Become an Azure Sentinel Ninja: The complete level 400 training

Published 04-12-2020 04:05 PM 317K Views

(Last updated April 20th 2021)


In this blog post, I try to walk you through Azure Sentinel level 400 training and help you become an Azure Sentinel master.


Already did the Ninja Training? check what's new.​​​​​





This training program includes 16 modules. The post includes a presentation for each module, preferably recorded (when still not, we are working on the recording) and supporting information: relevant product documentation, blog posts, and other resources.

The modules listed below are split into five groups following the life cycle of a SOC:


Part 1: Overview

- Module 0: Other learning and support options

- Module 1: Get started with Azure Sentinel

- Module 2: How is Azure Sentinel used?


Part 2: Architecting & Deploying

- Module 3: Workspace and tenant architecture

- Module 4: Data collection

- Module 5: Log Management

- Module 6: Enrichment: TI, Watchlists, and more

- Modele X: Migration


Part 3: Creating Content

- Module 7: The Kusto Query Language (KQL)

- Module 8: Analytics

- Module 9: SOAR

- Module 10: Workbooks, reporting, and visualization

- Module Y: Notebooks

- Module 11: Use cases and solutions


Part 4: Operating

- Module 12: A day in a SOC analyst's life, incident management, and investigation

- Module 13: Hunting

- Module 14: User and Entity Behavior Analytics (UEBA) 

- Module 15: Monitoring Azure Sentinel's health


Part 5: Advanced Topics

- Module 16: Extending and Integrating using Azure Sentinel APIs

- Module 17: Bring your own ML


Part 1: Overview


Module 0: Other learning and support options


The Ninja training is a level 400 training. If you don't want to go as deep or have a specific issue, other resources might be more suitable:


Module 1: Get started with Azure Sentinel


Short on time? Watch the Fall Ignite presentation
Already know? The Spring Ignite session focuses on what's new and an how to use demo
Get deeper? Watch the Webinar: MP4YouTube,Presentation


Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response (read more).


If you want to get an initial overview of Azure Sentinel's technical capabilities, the latest Ignite presentation is a good starting point. You might also find the Quick Start Guide to Azure Sentinel useful (requires registration). A more detailed overview, however somewhat dated, can be found in this webinar: MP4YouTube, Presentation.


Lastly, want to try it yourself? The Azure Sentinel All-In-One Accelerator  (blog, Youtube, MP4, deck) presents an easy way to get you started. To learn how to start yourself, review the onboarding documentation, or watch Insight's Sentinel setup and configuration video.


Learn from users

Thousands of organizations and service providers are using Azure Sentinel. As usual with security products, most do not go public about that. Still, there are some.


Learn from Analysts


Module 2: How is Azure Sentinel used?


Short on time? read this presentation


Many users use Azure Sentinel as their primary SIEM. Most of the modules in this course cover this use case. In this module, we present a few additional ways to use Azure Sentinel.


As part of the Microsoft Security stack

Use Sentinel, Azure Defender, Microsoft 365 Defender  in tandem to protect your Microsoft workloads, including Windows, Azure, and Office:


To monitor your multi-cloud workloads

The cloud is (still) new and often not monitored as extensively as on-prem workloads. Read this presentation to learn how Azure Sentinel can help you close the cloud monitoring gap across your clouds.


Side by side with your existing SIEM

Either for a transition period or a longer term, if you are using Azure Sentinel for your cloud workloads, you may be using Azure Sentinel alongside your existing SIEM. You might also be using both with a ticketing system such as Service Now. 


For more information on migrating from another SIEM to Azure Sentinel, watch the migration webinar: MP4YouTubeDeck.


There are three common scenarios for side by side deployment:

You can also send the alerts from Azure Sentinel to your 3rd party SIEM or ticketing system using the Graph Security API, which is simpler but would not enable sending additional data. 



Since it eliminates the setup cost and is location agnostics, Azure Sentinel is a popular choice for providing SIEM as a service. You can find a list of MISA (Microsoft Intelligent Security Association) member MSSPs using Azure Sentinel. Many other MSSPs, especially regional and smaller ones, use Azure Sentinel but are not MISA members.


To start your journey as an MSSP, you should read the Azure Sentinel Technical Playbooks for MSSPs. More information about MSSP support is included in the next Module, cloud architecture, and multi-tenant support.  


Part 2: Architecting & Deploying


While the previous section offers options to start using Azure Sentinel in a matter of minutes, before you start a production deployment, you need to plan. This section walks you through the areas that you need to consider when architecting your solution, as well as provides guidelines on how to implement your design:

  • Workspace and tenant architecture
  • Data collection 
  • Log management
  • Threat Intelligence acquisition


Module 3: Workspace and tenant architecture


Short on time? Watch the Nick Dicoala's Ignite presentation (first 11 Minutes)
Get Deeper? Watch the Webinar: MP4YouTubePresentation


An Azure Sentinel instance is called a workspace. The workspace is the same as a Log Analytics workspace and supports any Log Analytics capability. You can think of Sentinel as a solution that adds SIEM features on top of a Log Analytics workspace.


Multiple workspaces are often necessary and can act together as a single Azure Sentinel system. A special use case is providing service using Azure Sentinel, for example, by an MSSP (Managed Security Service Provider) or by a Global SOC in a large organization. 


To learn more about why use multiple workspaces and use them as one Azure Sentinel system, read Extend Azure Sentinel across workspaces and tenants or, if you prefer, the Webinar version: MP4YouTubePresentation.


There are a few specific areas that require your consideration when using multiple workspaces:



The Azure Setninel Technical Playbook for MSSPs provides detailed guidelines for many of those topics, and is useful also for large organizations, not just to MSSPs.


Module 4: Data collection


Short on time? Watch the Nick Dicoala's Ignite presentation (Mid 11 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4Deck.


The foundation of a SIEM is collecting telemetry: events, alerts, and contextual enrichment information such as Threat Intelligence, vulnerability data, and asset information. You can find a list of sources you can connect here:

  • Documentation of the connectors which are part of the connectors gallery (63 as of this writing).
  • The Grand List of sources you can connect to Azure Sentinel, whether part of the gallery or not (171 as of this writing).


How you connect each source falls into several categories or source types. Each source type has a distinct setup effort but once deployed,  it serves all sources of that type. The Grand List specifies for each source what its type is. To learn more about those categories, watch the Webinar (includes Module 3): YouTube, MP4Deck.


The types are:


  • Built-in service-to-service connectors allow Azure Sentinel to connect directly to cloud services such as Office 365 or AWS CloudTrail. Some of the service-to-service connectors, such as AAD, utilize Azure diagnostics behind the scenes. 


  • Direct refers to sources that natively know how to send data to Azure Sentinel or Log Analytics. These include Azure services or other Microsoft solutions that support sending telemetry (often referred to as "diagnostics") to Log Analytics and 3rd party sources that use the ingestion API to write to Log analytics or Azure Sentinel directly. The Microsoft direct sources are listed in addition to the Grand List and in the blog post "Collecting logs from Microsoft Services and Applications."


  • The Log Forwarder is a VM that enables collecting Syslog and CEF events from remote systems. If a source is listed in the Grand List as CEF or Syslog, you will use the Log Forwarder to collect from it. Learn more about the Log Forwarder in this webinar (plus a bonus: learn how to use it to filter events):  YouTubeMP4Deck.




  • Integrate Threat Intelligence (TI) sources using the built-in connectors from TAXII servers or Microsoft Graph Security API. Read more on how to in the documentation. TI can also be important as a custom log using a custom connector or as a lookup table. You can read more about how TI is used managed in Azure Azure in the TI modules later. 


If your source is not available, you can create a custom connector. Custom connectors use the ingestion API and therefore are similar to direct sources. Custom connectors are most often implemented using Logic Apps, offering a codeless option, or Azure Functions.


Module 5: Log Management


While how many and which workspaces to use is the first architecture question to ask, there are additional log management architectural decisions:

  • Where and how long to retain data.
  • How to best manage access to data and secure it. 




Logs Security


Dedicated cluster


Module 6: Enrichment: TI, Watchlists, and more


One of the important functions of a SIEM is to apply contextual information to the event steam, enabling detection, alert prioritization, and incident investigation. Contextual information includes, for example, threat intelligence, IP intelligence, host and user information, and watchlists.


Azure Sentinel provides comprehensive tools to import, manage, and use threat intelligence. For other types of contextual information, Azure Sentinel provides Watchlists, as well as alternative solutions.

Threat Intelligence


Short on time? watch the Ignite session (28 Minutes)
Get Deeper? Watch the Webinar: YouTubeMP4Presentation


Threat Intelligence is an important building block of a SIEM.


In Azure Sentinel, you can integrate threat intelligence (TI) using the built-in connectors from TAXII servers or through the Microsoft Graph Security API. Read more on how to in the documentation. Refer to the data collection modules for more information about importing Threat Intelligence. 


Once imported, Threat Intelligence is used extensively throughout Azure Sentinel and is weaved into the different modules. The following features focus on using Threat Intelligence:


Watchlists and other lookup mechanisms

To import and manage any type of contextual information, Azure Sentinel provides Watchlists, which enable you to upload data tables in CSV format and use them in your KQL queries. Read more about Watchlists in the documentation
In addition to Watchlists, you can also use the KQL externaldata operator, custom logs, and KQL functions to manage and query context information. Each one of the four methods has its pros and cons, and you can read more about the comparison between those options in the blog post "Implementing Lookups in Azure Sentinel." While each method is different, using the resulting information in your queries is similar enabling easy switching between them.
Read utilize Watchlists to Drive Efficiency During Azure Sentinel Investigations for ideas on using Watchlist outside of analytic rules.

Module X: Migration


Watch the Webinar: YouTubeMP4Presentation


In many (if not most) cases, you already have a SIEM and need to migrate to Azure Sentinel. While it may be a good time to start over and rethink your SIEM implementation, it makes sense to utilize some of the assets you already built in your current implementation. To start watch our webinar describing best practices for converting detection rules from Splunk, QRadar, and ArcSight to Azure Sentinel Rules: YouTubeMP4Presentation, blog.


You might also be interested in some of the resources presented in the blog:


Part 3: Creating Content


What is Azure Sentinel's content?


Azure Sentinel security value is a combination of its built-in capabilities such as UEBA, Machine Learning, or out-of-the-box analytics rules and your capability to create custom capabilities and customize built-in ones. Customized SIEM capabilities are often referred to as "content" and include analytic rules, hunting queries, workbooks, playbooks, and more.


In this section, we grouped the modules that help you learn how to create such content or modify built-in-content to your needs.  We start with KQL, the Lingua Franca of Azure Sentinel. The following modules discuss one of the content building blocks such as rules, playbooks, and workbooks. We wrap up by discussing use cases, which encompass elements of different types to address specific security goals such as threat detection, hunting, or governance. 


Module 7: KQL


Short on time? Start at the beginning and go as far as time allows.


Most Azure Sentinel capabilities use KQL or Kusto Query Language. When you search in your logs, write rules, create hunting queries, or design workbooks, you use KQL.  Note that the next section on writing rules explains how to use KQL in the specific context of SIEM rules.


We suggest you follow this Sentinel KQL journey:

  1. Pluralsight KQL course - the basics
  2. The Azure Sentinel KQL Lab: An interactive lab teaching KQL focusing on what you need for Azure Sentinel:
    1. Learning module (SC-200 part 4)
    2. Deck, Lab URL 
    3. Jupyter Notebooks version contributed by jjsantanna, which let you test the queries within the notebook.
    4. Learning webinar: Youtube, MP4;
    5. Reviewing lab solutions webinar: YouTube, MP4
  3. Pluralsight Advanced KQL course
  4. Optimizing Azure Sentinel KQL queries performance: YouTubeMP4Deck.


You might also find the following reference information useful as you learn KQL:


Module 8: Analytics


Writing Scheduled Analytics Rules


Short on time? watch the Webinar: MP4YouTubePresentation


Azure Sentinel enables you to use built-in rule templates, customize the templates for your environment, or create custom rules. The core of the rules is a KQL query; however, there is much more than that to configure in a rule.


To learn the procedure for creating rules, read the documentation. To learn how to write rules, i.e., what should go into a rule, focusing on KQL for rules, watch the webinar: MP4, YouTube, Presentation.


SIEM rules have specific patterns. Learn how to implement rules and write KQL for those patterns:  


To blog post "Blob and File Storage Investigations" provides a step by step example of writing a useful analytic rule.


Using built-in analytics


Short on time? watch the Machine Learning Webinar: MP4YouTubePresentation


Before embarking on your own rule writing, you should take advantage of the built-in analytics capabilities. Those do not require much from you, but it is worthwhile learning about them:


Module 9: Implementing SOAR


Short on time? watch the Webinar: YouTubeMP4, Deck


In modern SIEMs such as Azure Sentinel, SOAR (Security Orchestration, Automation, and Response) comprises the entire process from the moment an incident is triggered and until it is resolved. This process starts with an incident investigation and continues with an automated response. The blog post "How to use Azure Sentinel for Incident Response, Orchestration and Automation" provides an overview of common use cases for SOAR.


Automation rules are the starting point for Azure Sentinel automation. They provide a lightweight method for central automated handling of incidents, including suppression, false-positive handling, and automatic assignment.


To provide robust workflow based automation capabilities, automation rules use Logic App playbooks:

You can find dozens of useful Playbooks in the Playbooks folder on the Azure Sentinel GitHub, or read "A playbook using a watchlist to Inform a subscription owner about an alert" for a Playbook walkthrough.


While Azure Sentinel is a cloud-native SIEM, its automation capabilities do extend to on-prem environments, either using the Logic Apps on-prem gateway or using Azure Automation as described in "Automatically disable On-prem AD User using a Playbook triggered in Azure"


Module 10: Workbooks, reporting, and visualization


Short on time? Watch the Webinar: YouTubeMP4Deck




As the nerve center of your SOC, you need Azure Sentinel to visualize the information it collects and produces. Use workbooks to visualize data in Azure Sentinel.


Workbooks can be interactive and enable much more than just charting. With Workbooks, you can create apps or extension modules for Azure Sentinel to complement built-in functionality. We also use workbooks to extend the features of Azure Sentinel. Few examples of such apps you can both use and learn from are:

You can find dozens of workbooks in the Workbooks folder in the Azure Sentinel GitHub. Some of those are available in the Azure Sentinel workbooks gallery and some are not. 


Reporting and other visualization options


Workbooks can serve for reporting. For more advanced reporting capabilities such as reports scheduling and distribution or pivot tables, you might want to use:


Module Y: Notebooks


Short on time? watch the short introduction video 
Get Deeper? Watch the Webinar: YouTubeMP4Presentation


Jupyter notebooks are fully integrated with Azure Sentinel. While usually considered an important tool in the hunter's tool chest and discussed the webinars in the hunting section below, their value is much broader. Notebooks can serve for advanced visualization, an investigation guide, and for sophisticated automation.


To understand them better, watch the Introduction to notebooks video. Get started using the Notebooks webinar (YouTubeMP4, Presentation) or by reading the documentation.


An important part of the integration is implemented by MSTICPY, a Python library developed by our research team for use with Jupyter notebooks that adds Azure Sentinel interfaces and sophisticated security capabilities to your notebooks.


Module 11: Use cases and solutions


Short on time? watch the "Tackling Identity" Webinar: YouTubeMP4Deck


Using connectors, rules, playbooks, and workbooks enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. You can deploy Sentinel built-in use cases by activating the suggested rules when connecting each Connector. A solution is a group of use cases addressing a specific threat domain.


The Webinar "Tackling Identity" (YouTubeMP4Presentation) explains what a use case is, how to approach its design, and presents several use cases that collectively address identity threats.


Another very relevant solution area is protecting remote work. Watch our ignite session on protection remote work, and read more on the specific use cases:


And lastly, focusing on recent attacks, learn how to monitor the software supply chain with Azure Sentinel.



Part 4: Operating


Module 12: Handling incidents


Short on time? watch the "day in a life" Webinar: YouTubeMP4Deck


After building your SOC, you need to start using it. The "day in a SOC analyst life" webinar (YouTubeMP4Presentation) walks you through using Azure Sentinel in the SOC to triage, investigate and respond to incidents.


You might also want to read the documentation article on incident investigation. As part of the investigation, you will also use the entity pages to get more information about entities related to your incident or identified as part of your investigation.


Incident investigation in Azure Sentinel extends beyond the core incident investigation functionality. We can build additional investigation tools using Workbooks and Notebooks (the latter are discussed later, under hunting). You can also build additional investigation tools or modify ours to your specific needs. Examples include: 


Module 13: Hunting


Short on time? watch the Webinar: YouTubeMP4Deck
(Note that the Webinar starts with an update on new features, to learn about hunting, start at slide 12. The Youtube link is already set to start there)


While most of the discussion so far focused on detection and incident management, hunting is another important use case for Azure Sentinel. Hunting is a proactive search for threats rather than a reactive response to alerts.


To understand more about what hunting is and how Azure Sentinel supports it, Watch the hunting intro Webinar (YouTubeMP4Deck). Note that the Webinar starts with an update on new features. To learn about hunting, start at slide 12. The Youtube link is already set to start there.


While the intro webinar focuses on tools, hunting is all about security. Our security research team webinar on hunting (MP4YouTubePresentation) focuses on how to actually hunt. The follow-up AWS Threat Hunting using Sentinel Webinar (MP4, YouTube, Presentation) really drives the point by showing an end-to-end hunting scenario on a high-value target environment. Lastly, you can learn how to do SolarWinds Post-Compromise Hunting with Azure Sentinel and WebShell hunting motivated by the latest recent vulnerabilities in on-premises Microsoft Exchange servers.


Module 14: User and Entity Behavior Analytics (UEBA)


Short on time? watch the Webinar: MP4YouTubeDeck


Azure Sentinel newly introduced User and Entity Behavior Analytics (UEBA) module enables you to identify and investigate threats inside your organization and their potential impact - whether a compromised entity or a malicious insider.


Learn more about UEBA in the UEBA Webinar (MP4YouTubeDeck) and read about using UEBA for investigations in your SOC. 


Module 15: Monitoring Azure Sentinel's health


Short on time? watch the videos on monitoring connector
security operations health or workspace audit.


Part of operating a SIEM is making sure it works smoothly and an evolving area in Azure Sentinel. Use the following to monitor Azure Sentinel's health:



Part 5: Advanced Topics


Module 16: Extending and Integrating using Azure Sentinel APIs


Short on time? watch the video (5 minutes)
Get deeper? Watch the Webinar: MP4YouTubePresentation


As a cloud-native SIEM, Azure Sentinel is an API first system. Every feature can be configured and used through an API, enabling easy integration with other systems and extending Sentinel with your own code. If API sounds intimidating to you, don't worry; whatever is available using the API is also available using PowerShell.


To learn more about Azure Sentinel APIs, watch the short introductory video and blog post. To get the details, watch the deep dive Webinar (MP4YouTubePresentation) and read the blog post  Extending Azure Sentinel: APIs, Integration, and management automation.


Module 17: Bring your own ML


Short on time? watch the video


Azure Sentinel provides a great platform for implementing your own Machine Learning algorithms. We call it Bring Your Own ML or BYOML for short. Obviously, this is intended for advanced users. If you are looking for built-in behavioral analytics, use our ML Analytic rules, UEBA module, or write your own behavioral analytics KQL based analytics rules.


To start with bringing your own ML to Azure Sentinel, watch the video, and read the blog post. You might also want to refer to the BYOML documentation

Frequent Contributor

Hi @Ofer_Shezaf, Awesome collection Ofer - thanks very much for the time taken on this.


Just a few typos that might have crept in:
The first link in Module 2 is not a presentation but loops back to this page?

In Module 6 & 11 the Deck link is to the Presentation & the Presentation link is the MP4 recording

In Module 9 the Presentation link loops back to this page? But is this also part of the 3 files that are tucked away at the bottom of the page? ;)


Stay safe



Thanks @David Caddick! I hope I have fixed them all.

Thank you for Sharing this Awesome Azure Sentinel Training with the Community :cool:

Occasional Contributor

Nice work @Ofer_Shezaf ! Do you have any certification or exam as part of this training?


@Ofer_Shezaf - Brilliant work & good to see all in one pack .

Occasional Visitor

Hi Guys i am not able to get the presentations.

Occasional Visitor

Only managed to download presentation for module 4 and 6.

Super Contributor



Awesome - is there some "Baseline/Best Practice/minimum" for Sentinel - in deploying->configuring/settings/datacollectors/rules template setup? 

hope question makes sense :D 


Hey @Ofer_Shezaf 


this is wonderfull, perfect time when in covid wait, thank you ;) 



Occasional Contributor

Thank you @Ofer_Shezaf !


We are glad for these sessions as we also have some extra time!



@Taen keren : Sentinel implementation is very use case specific - differnt users deploy it for different goals. A way to start would be to pick the sources you are most interested in monitoring and protecting. The connector page for those sources has anlaytics rules, workbooks and queries which would be the starting point listed on the "what's next" tab.  




The training blog is extensive but informal. Currently certification is only as part of Az500 but it is at a much higher level.  I agree that it is a good idea and will check how to do something like that.


~ Ofer


@Tmothibi : I was able to and did not here of the issue from other people. Does it work now? If not, can you share with me privately the error/issue details?

Occasional Visitor


Are the video links from 3 & 4 supposed to be the same?  They both (on youtube and onedrive) point to the same videos.


Really enjoying this link so far so thanks for creating it.  


Hi @fad3r : Yes, they are the same. I presented both topics in a single Webinar. I will replace (3) this week as I am doing an updated Webinar dedicated to this topic.

Respected Contributor

@Ofer_Shezaf Az-500 is going to be updated next month and there is only one small item about Sentinel in the new listing of topics, see Could you please work with the exam team to get more Sentinel questions added?


Hi @Ofer_Shezaf , First of all thank you for the training contents and it is really wonderful.


Do we have plans to launch certification as well for Azure Sentinel Level 400 Ninja ? 


@Nitish_Anand : After posting the program I learned that many would have liked to have such a certificate. I am looking into this, but we have no short term plans around it as of yet.

Regular Visitor

@Ofer_ShezafCan you provide me the end to end architecture diagram for SOAR? for instance how the communication will happen between on-prem data center paloalto/checkpoint firewall and sentinel to block malicious IP address, port in paloalto/checkpoint firewall? what are all the components involved in SOAR? what are all prerequisite?


@Vijaymkm : refere to for details on how to connect Logic Apps, our SOAR engine, to on-prem resources.

Senior Member

Thank you for this @Ofer_Shezaf . This is great I was looking for a consolidated documentation that is a deep dive..!



Occasional Contributor

Thanks for the great info; sharing with my Linkedin Network

New Contributor

A great collection of resources, Thank you @Ofer_Shezaf 

Hi Ofer,

Under Module 13: Hunting, "Threat Hunting - AWS using Sentinel, webinar on April 22nd, register here."
Should've already happened? but i can't find the youtube video. If it never took place maybe handy to remove it from the list?

- Jurgen

@Jurgen790 : Thanks for the reminder. Updated.

Regular Visitor

@Ofer_Shezaf  can you share the complete list of connector for security products i.e. Firewall (Checkpoint, paloalto, Cisco, etc), IPS, Anti-malware, URL filtering, etc..I am unable to find . i am wondering how we can perform SOAR functions using logic apps without connectors


super useful content really liked the design sessions

Occasional Contributor

Thanks for sharing ! 

Occasional Visitor

@Ofer_Shezaf Great Work, thank you very much. 

Respected Contributor

@Ofer_Shezaf while you are working on a certificate program, it could also be helpful if you contacted the MVP program to discuss how people working with Sentinel can be nominated for that award. I assume that its in the Threat Protection area


@Dean Gross : the certificate is not an award and does not need nominations, it would be based on passing an exam. As an update, the certificate will be based, at least initially, on the newly released Sentinel learning path and not the Ninja training. 

Super Contributor

One modification that may be useful is if you could make the listing of the sections at the top of the page hyperlinks to the sections on the page to make navigation easier.


@Gary Bushey : I tried. Anchor times seem to not work well with the CSS the community site uses :-(. Direct links are even more important for the FAQ. Well maybe time to move to the Microsoft docs site.

Frequent Visitor

How can I get a format certificate of completion for this course? Also I dont see any certification path for Sentinel!


@dmarshetty : this is an unofficial course and it has no certification. We are planning to have a SOC operations certification that will include Sentinel in a couple of months.

Frequent Visitor

@Ofer_Shezaf thank you. Is there any other course where we can get a certificate? I have done the Azure Sentinel's official learning path you mentioned but even that doesn't seem to have any certificate.

Occasional Visitor

There is no link for Module 2. I think I got to the right place. The first video follows with "Azure Sentinel webinar: Cloud & On-Premises architecture - YouTube(


@RandyDover : I don't have a Webinar for Module 2. The link you shared was the Webinar for Module 3, but was since updated, and the current presentations for Module 3 are more up to date.

New Contributor

Any chance of you lifting this over to a GitHub repo @Ofer_Shezaf would be great to keep it continually updated etc.




Hi @davidclarke : First, I am updating this blog on an ongoing basis. We consider moving it to the official Azure Sentinel documentation so it is not a workd of mouth kind of resource. Microsoft docs are GitHub so they allow anyone to suggest updates just like a regular GitHub repo. 

Frequent Contributor

Just sayin'... pretty awesome post right here!  I will be using this as I prepare to eventually write both AZ-500 and SC-200.

Senior Member

Thanks a lot for the magnificent topic  .. I believe this will help me pass the SC-200 Exam.

Valued Contributor

I would like thank you for this article.

I suggest to add courses and contents into the Microsoft Learn's lessons website as it is a fun way to learning and earn badge too.


@Reza_Ameri : in module zero, you can find the official Sentienl learning path as well as the SC-200 certification which includes a learning path. They share similarties with (and sometimes actually are based on) the Ninja training. The latter offers a certification based on the conent  (well, you will have to know MDE and AzD as well to certify).

Valued Contributor

Thank you @Ofer_Shezaf for the clarification.


Just a heads up that the link Playbooks folder under Module 9: SOAR currently links to the Workbooks folder in Github, not Playbooks:


Thanks @Louise_Wiljander.  Corrected.

Respected Contributor

@Ofer_Shezaf the Security compass has been replaced the Best Practices, see Microsoft Security Best Practices | Microsoft Docs. You may want to update the description above to help decrease confusion.

Occasional Visitor


Do we have an estimation of the time requested to complete this training ?

Thanks in advance

Occasional Visitor

@Ofer_Shezaf - I have the same question as @FrancoisV500 - How much time should we plan for going through this training?

Version history
Last update:
‎Apr 26 2021 10:10 AM
Updated by: