Become an Azure Sentinel Ninja: The complete level 400 training

(Last updated January 18th 2021)

In this blog post, I try to walk you through Azure Sentinel level 400 training and help you become an Azure Sentinel master.

Already did the Ninja Trainig? check what's new.​​​​​

Curriculum 

This training program includes 16 modules. The post includes a presentation for each module, preferably recorded (when still not, we are working on the recording) and supporting information: relevant product documentation, blog posts, and other resources.

The modules listed below are split into five groups following the life cycle of a SOC:

Part 1: Overview

- Module 0: Other learning and support options

- Module 1: Get started with Azure Sentinel

- Module 2: How is Azure Sentinel used?

Part 2: Architecting & Deploying

- Module 3: Workspace and tenant architecture

- Module 4: Data collection

- Module 5: Log Management

- Module 6: Enrichment: TI, Watchlists, and more

Part 3: Creating Content

- Module 7: The Kusto Query Language (KQL)

- Module 8: Analytics

- Module 9: SOAR

- Module 10: Workbooks, reporting, and visualization

- Module 11: Use cases and solutions

Part 4: Operating

- Module 12: A day in a SOC analyst's life, incident management, and investigation

- Module 13: Hunting

- Module 14: User and Entity Behavior Analytics (UEBA) 

- Module 15: Monitoring Azure Sentinel's health

Part 5: Advanced Topics

- Module 16: Extending and Integrating using Azure Sentinel APIs

- Module 17: Bring your own ML

Part 1: Overview

Module 0: Other learning and support options

The Ninja training is a level 400 training. If you don't want to go as deep or have a specific issue, other resources might be more suitable:

• Already did the Ninja Training? Check what's new.​​​​​
• While extensive, the Ninja training has to follow a script and cannot expand on every topic. The FAQ companion to the Ninja Training tries to closed this gap.
• Azure Sentinel's official learning path is best if you want step-by-step training to use Azure Sentinel's features.
• Premier customer? You might want the on-site (or remote these days) Azure Sentinel Fundamentals 4 days workshop.
• Already a Ninja? Just keep track of what's new, or join our Private Previews program for an even earlier glimpse. Didn't find what you are looking for? Submit feature requests using Uservoice
• Have a specific issue? Ask (or answer other) on the Azure Sentinel Tech Community. As a last resort, send an e-mail to AzureSentinel@microsoft.com.

Module 1: Get started with Azure Sentinel

Short on time? Watch the latest Ignite presentation (26 Minutes)
Get deeper? Watch the Webinar: MP4, YouTube, Presentation

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response (read more).

If you want to get an initial overview of Azure Sentinel's technical capabilities, the latest Ignite presentation is a good starting point. You might also find the Quick Start Guide to Azure Sentinel useful (requires registration). A more detailed overview, however somewhat dated, can be found in this webinar: MP4, YouTube, Presentation.

Lastly, want to try it yourself? The Azure Sentinel All-In-One Accelerator presents an easy way to get you started. To learn how to start yourself, review the onboarding documentation, or watch Insight's Sentinel setup and configuration video.

Learn from users

Thousands of organizations and service providers are using Azure Sentinel. As usual with security products, most do not go public about that. Still, there are some.

• You can find public customer use cases here,
• Insight released a use case about an NBA team adapting Sentinel.
• Stuart Gregg, Security Operations Manager @ ASOS, posted a much more detailed blog post from Azure Sentinel's experience, focusing on hunting.

Learn from Analysts

• Azure Sentinel is a Leader placement in Forrester Wave.

Module 2: How is Azure Sentinel used?

Short on time? read this presentation

Many users use Azure Sentinel as their primary SIEM. Most of the modules in this course cover this use case. In this module, we present a few additional ways to use Azure Sentinel.

As part of the Microsoft Security stack

Use Sentinel, Azure Defender (ASC), Microsoft 365 Defender (MTP) in tandem to protect your Microsoft workloads, including Windows, Azure, and Office:

• Read The Azure Security compass to understand Microsoft's blueprint for your security operations.
• Read and watch how such a setup helps detect and respond to a WebShell attack: Blog Post, Video demo.

To monitor your multi-cloud workloads

The cloud is (still) new and often not monitored as extensively as on-prem workloads. Read this presentation to learn how Azure Sentinel can help you close the cloud monitoring gap across your clouds.

Side by side with your existing SIEM

Either for a transition period or a longer-term, if you are using Azure Sentinel for your cloud workloads, you may be using Azure Sentinel along-side your existing SIEM. You might also be using both with a ticketing system such as Service Now. 

There are three common scenarios for side by side deployment:

• A best practice, if you have a ticketing system in your SOC, is to send alerts, or incidents, from both SIEM systems to a ticketing system such as Service Now, for example, using Azure Sentinel Incident Bi-directional sync with ServiceNow or by sending alerts enriched with supporting events from Azure Sentinel to 3rd party SIEMs.
• At least initially, many users send alerts from Azure sentinel to your on-prem SIEM. Read on how to do it in Sending alerts enriched with supporting events from Azure Sentinel to 3rd party SIEMs.
• Over time, as Azure Sentinel covers more workloads, it is typical to reverse that and send alerts from your on-prem SIEM to Azure Sentinel. To do that with Spunk, read "Send data and notable events from Splunk to Azure Sentinel using the Azure Sentinel Splunk App." For ArcSight, use CEF Forwarding.

You can also send the alerts from Azure Sentinel to your 3rd party SIEM or ticketing system using the Graph Security API, which is simpler but would not enable sending additional data. 

For MSSPs

Since it eliminates the setup cost and is location agnostics, Azure Sentinel is a popular choice for providing SIEM as a service. You can find a list of MISA (Microsoft Intelligent Security Association) member MSSPs using Azure Sentinel. Many other MSSPs, especially regional and smaller ones, use Azure Sentinel but are not MISA members.

More information about MSSP support is included in the next Module, cloud architecture, and multi-tenant support.  

Part 2: Architecting & Deploying

While the previous section offers options to start using Azure Sentinel in a matter of minutes, before you start a production deployment, you need to plan. This section walks you through the areas that you need to consider when architecting your solution, as well as provides guidelines on how to implement your design:

• Workspace and tenant architecture
• Data collection 
• Log management
• Threat Intelligence acquisition

Module 3: Workspace and tenant architecture

Short on time? Watch the Nick Dicoala's Ignite presentation (first 11 Minutes)
Get Deeper? Watch the Webinar: MP4, YouTube, Presentation

An Azure Sentinel instance is called a workspace. The workspace is the same as a Log Analytics workspace and supports any Log Analytics capability. You can think of Sentinel as a solution that adds SIEM features on top of a Log Analytics workspace.

Multiple workspaces are often necessary and can act together as a single Azure Sentinel system. A special use case is providing service using Azure Sentinel, for example, by an MSSP (Managed Security Service Provider) or by a Global SOC in a large organization. 

To learn more about why use multiple workspaces and use them as one Azure Sentinel system, read Extend Azure Sentinel across workspaces and tenants or, if you prefer, the Webinar version: MP4, YouTube, Presentation.

There are a few specific areas that require your consideration when using multiple workspaces:

• An important driver for using multiple workspaces is data residency. Read more about Azure Sentinel data residency.
• To deploy Azure Sentinel and manage content efficiently across multiple workspaces; you would like to manage Sentinel as code using CI/CD technology. This is, in general, a recommended best practice for Azure sentinel:
  •  Read deploying and Managing Azure Sentinel - Ninja style for a comprehensive CI/CD methodology.
  • Or use a simpler solution to deploy and Managing Azure Sentinel as Code and extend this capability across workspaces and tenants using Azure Lighthouse. 
• When managing multiple workspaces as an MSSP, you may want to protect the MSSP’s Intellectual Property in Azure Sentinel.

Module 4: Data collection

Short on time? Watch the Nick Dicoala's Ignite presentation (Mid 11 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4, Deck.

The foundation of a SIEM is collecting telemetry: events, alerts, and contextual enrichment information such as Threat Intelligence, vulnerability data, and asset information. You can find a list of sources you can connect here:

• Documentation of the connectors which are part of the connectors gallery (63 as of this writing).
• The Grand List of sources you can connect to Azure Sentinel, whether part of the gallery or not (171 as of this writing).

How you connect each source falls into several categories or source types. Each source type has a distinct setup effort but once deployed. It serves all sources of that type. The Grand List specifies for each source what its type is. To learn more about those categories, watch the Webinar (includes Module 3): YouTube, MP4, Deck.

The types are:

• Built-in service-to-service connectors allow Azure Sentinel to connect directly to cloud services such as Office 365 or AWS CloudTrail. Some of the service-to-service connectors, such as AAD, utilize Azure diagnostics behind the scenes. 

• Direct refers to sources that natively know how to send data to Azure Sentinel or Log Analytics. These include Azure services or other Microsoft solutions that support sending telemetry (often referred to as "diagnostics") to Log Analytics and 3rd party sources that use the ingestion API to write to Log analytics or Azure Sentinel directly. The Microsoft direct sources are listed in addition to the Grand List and in the blog post "Collecting logs from Microsoft Services and Applications."

• The Log Forwarder is a VM that enables collecting Syslog and CEF events from remote systems. If a source is listed in the Grand List as CEF or Syslog, you will use the Log Forwarder to collect from it. Learn more about the Log Forwarder in this webinar (plus a bonus: learn how to use it to filter events):  YouTube, MP4, Deck.

• The Log Analytics agent collects information from Windows or Linux hosts. In addition to OS events such as Windows Events, the agent can collect events stored in files. Learn more about the Log Analytics agent in this blog: collecting telemetry from on-prem and IaaS server using the Log Analytics agent. The Azure Monitor Agent is a new generation agent currently in preview that offers advantages such as Windows events filtering.

• ELK's Logstash and Beats can be used as an alternative to both the agent and Log Forwarder using the Azure Sentinel Logstash output plug-in.

• Integrate Threat Intelligence (TI) sources using the built-in connectors from TAXII servers or Microsoft Graph Security API. Read more on how to in the documentation. TI can also be important as a custom log using a custom connector or as a lookup table. You can read more about how TI is used managed in Azure Azure in the TI modules later. 

If your source is not available, you can create a custom connector. Custom connectors use the ingestion API and therefore are similar to direct sources. Custom connectors are most often implemented using Logic Apps, offering a codeless option, or Azure Functions.

Module 5: Log Management

While how many and which workspaces to use is the first architecture question to ask, there are additional log management architectural decisions:

• Where and how long to retain data.
• How to best manage access to data and secure it. 

Retention

• If you want to retain data for more than two years or reduce the retention cost, you can consider using Azure Data Explorer for long-term retention of Azure Sentinel logs.
• If you prefer another long-term retention solution, export from Azure Sentinel / Log Analytics to Azure Storage and Event Hub or move Logs to Long-Term Storage using Logic Apps. The latter advantage is that it can export historical data.
• Lastly, you can set fine-grained retention periods using table-level retention Settings (and documentation)

Logs Security

• Use resource RBAC or table Level RBAC to enable multiple teams to use a single workspace.
• If needed, delete PII data from your workspaces.
• Learn how to audit workspace queries and Azure Sentinel use, using alerts workbooks and queries.
• Use private links to ensure logs never leave your private network.

Dedicated cluster

• More than 1TB/d? You can have your own Log Analytics dedicated cluster. 

Module 6: Enrichment: TI, Watchlists, and more

One of the important functions of a SIEM is to apply contextual information to the event steam, enabling detection, alert prioritization, and incident investigation. Contextual information includes, for example, threat intelligence, IP intelligence, host and user information, and watchlists.

Azure Sentinel provides comprehensive tools to import, manage, and use threat intelligence. For other types of contextual information, Azure Sentinel provides Watchlists, as well as alternative solutions.

Threat Intelligence

Short on time? watch the Ignite session (28 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4, Presentation

Threat Intelligence is an important building block of a SIEM.

In Azure Sentinel, you can integrate threat intelligence (TI) using the built-in connectors from TAXII servers or through the Microsoft Graph Security API. Read more on how to in the documentation. Refer to the data collection modules for more information about importing Threat Intelligence. 

Once imported, Threat Intelligence is used extensively throughout Azure Sentinel and is weaved into the different modules. The following features focus on using Threat Intelligence:

• View and manage the imported threat intelligence in Logs in the new Threat Intelligence area of Azure Sentinel.
• Use the built-in TI Analytics rule templates to generate security alerts and incidents using your imported threat intelligence.
• Visualize key information about your threat intelligence in Azure Sentinel with the Threat Intelligence workbook.

Part 3: Creating Content

What is Azure Sentinel's content?

Azure Sentinel security value is a combination of its built-in capabilities such as UEBA, Machine Learning, or out-of-the-box analytics rules and your capability to create custom capabilities and customize built-in ones. Customized SIEM capabilities are often referred to as "content" and include analytic rules, hunting queries, workbooks, playbooks, and more.

In this section, we grouped the modules that help you learn how to create such content or modify built-in-content to your needs.  We start with KQL, the Lingua Franca of Azure Sentinel. The following modules discuss one of the content building blocks such as rules, playbooks, and workbooks. We wrap up by discussing use cases, which encompass elements of different types to address specific security goals such as threat detection, hunting, or governance. 

Module 7: KQL

Short on time? Start at the beginning and go as far as time allows.

Most Azure Sentinel capabilities use KQL or Kusto Query Language. When you search in your logs, write rules, create hunting queries, or design workbooks, you use KQL.  Note that the next section on writing rules explains how to use KQL in the specific context of SIEM rules.

We suggest you follow this Sentinel KQL journey:

1. Pluralsight KQL course - the basics
2. The Azure Sentinel KQL Lab: An interactive lab teaching KQL focusing on what you need for Azure Sentinel:
   1. Deck, Lab URL 
   2. a Jupyter Notebooks version contributed by jjsantanna, which let you test the queries within the notebook.
   3. Learning webinar: Youtube, MP4;
   4. Reviewing lab solutions webinar: YouTube, MP4
3. Pluralsight Advanced KQL course
4. Optimizing Azure Sentinel KQL queries performance: YouTube, MP4, Deck.

You might also find the following reference information useful as you learn KQL:

• The KQL Cheat Sheet
• Query optimization best practices

Module 8: Analytics

Short on time? watch the Webinar: MP4, YouTube, Presentation

Writing Scheduled Analytics Rules

Azure Sentinel enables you to use built-in rule templates, customize the templates for your environment, or create custom rules. The core of the rules is a KQL query; however, there is much more than that to configure in a rule.

To learn the procedure for creating rules, read the documentation. To learn how to write rules, i.e., what should go into a rule, focusing on KQL for rules, watch the webinar: MP4, YouTube, Presentation.

SIEM rules have specific patterns. Learn how to implement rules and write KQL for those patterns:  

• Correlation rules: using lists and the "in" operator or using the "join" operator
• Aggregation: see using lists and the "in" operator above, or a more advanced pattern handling sliding windows
• Lookups: Regular, or Approximate, partial & combined lookups
• Delayed events: are a fact of life in any SIEM and are hard to tackle. Azure Sentinel can help you mitigate delays in your rules.
• Using KQL functions as building blocks: Enriching Windows Security Events with Parameterized Function.

You might also find the following reference information useful as you learn to write rules:

• The schema used by Azure Sentinel for keys Microsoft and 3rd party sources and most other Azure sources.

Using built-in analytics

Before embarking on your own rule writing, you should take advantage of the built-in analytics capabilities. Those do not require much from you, but it is worthwhile learning about them:

• Use the built-in scheduled rule templates. You can tune those templates by modifying the templates the same way to edit any scheduled rule. Make sure to deploy the templates for the data connectors you connect listed in the data connector "next steps" tab.
• Advanced multi-stage attack detections ("fusion") are enabled by default. Read more on how to manage and use them in the documentation.

Module 9: Implementing SOAR

Short on time? watch the Webinar: YouTube, MP4, Deck

In modern SIEMs such as Azure Sentinel, SOAR (Security Orchestration, Automation, and Response) comprises the entire process from the moment an incident is triggered and until it is resolved. This process starts with an incident investigation and continues with an automated response.

Logic App playbooks are the main automation tool in Azure Sentinel. To learn more about them:

• Watch the Logic Apps Sentinel playbooks Webinar: YouTube, MP4, Deck
• Read about Logic Apps, which is the core technology driving Azure Sentinel playbooks.
• The Azure Sentinel Logic App connector is a link between Logic Apps and Azure Sentinel.

You can find dozens of useful Playbooks in the Playbooks folder on the Azure Sentinel GitHub.  

Learn about the following playbooks to help you better grasp the concept and how to implement playbooks:

• A playbook using a watchlist to Inform a subscription owner on an alert

In many organizations, SOAR is a shared responsibility between Azure Sentinel and dedicated incident management or automation tool such as Service Now. Read more about how to integrate such tools here:

• Sending alerts enriched with supporting events from Azure Sentinel to 3rd party ticketing systems or...

Module 10: Workbooks, reporting, and visualization

Short on time? Watch the Webinar: YouTube, MP4, Deck

Workbooks

As the nerve center of your SOC, you need Azure Sentel to visualize the information it collects and produces. Use workbooks to visualize data in Azure Sentinel. To learn more about Workbooks in Azure Sentinel, watch the Webinar: YouTube, MP4, Deck, and read the documentation. To learn how to create workbooks, watch Billy York's Workbooks training (and accompanying text). Note that Billy's training is not Azure Sentinel specific. 

Workbooks can be interactive and enable much more than just charting. With Workbooks, you can create apps or extension modules for Azure Sentinel to complement built-in functionality. We also use workbooks to extend the features of Azure Sentinel. Few examples of such apps are, you can both use and learn from are:

• The Investigation Insights Workbook provides an alternative approach for investigating incidents.
• Graph Visualization of External Teams Collaborations enables hunting for risky Teams use.
• The users' travel map workbook allows investigating geo-location alerts.
• The insecure protocols workbook (Implementation Guide, recent enhancements, and overview video) let you identify the use of insecure protocols in your network.
• Lastly, learn how to integrate information from any source using API calls in a workbook.

You can find dozens of workbooks, some available in the Azure Sentinel's workbooks gallery and some not, in the Workbooks folder in the Azure Sentinel GitHub. 

Reporting and other visualization options

Workbooks can serve for reporting. For more advanced reporting capabilities such as reports scheduling and distribution or pivot tables, you might want to use:

• Power BI, which natively integrates with Log Analytics and Sentinel.
• Getting Sentinel data into Excel.
• Jupyter notebooks covered later in the hunting module are also a great visualization tool.

Module 11: Use cases and solutions

Short on time? watch the "Tackling Identity" Webinar: YouTube, MP4, Deck

Using connectors, rules, playbooks, and workbooks enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. You can deploy Sentinel built-in use cases by activating the suggested rules when connecting each Connector. A solution is a group of use cases addressing a specific threat domain.

The Webinar "Tackling Identity" (YouTube, MP4, Presentation) explains what a use case is, how to approach its design, and presents several use cases that collectively address identity threats.

Another very relevant solution area is protection remote work. Watch our ignite session on protection remote work, and read more on the specific use cases:

• Microsoft Teams hunting use cases and Graph Visualization of External Microsoft Teams Collaborations
• Monitoring Zoom with Azure Sentinel: custom connectors, analytic rules, and hunting queries.
• Monitoring Windows Virtual Desktop with Azure Sentinel: use Windows Security Events, Azure AD Sign-in logs, Microsoft 365 defender for endpoints, and WVD diagnostics logs to detect and hunt for WVD threats.
• Monitor Microsoft endpoint Manager / Intune, using queries and workbooks.

Part 4: Operating

Module 12: Handling incidents

Short on time? watch the "day in a life" Webinar: YouTube, MP4, Deck

After building your SOC, you need to start using it. The "day in a SOC analyst life" webinar (YouTube, MP4, Presentation) walks you through using Azure Sentinel in the SOC to triage, investigate and respond to incidents.

You might also want to read the documentation article on incident investigation. As part of the investigation, you will also use the entity pages to get more information about entities related to your incident or identified as part of your investigation.

Incident investigation in Azure Sentinel extends beyond the core incident investigation functionality. We can build additional investigation tools using Workbooks and Notebooks (the latter are discussed later, under hunting). You can also build additional investigation tools or modify ours to your specific needs. Examples include: 

• The Investigation Insights Workbook provides an alternative approach for investigating incidents.
• Notebooks enhance the investigation experience. Read 'Why Use Jupyter for Security Investigations?" and learn how to investigate with Azure Sentinel & Jupyter Notebooks: part 1, part 2, and part 3.

Module 13: Hunting

Short on time? watch the Webinar: YouTube, MP4, Deck
(Note that the Webinar starts with an update on new features, to learn about hunting, start at slide 12. The Youtube link is already set to start there)

While most of the discussion so far focused on detection and incident management, hunting is another important use case for Azure Sentinel. Hunting is a proactive search for threats rather than a reactive response to alerts.

To understand more about what hunting is and how Azure Sentinel supports it, Watch the hunting intro Webinar (YouTube, MP4, Deck). Note that the Webinar starts with an update on new features. To learn about hunting, start at slide 12. The Youtube link is already set to start there.

While the intro webinar focuses on tools, hunting is all about security. Our security research team webinar on hunting (MP4, YouTube, Presentation) focuses on how to actually hunt. The follow-up AWS Threat Hunting using Sentinel Webinar (MP4, YouTube, Presentation) really drives the point by showing an end to end hunting scenario on a high-value target environment. Lastly, you can learn how to do SolarWinds Post-Compromise Hunting with Azure Sentinel.

Using Notebooks

Jupyter notebooks are an important tool in the hunter's tool chest and are discussed in the hunting webinars above. To understand them better, watch the Introduction to notebooks video. While Jupyter notebooks are a popular open-source system, Azure Sentinel integrates them. Read on how to Notebooks in Azure Sentinel in the documentation. Our research team also develops MSTICPY, a Python library for using with Jupyter notebooks that adds Azure Sentinel interfaces and sophisticated security capabilities to your notebooks.

Notebooks are also great for investigating: go to the handling incidents module to learn more about Jupyter notebooks and investigation.

Module 14: User and Entity Behavior Analytics (UEBA)

Short on time? watch the Webinar: MP4, YouTube, Deck

Azure Sentinel newly introduced User and Entity Behavior Analytics (UEBA) module enables you to identify and investigate threats inside your organization and their potential impact - whether a compromised entity or a malicious insider.

Learn more about UEBA in the UEBA Webinar (MP4, YouTube, Deck) and read about using UEBA for investigations in your SOC. 

Module 15: Monitoring Azure Sentinel's health

Short on time? watch the videos on monitoring connector and security operations health

Part of operating a SIEM is making sure it works smoothly and an evolving area in Azure Sentinel. Use the following to monitor Azure Sentinel's health:

• Monitor the health of your security operations (video)
• Monitor the health of your data connectors (video) and get notifications on anomalies
• Monitor the health of your agents using the agents' health solution (Windows only) and the Heartbeat table (Linux and Windows)
• Monitor the health of your Log Analytics workspace, including query execution and ingest health

Part 5: Advanced Topics

Module 16: Extending and Integrating using Azure Sentinel APIs

Short on time? watch the video (5 minutes)
Get deeper? Watch the Webinar: MP4, YouTube, Presentation

As a cloud-native SIEM, Azure Sentinel is an API first system. Every feature can be configured and used through an API, enabling easy integration with other systems and extending Sentinel with your own code. If API sounds intimidating to you, don't worry; whatever is available using the API is also available using PowerShell.

To learn more about Azure Sentinel APIs, watch the short introductory video and blog post. To get the details, watch the deep dive Webinar (MP4, YouTube, Presentation) and read the blog post  Extending Azure Sentinel: APIs, Integration, and management automation.

Module 17: Bring your own ML

Short on time? watch the video

Azure Sentinel provides a great platform for implementing your own Machine Learning algorithms. We call it Bring Your Own ML or BYOML for short. Obviously, this is intended for advanced users. If you are looking for built-in behavioral analytics, use our ML Analytic rules, UEBA module, or write your own behavioral analytics KQL based analytics rules.

To start with bringing your own ML to Azure Sentinel, watch the video, and read the blog post. You might also want to refer to the BYOML documentation. 

• https://docs.microsoft.com/en-us/azure/sentinel/bring-your-own-ml
• Azure Sentinel Build-Your-Own ML Model video