SOLVED

Azure Sentinel Walk-through Lab Training


I've just begun learning Azure Sentinel; all the MS Docs and 3rd-party training videos utilize pre-configured materials to *demonstrate* creating alerts which generate incidents, doing hunting scenarios, writing Playbook resolutions, etc. Can anyone recommend a training/tutorial source/vendor for which sample queries, incidents and hunting scenarios are built from scratch using the AAD connector (something many MS customers already have) rather than a foreign connector I do not have, have never used and therefore cannot replicate? I want to actually *do* the scenarios presented, not watch more dog-n-pony shows. Is becoming versed in KQL a *prerequisite* for this? I have no prior knowledge of KQL, and virtually no experience navigating inside the Azure portal itself (ergo the reserved terminology has steepened my learning curve). Thank you.

2 Replies
Best Response confirmed by rodtrent (Microsoft)
Solution

@TKDJoe 


My general advice is to familiarize yourself with the interface first. Familiarize yourself with what connectors come built in to Sentinel that you can take advantage of in the beginning. For everything else you're going to have to do it by hand.


For learning Kusto, there's a good course on Pluralsight. There's also the option of taking pre-built analytics rules and trying to understand Kusto from those, but they are quite complex and it would not be easy. However, Kusto is as simple as it gets. You will find it really easy.


Do not delve into Notebooks just yet as those are quite complex.

Playbooks / Logic Apps are quite intensive to troubleshoot in my small experience, but can help you automate your stuff.


@TKDJoe I would also add that there are two books out now for Azure Sentinel: 

Microsoft Azure Sentinel: Planning and implementing Microsoft's cloud-native SIEM solution (https://www.amazon.com/Microsoft-Azure-Sentinel-implementing-cloud-native-ebook/dp/B085B6C258/ref=sr...)

and 

Learn Azure Sentinel (https://www.amazon.com/Learn-Azure-Sentinel-artificial-intelligence-ebook/dp/B0859C7L1G/ref=sr_1_2?d...

Full Disclosure: I am a co-author on this one.