Become a Microsoft Sentinel Ninja: The complete level 400 training
Published Apr 12 2020 04:05 PM 880K Views

(Last updated December 2023)


In this blog post, we try to walk you through Microsoft Sentinel level 400 training and help you become a Microsoft Sentinel master.


Already did the Ninja Training? check what's new.​​​​​






This training program includes 21 modules. The post includes a presentation for each module, preferably recorded (when still not, we are working on the recording) and supporting information: relevant product documentation, blog posts, and other resources.

The modules listed below are split into five groups following the life cycle of a SOC:


Part 1: Overview

- Module 0: Other learning and support options

- Module 1: Get started with Microsoft Sentinel

- Module 2: How is Microsoft Sentinel used?


Part 2: Architecting & Deploying

- Module 3: Workspace and tenant architecture

- Module 4: Data collection

- Module 5: Log Management

- Module 6: Enrichment: TI, Watchlists, and more

- Module W: Log transformation

- Module X: Migration

- Module Z: ASIM and Normalization


Part 3: Creating Content

- Module 7: The Kusto Query Language (KQL)

- Module 8: Analytics

- Module 9: SOAR

- Module 10: Workbooks, reporting, and visualization

- Module Y: Notebooks

- Module 11: Use cases and solutions


Part 4: Operating

- Module 12: A day in a SOC analyst's life, incident management, and investigation

- Module 13: Hunting

- Module 14: User and Entity Behavior Analytics (UEBA) 

- Module 15: Monitoring Microsoft Sentinel's health


Part 5: Advanced Topics

- Module 16: Extending and Integrating using Microsoft Sentinel APIs

- Module 17: Bring your own ML


Part 1: Overview


Module 0: Other learning and support options


The Ninja training is a level 400 training. If you don't want to go as deep or have a specific issue, other resources might be more suitable:


Think you're a true Sentinel Ninja? Take the knowledge check and find out. If you pass the 
knowledge check with a score of over 80% you can request a certificate to prove your ninja

1. Take the knowledge check here. 
2. If you score 80% or more in the knowledge check, request your participation certificate 
here. If you achieved less than 80%, please review the questions that you got it wrong, study
more and take the assessment again.


Module 1: Get started with Microsoft Sentinel


Haven't looked at Sentinel recently? This webinar summarizes what's new in Sentinel 
between Jan and Aug 2023.


Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response (read more).


If you want to get an initial overview of Microsoft Sentinel's technical capabilities, the latest Ignite presentation is a good starting point. You might also find the Quick Start Guide to Microsoft Sentinel useful (requires registration). A more detailed overview, however somewhat dated, can be found in this webinar: YouTube


Lastly, want to try it yourself? The Microsoft Sentinel All-In-One Accelerator  (blog, Youtube) presents an easy way to get you started. To learn how to start yourself, review the onboarding documentation, or watch Insight's Sentinel setup and configuration video.


Learn from users

Thousands of organizations and service providers are using Microsoft Sentinel. As usual with security products, most do not go public about that. Still, there are some.


Learn from Analysts


Module 2: How is Microsoft Sentinel used?


Many users use Microsoft Sentinel as their primary SIEM. Most of the modules in this course cover this use case. In this module, we present a few additional ways to use Microsoft Sentinel.


As part of the Microsoft Security stack

Use Sentinel and Microsoft 365 Defender in tandem to protect your Microsoft workloads, including Windows, Azure, and Office:


To monitor your multi-cloud workloads

The cloud is (still) new and often not monitored as extensively as on-prem workloads. Read this presentation to learn how Microsoft Sentinel can help you close the cloud monitoring gap across your clouds.


Side by side with your existing SIEM

Either for a transition period or a longer term, if you are using Microsoft Sentinel for your cloud workloads, you may be using Microsoft Sentinel alongside your existing SIEM. You might also be using both with a ticketing system such as Service Now. 


For more information on migrating from another SIEM to Microsoft Sentinel, watch the migration webinar: MP4YouTubeDeck.


There are three common scenarios for side by side deployment:

You can also send the alerts from Microsoft Sentinel to your 3rd party SIEM or ticketing system using the Graph Security API , which is simpler but would not enable sending additional data. 



Since it eliminates the setup cost and is location agnostics, Microsoft Sentinel is a popular choice for providing SIEM as a service. You can find a list of MISA (Microsoft Intelligent Security Association) member MSSPs using Microsoft Sentinel. Many other MSSPs, especially regional and smaller ones, use Microsoft Sentinel but are not MISA members.


To start your journey as an MSSP, you should read the Microsoft Sentinel Technical Playbooks for MSSPs. More information about MSSP support is included in the next module, cloud architecture and multi-tenant support.  


Part 2: Architecting & Deploying


While the previous section offers options to start using Microsoft Sentinel in a matter of minutes, before you start a production deployment, you need to plan. This section walks you through the areas that you need to consider when architecting your solution, as well as provides guidelines on how to implement your design:

  • Workspace and tenant architecture
  • Data collection 
  • Log management
  • Threat Intelligence acquisition


Module 3: Workspace and tenant architecture


Short on time? Watch the Nic DiCola's Ignite presentation (first 11 Minutes)

Get Deeper? Watch the Webinar: MP4YouTubePresentation


A Microsoft Sentinel instance is called a workspace. The workspace is the same as a Log Analytics workspace and supports any Log Analytics capability. You can think of Sentinel as a solution that adds SIEM features on top of a Log Analytics workspace.


Multiple workspaces are often necessary and can act together as a single Microsoft Sentinel system. A special use case is providing service using Microsoft Sentinel, for example, by an MSSP (Managed Security Service Provider) or by a Global SOC in a large organization. 


To learn more about why use multiple workspaces and use them as one Microsoft Sentinel system, read Extend Microsoft Sentinel across workspaces and tenants or, if you prefer, the Webinar version: MP4YouTubePresentation.


There are a few specific areas that require your consideration when using multiple workspaces:



The Microsoft Sentinel Technical Playbook for MSSPs provides detailed guidelines for many of those topics, and is useful also for large organizations, not just to MSSPs.


Module 4: Data collection


Watch the Codeless Connector Platform: Create your data connector in Microsoft Sentinel 
webinar. Youtube, Deck.

Watch the Manage Your Log Lifecycle with New Methods for Ingestion, Archival, Search,
and Restoration webinar. YouTube, Deck.

Short on time? Watch the Nic DiCola's Ignite presentation (Mid 11 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4Deck.


The foundation of a SIEM is collecting telemetry: events, alerts, and contextual enrichment information such as Threat Intelligence, vulnerability data, and asset information. You can find a list of sources you can connect here:

  • Documentation of the connectors which are part of the connectors gallery.
  • Microsoft Sentinel Solutions gallery to deliver instant out-of-the-box solutions and content using Content Hub.
  • Data Collection Scenarios: Learn more about a variety of solutions for log collection methods such as Logstash/CEF/WEF and scenarios we often encounter such as permissions restriction to tables, log filtering, collecting logs from AWS/GCP, O365 raw logs and more in this webinar YouTube, MP4, Deck.


How you connect each source falls into several categories or source types. Each source type has a distinct setup effort but once deployed,  it serves all sources of that type. The Grand List specifies for each source what its type is. To learn more about those categories, watch the Webinar (includes Module 3): YouTube, MP4Deck.


The types are:


  • Built-in service-to-service connectors allow Microsoft Sentinel to connect directly to cloud services such as Office 365 or AWS CloudTrail. Some of the service-to-service connectors, such as AAD, utilize Azure diagnostics behind the scenes. 


  • Direct refers to sources that natively know how to send data to Microsoft Sentinel or Log Analytics. These include Azure services or other Microsoft solutions that support sending telemetry (often referred to as "diagnostics") to Log Analytics and 3rd party sources that use the ingestion API to write to Log analytics or Microsoft Sentinel directly. The Microsoft direct sources are listed in addition to the Grand List and in the blog post "Collecting logs from Microsoft Services and Applications."


  • The Codeless Connector Platform (CCP) provides customers with the ability to create custom connectors, connect them, and ingest data to Microsoft Sentinel. Connectors created via the CCP can be deployed via API, an ARM template, or as a solution in the Microsoft Sentinel content hub. Connectors created using CCP are fully SaaS, without any requirements for service installations, and include health monitoring and full support from Microsoft Sentinel.  Create a codeless connector for Microsoft Sentinel | Microsoft Docs provides guidelines and more information about this new way to connect data sources to Sentinel. To learn more about Codeless Connector platform watch the webinar: Youtube, Deck.


  • The Log Forwarder is a VM that enables collecting Syslog and CEF events from remote systems. If a source is listed in the Grand List as CEF or Syslog, you will use the Log Forwarder to collect from it. Learn more about the Log Forwarder in this webinar (plus a bonus: learn how to use it to filter events):  YouTubeMP4Deck.


  • The Log Analytics agent collects information from Windows or Linux hosts. In addition to OS events such as Windows Events, the agent can collect events stored in files. Learn more about the Log Analytics agent in this blog: collecting telemetry from on-prem and IaaS server using the Log Analytics agent. The Azure Monitor Agent is a new generation agent currently in preview that offers advantages such as Windows events filtering. The Log Analytics agent is being deprecated on 31 August 2024, so if you have not yet deployed the Log Analytics agent you should consider whether it is possible for you to start using the Azure Monitor Agent (see next bullet point).


  • The Azure Monitor Agent (AMA) is the replacement for the Log Analytics Agent. The Azure Monitor agent introduces several new capabilities not available in the Log Analytics agent such as filtering, scoping, and multi-homing. At the time of writing this update, AMA isn't yet at parity with the Log Analytics agent, you can compare the functionality between the two agents here. Consider whether the features you need for your Microsoft Sentinel deployment are supported in AMA, or whether to continue to use the Log Analytics agent for now and migrate at a later date. Watch the Everything You Ever Wanted to Know About Using the New Azure Monitor Agent (AMA) webinar here.



  • Integrate Threat Intelligence (TI) sources using the built-in connectors from TAXII servers or Microsoft Graph Security API. Read more on how to in the documentation. TI can also be important as a custom log using a custom connector or as a lookup table. You can read more about how TI is used managed in Microsoft Sentinel in the TI modules later. 


  • The Codeless Connector Platform (CCP) provides partners, advanced users, and developers with the ability to create custom connectors, connect them, and ingest data to Microsoft Sentinel. Connectors created via the CCP can be deployed via API, an ARM template, or as a solution in the Microsoft Sentinel content hub.


  • Custom connectors use the ingestion API and therefore are similar to direct sources. Custom connectors are most often implemented using Logic Apps, offering a codeless option, or Azure Functions.


Module 5: Log Management


While how many and which workspaces to use is the first architecture question to ask, there are additional log management architectural decisions:

  • Where and how long to retain data.
  • How to best manage access to data and secure it. 


Ingest, Archive, Search, and Restore Data within Microsoft Sentinel

Watch the webinar: Manage Your Log Lifecycle with New Methods for Ingestion, Archival, Search, and Restoration, here.


This suite of features contains:

  • Basic ingestion tier: new pricing tier for Azure Log Analytics that allows for logs to be ingested at a lower cost. This data is only retained in the workspace for 8 days total.
  • Archive tier: Azure Log Analytics has expanded its retention capability from 2 years to 7 years. With that, this new tier for data will allow for the data to be retained up to 7 years in a low-cost archived state.
  • Search jobs: search tasks that run limited KQL in order to find and return all relevant logs to what is searched. These jobs search data across the analytics tier, basic tier. and archived data.
  • Data restoration: new feature that allows users to pick a data table and a time range in order to restore data to the workspace via restore table.
  • Learn more about this new feature here.



Alternative retention options outside of the Microsoft Sentinel platform


Log Security


Dedicated cluster


Module 6: Enrichment: TI, Watchlists, and more


One of the important functions of a SIEM is to apply contextual information to the event steam, enabling detection, alert prioritization, and incident investigation. Contextual information includes, for example, threat intelligence, IP intelligence, host and user information, and watchlists.


Microsoft Sentinel provides comprehensive tools to import, manage, and use threat intelligence. For other types of contextual information, Microsoft Sentinel provides Watchlists, as well as alternative solutions.


Threat Intelligence


Watch the Automate Your Microsoft Sentinel Triage Efforts with RiskIQ Threat 
Intelligence webinar. YouTube. Deck.

Short on time? watch the
Ignite session (28 Minutes)
Get Deeper? Watch the Webinar: YouTubeMP4Presentation


Threat Intelligence is an important building block of a SIEM. Watch the Explore the Power of Threat Intelligence in Microsoft Sentinel webinar here


In Microsoft Sentinel, you can integrate threat intelligence (TI) using the built-in connectors from TAXII servers or through the Microsoft Graph Security API. Read more on how to in the documentation. Refer to the data collection modules for more information about importing Threat Intelligence. 


Once imported, Threat Intelligence is used extensively throughout Microsoft Sentinel and is weaved into the different modules. The following features focus on using Threat Intelligence:


Watchlists and other lookup mechanisms


Watch the Use Watchlists to Manage Alerts, Reduce Alert Fatigue and improve
SOC efficiency
webinar. YouTube, Deck.


To import and manage any type of contextual information, Microsoft Sentinel provides Watchlists, which enable you to upload data tables in CSV format and use them in your KQL queries. Read more about Watchlists in the documentation or watch the use Watchlists to Manage Alerts, Reduce Alert Fatigue and improve SOC efficiency webinar. YouTube, Deck.
In addition to Watchlists, you can also use the KQL externaldata operator, custom logs, and KQL functions to manage and query context information. Each one of the four methods has its pros and cons, and you can read more about the comparison between those options in the blog post "Implementing Lookups in Microsoft Sentinel." While each method is different, using the resulting information in your queries is similar enabling easy switching between them.
Read utilize Watchlists to Drive Efficiency During Microsoft Sentinel Investigations for ideas on using Watchlist outside of analytic rules.

Module W: Log transformation


Watch the Transforming Data at Ingestion Time in Microsoft Sentinel webinar. YouTube, Deck.

Get Deeper? Watch the Webinar: Manage Your Log Lifecycle with New Methods for Ingestion, Archival, Search, and Restoration. Youtube, Deck

Microsoft Sentinel supports two new features for data ingestion and transformation. These features, provided by Log Analytics, act on your data even before it's stored in your workspace.


The first of these features is the custom logs API. It allows you to send custom-format logs from any data source to your Log Analytics workspace, and store those logs either in certain specific standard tables, or in custom-formatted tables that you create. The actual ingestion of these logs can be done by direct API calls. You use Log Analytics data collection rules (DCRs) to define and configure these workflows.


The second feature is ingestion-time data transformation for standard logs. It uses DCRs to filter out irrelevant data, to enrich or tag your data, or to hide sensitive or personal information. Data transformation can be configured at ingestion time for the following types of built-in data connectors:

  • AMA-based data connectors (based on the new Azure Monitor Agent)
  • MMA-based data connectors (based on the legacy Log Analytics Agent)
  • Data connectors that use Diagnostic settings
  • Service-to-service data connectors

For more information, see:


Module X: Migration


Watch the Webinar: YouTubeMP4Presentation


In many (if not most) cases, you already have a SIEM and need to migrate to Microsoft Sentinel. While it may be a good time to start over and rethink your SIEM implementation, it makes sense to utilize some of the assets you already built in your current implementation. To start watch our webinar describing best practices for converting detection rules from Splunk, QRadar, and ArcSight to Azure Sentinel Rules: YouTubeMP4Presentation, blog.


You might also be interested in some of the resources presented in the blog:


Module Z: ASIM and Normalization


Watch the Extend and Manage ASIM: Developing, Testing and Deploying Parsers 
webinar: YouTube, Deck.
Watch the Advanced SIEM Information Model (ASIM): Now built into Microsoft Sentinel webinar:
YouTube, Deck.


Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.


The Advanced SIEM Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. Watch the Advanced SIEM Information Model (ASIM): Now built into Microsoft Sentinel webinar:  YouTube, Deck.


The current implementation is based on query time normalization using KQL functions. And includes the following:

  • Normalized schemas cover standard sets of predictable event types that are easy to work with and build unified capabilities. The schema defines which fields should represent an event, a normalized column naming convention, and a standard format for the field values. 
    • Watch the Understanding Normalization in Microsoft Sentinel webinar: Youtube, Presentation.
    • Watch the Deep Dive into Microsoft Sentinel Normalizing Parsers and Normalized Content webinar: YouTube, MP3, Presentation.
  • Parsers map existing data to the normalized schemas. Parsers are implemented using KQL functions.  Watch the Extend and Manage ASIM: Developing, Testing and Deploying Parsers webinar: YouTube, Deck.
  • Content for each normalized schema includes analytics rules, workbooks, hunting queries, and additional content. This content works on any normalized data without the need to create source-specific content.


Using ASIM provides the following benefits:

  • Cross source detection: Normalized analytic rules work across sources, on-prem and cloud, now detecting attacks such as brute force or impossible travel across systems including Okta, AWS, and Azure.
  • Allows source agnostic content: the coverage of built-in as well as custom content using ASIM automatically expands to any source that supports ASIM, even if the source was added after the content was created. For example, process event analytics support any source that a customer may use to bring in the data, including Defender for Endpoint, Windows Events, and Sysmon. We are ready to add Sysmon for Linux and WEF once released!
  • Support for your custom sources in built-in analytics
  • Ease of use: once an analyst learns ASIM, writing queries is much simpler as the field names are always the same.


To learn more about ASIM:


To Deploy ASIM:

  • Deploy the parsers from the folders starting with “ASIM*” in the parsers folder on GitHub.
  • Activate analytic rules that use ASIM. Search for “normal” in the template gallery to find some of them. To get the full list use this GitHub search.


To Use ASIM:


Part 3: Creating Content


What is Microsoft Sentinel's content?


Microsoft Sentinel security value is a combination of its built-in capabilities such as UEBA, Machine Learning, or out-of-the-box analytics rules and your capability to create custom capabilities and customize built-in ones. Customized SIEM capabilities are often referred to as "content" and include analytic rules, hunting queries, workbooks, playbooks, and more.


In this section, we grouped the modules that help you learn how to create such content or modify built-in-content to your needs.  We start with KQL, the Lingua Franca of Azure Sentinel. The following modules discuss one of the content building blocks such as rules, playbooks, and workbooks. We wrap up by discussing use cases, which encompass elements of different types to address specific security goals such as threat detection, hunting, or governance. 


Module 7: KQL


Short on time? Start at the beginning and go as far as time allows.


Most Microsoft Sentinel capabilities use KQL or Kusto Query Language. When you search in your logs, write rules, create hunting queries, or design workbooks, you use KQL.  Note that the next section on writing rules explains how to use KQL in the specific context of SIEM rules.


We suggest you follow this Sentinel KQL journey:

  1. Pluralsight KQL course - the basics
  2. The Microsoft Sentinel KQL Lab: An interactive lab teaching KQL focusing on what you need for Microsoft Sentinel:
    1. Learning module (SC-200 part 4)
    2. Deck, Lab URL 
    3. Jupyter Notebooks version contributed by jjsantanna, which let you test the queries within the notebook.
    4. Learning webinar: Youtube, MP4;
    5. Reviewing lab solutions webinar: YouTube , MP4
    6. Microsoft Sentinel Workbooks 101 (with sample Workbook) blog.
  3. Pluralsight Advanced KQL course
  4. Optimizing Azure Sentinel KQL queries performance: YouTubeMP4Deck.
  5. Using ASIM in your KQL queries: YouTube, Deck
  6. KQL Framework for Microsoft Sentinel -Empowering You to Become KQL-Savvy: YouTube, Deck.


You might also find the following reference information useful as you learn KQL:


Module 8: Analytics


Writing Scheduled Analytics Rules


Short on time? watch the Webinar: MP4YouTubePresentation


Microsoft Sentinel enables you to use built-in rule templates, customize the templates for your environment, or create custom rules. The core of the rules is a KQL query; however, there is much more than that to configure in a rule.


To learn the procedure for creating rules, read the documentation. To learn how to write rules, i.e., what should go into a rule, focusing on KQL for rules, watch the webinar: MP4, YouTube, Presentation.


SIEM rules have specific patterns. Learn how to implement rules and write KQL for those patterns:  


To blog post "Blob and File Storage Investigations" provides a step by step example of writing a useful analytic rule.


Using built-in analytics


Short on time? watch the Machine Learning Webinar: MP4YouTubePresentation


Before embarking on your own rule writing, you should take advantage of the built-in analytics capabilities. Those do not require much from you, but it is worthwhile learning about them:


Module 9: Implementing SOAR


Watch the What’s New in Microsoft Sentinel Automation webinar: 
YouTubeMP4, Deck


In modern SIEMs such as Microsoft Sentinel, SOAR (Security Orchestration, Automation, and Response) comprises the entire process from the moment an incident is triggered and until it is resolved. This process starts with an incident investigation and continues with an automated response. The blog post "How to use Microsoft Sentinel for Incident Response, Orchestration and Automation" provides an overview of common use cases for SOAR.


Automation rules are the starting point for Microsoft Sentinel automation. They provide a lightweight method for central automated handling of incidents, including suppression, false-positive handling, and automatic assignment.


To provide robust workflow based automation capabilities, automation rules use Logic App playbooks:

You can find dozens of useful Playbooks in the Playbooks folder on the Microsoft Sentinel GitHub, or read "A playbook using a watchlist to Inform a subscription owner about an alert" for a Playbook walkthrough.


While Microsoft Sentinel is a cloud-native SIEM, its automation capabilities do extend to on-prem environments, either using the Logic Apps on-prem gateway or using Azure Automation as described in "Automatically disable On-prem AD User using a Playbook triggered in Azure"


Module 10: Workbooks, reporting, and visualization


Short on time? Watch the Webinar: YouTubeMP4Deck




As the nerve center of your SOC, you need Microsoft Sentinel to visualize the information it collects and produces. Use workbooks to visualize data in Microsoft Sentinel.


Workbooks can be interactive and enable much more than just charting. With Workbooks, you can create apps or extension modules for Microsoft Sentinel to complement built-in functionality. We also use workbooks to extend the features of Microsoft Sentinel. Few examples of such apps you can both use and learn from are:

You can find dozens of workbooks in the Workbooks folder in the Microsoft Sentinel GitHub. Some of those are available in the Microsoft Sentinel workbooks gallery and some are not. 


Reporting and other visualization options


Workbooks can serve for reporting. For more advanced reporting capabilities such as reports scheduling and distribution or pivot tables, you might want to use:


Module Y: Notebooks

Short on time? Watch the short introduction video

Go deeper? Watch the Azure Notebooks Fundamentals Webinar: YouTubeMP4Presentation

Want to become a Notebooks Ninja? Watch the Webinars:
1. Getting Started - YouTubeMP4Presentation
2. MSTICPy Fundamentals - YouTube
3. MSTICPy Intermediate - YouTube


Jupyter notebooks are fully integrated with Azure Sentinel. While usually considered an important tool in the hunter's tool chest and discussed the webinars in the hunting section below, their value is much broader. Notebooks can serve for advanced visualization, an investigation guide, and for sophisticated automation. 


To understand them better, watch the Introduction to notebooks video. Get started using the Notebooks webinar (YouTubeMP4, Presentation) or by reading the documentation. The Microsoft Sentinel Notebooks Ninja series is an ongoing training series to upskill you in Notebooks.


An important part of the integration is implemented by MSTICPY, a Python library developed by our research team for use with Jupyter notebooks that adds Azure Sentinel interfaces and sophisticated security capabilities to your notebooks.


Module 11: Use cases and solutions


Watch the Create Your Own Microsoft Sentinel Solutions webinar - YouTube, Deck.
Want more? Watch the Microsoft Sentinel Content Management webinar - YouTube, Deck.


Using connectors, rules, playbooks, and workbooks enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. You can deploy Sentinel built-in use cases by activating the suggested rules when connecting each Connector. A solution is a group of use cases addressing a specific threat domain.


The Webinar "Tackling Identity" (YouTubeMP4Presentation) explains what a use case is, how to approach its design, and presents several use cases that collectively address identity threats.


Another very relevant solution area is protecting remote work. Watch our ignite session on protection remote work, and read more on the specific use cases:


And lastly, focusing on recent attacks, learn how to monitor the software supply chain with Microsoft Sentinel.


Microsoft Sentinel solutions provide in-product discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Microsoft Sentinel. Read more about them here, and watch the webinar about how to create your own hereFor more about Sentinel content management in general, watch the Microsoft Sentinel Content Management webinar - YouTube, Deck.



Part 4: Operating


Module 12: Handling incidents


January 2023 update: 
Watch the Announcing the New Microsoft Sentinel Incident Investigation Experience! webinar: Youtube

Go deeper?
Decrease Your SOC'S MTTR (Mean Time to Respond) by Integrating Microsoft
Sentinel with Microsoft Teams webinar here: YouTube, Deck.

Short on time? Watch the "day in a life" Webinar: YouTubeMP4Deck


After building your SOC, you need to start using it. The "day in a SOC analyst life" webinar (YouTubeMP4Presentation) walks you through using Microsoft Sentinel in the SOC to triage, investigate and respond to incidents.


Integrating with Microsoft Teams directly from Microsoft Sentinel enables your teams to collaborate seamlessly across the organization, and with external stakeholders. Watch the Decrease Your SOC’s MTTR (Mean Time to Respond) by Integrating Microsoft Sentinel with Microsoft Teams webinar here.


You might also want to read the documentation article on incident investigation. As part of the investigation, you will also use the entity pages to get more information about entities related to your incident or identified as part of your investigation.


Incident investigation in Microsoft Sentinel extends beyond the core incident investigation functionality. We can build additional investigation tools using Workbooks and Notebooks (the latter are discussed later, under hunting). You can also build additional investigation tools or modify ours to your specific needs. Examples include: 


Module 13: Hunting


Short on time? watch the webinar Workbooks Deep Dive: YouTubeMP4Deck
(Note that the Webinar starts with an update on new features, to learn about hunting, start at slide 12. The YouTube 
link is already set to start there)

Go deeper? Watch the webinar What’s New in Microsoft’s Jupyter and Python Security Toolset: Youtube


While most of the discussion so far focused on detection and incident management, hunting is another important use case for Microsoft Sentinel. Hunting is a proactive search for threats rather than a reactive response to alerts. 


The hunting dashboard was recently refreshed in July 2021 and shows all the queries written by Microsoft's team of security analysts and any extra queries that you have created or modified. Each query provides a description of what it hunts for, and what kind of data it runs on. These templates are grouped by their various tactics - the icons on the right categorize the type of threat, such as initial access, persistence, and exfiltration. Read more about it here.


To understand more about what hunting is and how Microsoft Sentinel supports it, Watch the hunting intro Webinar (YouTubeMP4Deck). Note that the Webinar starts with an update on new features. To learn about hunting, start at slide 12. The YouTube link is already set to start there.


While the intro webinar focuses on tools, hunting is all about security. Our security research team webinar on hunting (MP4YouTubePresentation) focuses on how to actually hunt. The follow-up AWS Threat Hunting using Sentinel Webinar (MP4, YouTube, Presentation) really drives the point by showing an end-to-end hunting scenario on a high-value target environment. Lastly, you can learn how to do SolarWinds Post-Compromise Hunting with Microsoft Sentinel and WebShell hunting motivated by the latest recent vulnerabilities in on-premises Microsoft Exchange servers.


Module 14: User and Entity Behavior Analytics (UEBA)


Watch Present and Future of Users Entity Behavioral Analytics in Sentinel 
webinar: YouTube, Deck.

Short on time? Watch the Webinar:
YouTubeDeck , MP4


Microsoft Sentinel newly introduced User and Entity Behavior Analytics (UEBA) module enables you to identify and investigate threats inside your organization and their potential impact - whether a compromised entity or a malicious insider.


Learn more about UEBA in the UEBA Webinar (YouTubeDeck, MP4) and read about using UEBA for investigations in your SOC. 


Module 15: Monitoring Microsoft Sentinel's health


Short on time? watch the videos on monitoring connectors, 
security operations health or workspace audit.


Part of operating a SIEM is making sure it works smoothly and an evolving area in Azure Sentinel. Use the following to monitor Microsoft Sentinel's health:



Part 5: Advanced Topics


Module 16: Extending and Integrating using Microsoft Sentinel APIs


Short on time? watch the video (5 minutes)
Get deeper? Watch the Webinar: MP4YouTubePresentation


As a cloud-native SIEM, Microsoft Sentinel is an API first system. Every feature can be configured and used through an API, enabling easy integration with other systems and extending Sentinel with your own code. If API sounds intimidating to you, don't worry; whatever is available using the API is also available using PowerShell.


To learn more about Microsoft Sentinel APIs, watch the short introductory video and blog post. To get the details, watch the deep dive Webinar (MP4YouTubePresentation) and read the blog post  Extending Microsoft Sentinel: APIs, Integration, and management automation.


Module 17: Bring your own ML


Short on time? watch the video


Microsoft Sentinel provides a great platform for implementing your own Machine Learning algorithms. We call it Bring Your Own ML or BYOML for short. Obviously, this is intended for advanced users. If you are looking for built-in behavioral analytics, use our ML Analytic rules, UEBA module, or write your own behavioral analytics KQL based analytics rules.


To start with bringing your own ML to Microsoft Sentinel, watch the video, and read the blog post. You might also want to refer to the BYOML documentation


** Azure Sentinel became Microsoft Sentinel in Nov 2021. Although effort has been made to update the name throughout the ninja training, some webinars and presentations may still refer to Azure Sentinel rather than Microsoft Sentinel as they were created and recorded before the name change. **

Version history
Last update:
‎Dec 11 2023 07:14 AM
Updated by: