Forum Discussion
TKDJoe
Apr 10, 2020, Copper Contributor
Azure Sentinel Walk-through Lab Training
I've just begun learning Azure Sentinel, and all the MS Docs and 3rd-party training videos utilize pre-configured materials to *demonstrate* creating alerts which generate incidents, doing hunting scenarios, writing Playbook resolutions, etc. Can anyone recommend a training/tutorial source/vendor for which sample queries, incidents and hunting scenarios are built from scratch using the AAD connector (something many MS customers already have) rather than a foreign connector I do not have, have never used and therefore cannot replicate? I want to actually *do* the scenarios presented, not watch more dog-n-pony shows. Is becoming versed in KQL a *prerequisite* for this? I have no prior knowledge of KQL, and virtually no experience navigating inside the Azure portal itself (ergo the reserved terminology has steepened my learning curve). Thank you.
- GaryBushey, Bronze Contributor
TKDJoe I would also add that there are two books out now for Azure Sentinel:
Microsoft Azure Sentinel: Planning and implementing Microsoft's cloud-native SIEM solution (https://www.amazon.com/Microsoft-Azure-Sentinel-implementing-cloud-native-ebook/dp/B085B6C258/ref=sr_1_1?dchild=1&keywords=azure+sentinel&qid=1586646915&sr=8-1)
and
Learn Azure Sentinel (https://www.amazon.com/Learn-Azure-Sentinel-artificial-intelligence-ebook/dp/B0859C7L1G/ref=sr_1_2?dchild=1&keywords=azure+sentinel&qid=1586646947&sr=8-2)
Full Disclosure: I am a co-author on this one.
- GabrielNecula, Copper Contributor
My general advice is to familiarize yourself with the interface first. Familiarize yourself with what connectors come built into Sentinel that you can take advantage of in the beginning. For everything else you're going to have to do it by hand.
For learning Kusto, there's a good course on Pluralsight. There's also the way of taking pre-built analytics rules and trying to understand Kusto from those, but they are quite complex and it would not be easy. However, Kusto is as simple as it gets. You will find it really easy.
Do not delve into Notebooks just yet as those are quite complex.
Playbooks / Logic Apps are quite intensive to troubleshoot in my small experience, but can help you automate your stuff.