44:27 mins)
| Learning path | Skill check |
|---|---|
| Use watchlists in Microsoft Sentinel - Training (Microsoft Learn) | Knowledge check - Training (Microsoft Learn) |
Creating content with KQL
- Kusto Query Language in Microsoft Sentinel
- Best practices for Kusto Query Language queries - Kusto | Microsoft Learn
- Create custom hunting queries in Microsoft Sentinel - Microsoft Sentinel | Microsoft Learn
- Use bookmarks to keep track of data during hunting
- Use hunting livestream to create interactive sessions
- Jupyter notebooks with Microsoft Sentinel hunting capabilities
| KQL learning path (each module has a skill check) | Modules |
|---|---|
| Analyze monitoring data with Kusto Query Language - Training (Microsoft Learn) | 6 modules |
| Data analysis in Azure Data Explorer with Kusto Query Language - Training (Microsoft Learn) | 7 modules |
| Data analysis with Kusto Query Language - Training (Microsoft Learn) | 4 modules |
Analytics
- Threat detection rules that run regularly, querying the collected data and analyzing it to discover threats.
- Scheduled analytics rules in Microsoft Sentinel
- Quick threat detection with near-real-time (NRT) analytics rules in Microsoft Sentinel
- Use customizable anomalies to detect threats in Microsoft Sentinel
- Advanced multistage attack detection in Microsoft Sentinel
- Create incidents from alerts in Microsoft Sentinel
- Handle ingestion delay in Microsoft Sentinel
- Get fine-tuning recommendations for your analytics rules in Microsoft Sentinel
| Learning path | Guided experience |
|---|---|
| Threat hunting with Microsoft Sentinel - Training (Microsoft Learn) | Exercise - Hunt for threats by using Microsoft Sentinel - Training (Microsoft Learn) |
SOAR
- Automate threat response in Microsoft Sentinel with automation rules | Microsoft Learn
- Create incident tasks in Microsoft Sentinel using automation rules | Microsoft Learn
- Automate threat response with playbooks in Microsoft Sentinel | Microsoft Learn
- Use a Microsoft Sentinel playbook to stop potentially compromised users
- Threat response with Microsoft Sentinel playbooks - Training | Microsoft Learn
- Playbook folder in Microsoft Sentinel GitHub
Workbooks, reporting, and visualization
- Visualize your data using workbooks in Microsoft Sentinel
- Query, visualize, and monitor data in Microsoft Sentinel
- Commonly used Microsoft Sentinel workbooks
| Learning path |
|---|
| Visualize data combined from multiple data sources by using Azure Monitor Workbooks - Training (Microsoft Learn) |
SOC Optimization
- Handle false positives in Microsoft Sentinel
- Threat detection with Microsoft Sentinel analytics
- Optimizing your SOC's threat coverage and data value (20:16 mins)
- Optimizing Your Security Operations: Manage Your Data, Costs and Protections with SOC Optimizations (41:21 mins)
Microsoft Sentinel for Analysts
Welcome to the Microsoft Sentinel Training for Security Analysts. In this module, you'll learn how to use Microsoft Sentinel for monitoring, detecting, and investigating security threats in real-time. This training will help you streamline incident analysis, improve threat hunting, and enhance your organization's security posture through effective use of Sentinel’s tools and capabilities.
Threat detection / analytics rules
- Threat detection in Microsoft Sentinel
- Create scheduled analytics rules from templates in Microsoft Sentinel
- Create scheduled analytics rules in Microsoft Sentinel
- Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel
- Work with anomaly detection analytics rules in Microsoft Sentinel
| Learning path | Skill check |
|---|---|
| Threat detection with Microsoft Sentinel analytics - Training | At the bottom of the relevant pages |
Incident response
- Prioritize incidents in the Microsoft Defender portal - Microsoft Defender XDR
- Incident response in the Microsoft Defender portal - Microsoft Defender XDR
- Manage incidents in Microsoft Defender - Microsoft Defender XDR
| Microsoft Learn | Skill check |
|---|---|
| Security incident management in Microsoft Sentinel - Training | Exercise - Set up the Azure environment - Training |
Investigate incidents
- Navigate and investigate incidents in Microsoft Sentinel
- Investigate and respond with Microsoft Defender XDR - Microsoft Defender XDR
- Alerts, incidents, and correlation in Microsoft Defender XDR - Microsoft Defender XDR
- Cybersecurity Incident Correlation in the Microsoft unified security operations platform
- Entity pages in Microsoft Sentinel
- Customize activities on Microsoft Sentinel entity timelines
- User entity page in the Microsoft Defender portal - Microsoft Defender XDR
- Device entity page in Microsoft Defender - Microsoft Defender XDR
- IP address entity page in Microsoft Defender - Microsoft Defender XDR
- Start an investigation by searching large datasets - Microsoft Sentinel
- Search across long time spans in large datasets - Microsoft Sentinel
- Restore archived logs from search - Microsoft Sentinel
Automate response
- Automation in Microsoft Sentinel
- Use a Microsoft Sentinel playbook to stop potentially compromised users
Attack Disruptions
- Attack Disruption Explained (16:40 mins)
- Specific example: SAP applications security and automatic attack disruption (23:08 mins)
- Automatic attack disruption for SAP
KQL for Analysts
- Kusto Query Language in Microsoft Sentinel
- Best practices for Kusto Query Language queries - Kusto
- KQL quick reference - Kusto
- SQL to Kusto query translation - Kusto
- Advanced KQL Framework Workbook: improve your KQL proficiency by taking a use-case driven approach
- Azure Sentinel correlation rules: Active Lists out; make_list() in, the AAD/AWS correlation example - Microsoft Community Hub
- Azure Sentinel correlation rules: the join KQL operator - Microsoft Community Hub
- Implementing Lookups in Azure Sentinel - Microsoft Community Hub
- Approximate, partial and combined lookups in Azure Sentinel - Microsoft Community Hub
- rod-trent/MustLearnKQL: Code included as part of the MustLearnKQL blog series (github.com)
- https://aka.ms/LADemo
Hunt for threats
- Advanced hunting in Microsoft Defender - Microsoft Defender XDR
- Hunting capabilities in Microsoft Sentinel
- Conduct end-to-end threat hunting with Hunts - Microsoft Sentinel
- Create custom hunting queries in Microsoft Sentinel
- Hunt with bookmarks in Microsoft Sentinel
- Detect threats by using hunting livestream in Microsoft Sentinel
- Jupyter notebooks with Microsoft Sentinel hunting capabilities
- Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel
- Hunt for security threats with Jupyter notebooks - Microsoft Sentinel
- Advanced configurations for Jupyter notebooks and MSTICPy in Microsoft Sentinel
Hunt with KQL
- Kusto Query Language in Microsoft Sentinel
- Best practices for Kusto Query Language queries - Kusto
- KQL quick reference - Kusto
- SQL to Kusto query translation - Kusto
Threat intelligence
Copilot for Security Analyst in the embedded experience
- Investigate Microsoft Sentinel incidents in Copilot for Security
- Security Copilot for SOC analysts - boosting efficiency and expertise in Microsoft Defender XDR (38:37 mins)
- New Defender XDR Copilot for Security Capabilities (23:01 mins)
- Microsoft Copilot in Microsoft Defender - Microsoft Defender XDR
- Describe the embedded experiences of Microsoft Copilot in Microsoft Defender XDR
We sincerely hope you found this content helpful in navigating and prioritizing the vast array of information available on Microsoft Sentinel. We encourage you to suggest new topics and subscribe to this blog for regular updates as we continue to refine and expand our content.