(Last updated February 2023)
** Azure Sentinel became Microsoft Sentinel in Nov 2021. Although effort has been made to update the name throughout the ninja training, some webinars and presentations may still refer to Azure Sentinel rather than Microsoft Sentinel as they were created and recorded before the name change. **
In this blog post, we try to walk you through Microsoft Sentinel level 400 training and help you become a Microsoft Sentinel master.
Already did the Ninja Training? check what's new.
This training program includes 21 modules. The post includes a presentation for each module, preferably recorded (when still not, we are working on the recording) and supporting information: relevant product documentation, blog posts, and other resources.
The modules listed below are split into five groups following the life cycle of a SOC:
- Module 0: Other learning and support options
- Module 1: Get started with Microsoft Sentinel
- Module 2: How is Microsoft Sentinel used?
- Module 3: Workspace and tenant architecture
- Module 4: Data collection
- Module 5: Log Management
- Module 6: Enrichment: TI, Watchlists, and more
- Module W: Log transformation
- Module X: Migration
- Module Z: ASIM and Normalization
- Module 7: The Kusto Query Language (KQL)
- Module 8: Analytics
- Module 9: SOAR
- Module 10: Workbooks, reporting, and visualization
- Module Y: Notebooks
- Module 11: Use cases and solutions
- Module 12: A day in a SOC analyst's life, incident management, and investigation
- Module 13: Hunting
- Module 14: User and Entity Behavior Analytics (UEBA)
- Module 15: Monitoring Microsoft Sentinel's health
- Module 16: Extending and Integrating using Microsoft Sentinel APIs
- Module 17: Bring your own ML
The Ninja training is a level 400 training. If you don't want to go as deep or have a specific issue, other resources might be more suitable:
Think you're a true Sentinel Ninja? Take the knowledge check and find out. If you pass the
knowledge check with a score of over 80% you can request a certificate to prove your ninja
1. Take the knowledge check here.
2. If you score 80% or more in the knowledge check, request your participation certificate
here. If you achieved less than 80%, please review the questions that you got it wrong, study
more and take the assessment again.
Short on time? Watch the What’s Next in Microsoft Sentinel March 2022 update webinar:
Haven't looked at Sentinel recently? This webinar summarizes what's new in Sentinel
between May and Dec 2022. (Deck)
Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response (read more).
If you want to get an initial overview of Microsoft Sentinel's technical capabilities, the latest Ignite presentation is a good starting point. You might also find the Quick Start Guide to Microsoft Sentinel useful (requires registration). A more detailed overview, however somewhat dated, can be found in this webinar: MP4, YouTube, Presentation.
Lastly, want to try it yourself? The Microsoft Sentinel All-In-One Accelerator (blog, Youtube, MP4, deck) presents an easy way to get you started. To learn how to start yourself, review the onboarding documentation, or watch Insight's Sentinel setup and configuration video.
Thousands of organizations and service providers are using Microsoft Sentinel. As usual with security products, most do not go public about that. Still, there are some.
Many users use Microsoft Sentinel as their primary SIEM. Most of the modules in this course cover this use case. In this module, we present a few additional ways to use Microsoft Sentinel.
Use Sentinel and Microsoft 365 Defender in tandem to protect your Microsoft workloads, including Windows, Azure, and Office:
The cloud is (still) new and often not monitored as extensively as on-prem workloads. Read this presentation to learn how Microsoft Sentinel can help you close the cloud monitoring gap across your clouds.
Either for a transition period or a longer term, if you are using Microsoft Sentinel for your cloud workloads, you may be using Microsoft Sentinel alongside your existing SIEM. You might also be using both with a ticketing system such as Service Now.
There are three common scenarios for side by side deployment:
You can also send the alerts from Microsoft Sentinel to your 3rd party SIEM or ticketing system using the Graph Security API , which is simpler but would not enable sending additional data.
Since it eliminates the setup cost and is location agnostics, Microsoft Sentinel is a popular choice for providing SIEM as a service. You can find a list of MISA (Microsoft Intelligent Security Association) member MSSPs using Microsoft Sentinel. Many other MSSPs, especially regional and smaller ones, use Microsoft Sentinel but are not MISA members.
To start your journey as an MSSP, you should read the Microsoft Sentinel Technical Playbooks for MSSPs. More information about MSSP support is included in the next module, cloud architecture and multi-tenant support.
While the previous section offers options to start using Microsoft Sentinel in a matter of minutes, before you start a production deployment, you need to plan. This section walks you through the areas that you need to consider when architecting your solution, as well as provides guidelines on how to implement your design:
Short on time? Watch the Nic DiCola's Ignite presentation (first 11 Minutes)
Get Deeper? Watch the Webinar: MP4, YouTube, Presentation
A Microsoft Sentinel instance is called a workspace. The workspace is the same as a Log Analytics workspace and supports any Log Analytics capability. You can think of Sentinel as a solution that adds SIEM features on top of a Log Analytics workspace.
Multiple workspaces are often necessary and can act together as a single Microsoft Sentinel system. A special use case is providing service using Microsoft Sentinel, for example, by an MSSP (Managed Security Service Provider) or by a Global SOC in a large organization.
To learn more about why use multiple workspaces and use them as one Microsoft Sentinel system, read Extend Microsoft Sentinel across workspaces and tenants or, if you prefer, the Webinar version: MP4, YouTube, Presentation.
There are a few specific areas that require your consideration when using multiple workspaces:
The Microsoft Sentinel Technical Playbook for MSSPs provides detailed guidelines for many of those topics, and is useful also for large organizations, not just to MSSPs.
Watch the Codeless Connector Platform: Create your data connector in Microsoft Sentinel
webinar. Youtube, Deck.
Watch the Manage Your Log Lifecycle with New Methods for Ingestion, Archival, Search,
and Restoration webinar. YouTube, Deck.
Short on time? Watch the Nic DiCola's Ignite presentation (Mid 11 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4, Deck.
The foundation of a SIEM is collecting telemetry: events, alerts, and contextual enrichment information such as Threat Intelligence, vulnerability data, and asset information. You can find a list of sources you can connect here:
How you connect each source falls into several categories or source types. Each source type has a distinct setup effort but once deployed, it serves all sources of that type. The Grand List specifies for each source what its type is. To learn more about those categories, watch the Webinar (includes Module 3): YouTube, MP4, Deck.
The types are:
While how many and which workspaces to use is the first architecture question to ask, there are additional log management architectural decisions:
Watch the webinar: Manage Your Log Lifecycle with New Methods for Ingestion, Archival, Search, and Restoration, here.
This suite of features contains:
One of the important functions of a SIEM is to apply contextual information to the event steam, enabling detection, alert prioritization, and incident investigation. Contextual information includes, for example, threat intelligence, IP intelligence, host and user information, and watchlists.
Microsoft Sentinel provides comprehensive tools to import, manage, and use threat intelligence. For other types of contextual information, Microsoft Sentinel provides Watchlists, as well as alternative solutions.
Watch the Automate Your Microsoft Sentinel Triage Efforts with RiskIQ Threat
Intelligence webinar. YouTube. Deck.
Short on time? watch the Ignite session (28 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4, Presentation
Threat Intelligence is an important building block of a SIEM. Watch the Explore the Power of Threat Intelligence in Microsoft Sentinel webinar here
In Microsoft Sentinel, you can integrate threat intelligence (TI) using the built-in connectors from TAXII servers or through the Microsoft Graph Security API. Read more on how to in the documentation. Refer to the data collection modules for more information about importing Threat Intelligence.
Once imported, Threat Intelligence is used extensively throughout Microsoft Sentinel and is weaved into the different modules. The following features focus on using Threat Intelligence:
Watch the Use Watchlists to Manage Alerts, Reduce Alert Fatigue and improve
SOC efficiency webinar. YouTube, Deck.
Watch the Transforming Data at Ingestion Time in Microsoft Sentinel webinar. YouTube, Deck.
Get Deeper? Watch the Webinar: Manage Your Log Lifecycle with New Methods for Ingestion, Archival, Search, and Restoration. Youtube, Deck
Microsoft Sentinel supports two new features for data ingestion and transformation. These features, provided by Log Analytics, act on your data even before it's stored in your workspace.
The first of these features is the custom logs API. It allows you to send custom-format logs from any data source to your Log Analytics workspace, and store those logs either in certain specific standard tables, or in custom-formatted tables that you create. The actual ingestion of these logs can be done by direct API calls. You use Log Analytics data collection rules (DCRs) to define and configure these workflows.
The second feature is ingestion-time data transformation for standard logs. It uses DCRs to filter out irrelevant data, to enrich or tag your data, or to hide sensitive or personal information. Data transformation can be configured at ingestion time for the following types of built-in data connectors:
For more information, see:
Watch the Webinar: YouTube, MP4, Presentation
In many (if not most) cases, you already have a SIEM and need to migrate to Microsoft Sentinel. While it may be a good time to start over and rethink your SIEM implementation, it makes sense to utilize some of the assets you already built in your current implementation. To start watch our webinar describing best practices for converting detection rules from Splunk, QRadar, and ArcSight to Azure Sentinel Rules: YouTube, MP4, Presentation, blog.
You might also be interested in some of the resources presented in the blog:
Watch the Extend and Manage ASIM: Developing, Testing and Deploying Parsers
webinar: YouTube, Deck.
Watch the Advanced SIEM Information Model (ASIM): Now built into Microsoft Sentinel webinar:
Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.
The Advanced SIEM Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. Watch the Advanced SIEM Information Model (ASIM): Now built into Microsoft Sentinel webinar: YouTube, Deck.
The current implementation is based on query time normalization using KQL functions. And includes the following:
Using ASIM provides the following benefits:
What is Microsoft Sentinel's content?
Microsoft Sentinel security value is a combination of its built-in capabilities such as UEBA, Machine Learning, or out-of-the-box analytics rules and your capability to create custom capabilities and customize built-in ones. Customized SIEM capabilities are often referred to as "content" and include analytic rules, hunting queries, workbooks, playbooks, and more.
In this section, we grouped the modules that help you learn how to create such content or modify built-in-content to your needs. We start with KQL, the Lingua Franca of Azure Sentinel. The following modules discuss one of the content building blocks such as rules, playbooks, and workbooks. We wrap up by discussing use cases, which encompass elements of different types to address specific security goals such as threat detection, hunting, or governance.
Short on time? Start at the beginning and go as far as time allows.
Most Microsoft Sentinel capabilities use KQL or Kusto Query Language. When you search in your logs, write rules, create hunting queries, or design workbooks, you use KQL. Note that the next section on writing rules explains how to use KQL in the specific context of SIEM rules.
We suggest you follow this Sentinel KQL journey:
You might also find the following reference information useful as you learn KQL:
Short on time? watch the Webinar: MP4, YouTube, Presentation
Microsoft Sentinel enables you to use built-in rule templates, customize the templates for your environment, or create custom rules. The core of the rules is a KQL query; however, there is much more than that to configure in a rule.
To learn the procedure for creating rules, read the documentation. To learn how to write rules, i.e., what should go into a rule, focusing on KQL for rules, watch the webinar: MP4, YouTube, Presentation.
SIEM rules have specific patterns. Learn how to implement rules and write KQL for those patterns:
To blog post "Blob and File Storage Investigations" provides a step by step example of writing a useful analytic rule.
Short on time? watch the Machine Learning Webinar: MP4, YouTube, Presentation
Before embarking on your own rule writing, you should take advantage of the built-in analytics capabilities. Those do not require much from you, but it is worthwhile learning about them:
In modern SIEMs such as Microsoft Sentinel, SOAR (Security Orchestration, Automation, and Response) comprises the entire process from the moment an incident is triggered and until it is resolved. This process starts with an incident investigation and continues with an automated response. The blog post "How to use Microsoft Sentinel for Incident Response, Orchestration and Automation" provides an overview of common use cases for SOAR.
Automation rules are the starting point for Microsoft Sentinel automation. They provide a lightweight method for central automated handling of incidents, including suppression, false-positive handling, and automatic assignment.
To provide robust workflow based automation capabilities, automation rules use Logic App playbooks:
You can find dozens of useful Playbooks in the Playbooks folder on the Microsoft Sentinel GitHub, or read "A playbook using a watchlist to Inform a subscription owner about an alert" for a Playbook walkthrough.
While Microsoft Sentinel is a cloud-native SIEM, its automation capabilities do extend to on-prem environments, either using the Logic Apps on-prem gateway or using Azure Automation as described in "Automatically disable On-prem AD User using a Playbook triggered in Azure"
As the nerve center of your SOC, you need Microsoft Sentinel to visualize the information it collects and produces. Use workbooks to visualize data in Microsoft Sentinel.
Workbooks can be interactive and enable much more than just charting. With Workbooks, you can create apps or extension modules for Microsoft Sentinel to complement built-in functionality. We also use workbooks to extend the features of Microsoft Sentinel. Few examples of such apps you can both use and learn from are:
You can find dozens of workbooks in the Workbooks folder in the Microsoft Sentinel GitHub. Some of those are available in the Microsoft Sentinel workbooks gallery and some are not.
Workbooks can serve for reporting. For more advanced reporting capabilities such as reports scheduling and distribution or pivot tables, you might want to use:
Short on time? Watch the short introduction video
Go deeper? Watch the Azure Notebooks Fundamentals Webinar: YouTube, MP4, Presentation
Want to become a Notebooks Ninja? Watch the Webinars:
1. Getting Started - YouTube, MP4, Presentation
2. MSTICPy Fundamentals - YouTube
3. MSTICPy Intermediate - YouTube
Jupyter notebooks are fully integrated with Azure Sentinel. While usually considered an important tool in the hunter's tool chest and discussed the webinars in the hunting section below, their value is much broader. Notebooks can serve for advanced visualization, an investigation guide, and for sophisticated automation.
To understand them better, watch the Introduction to notebooks video. Get started using the Notebooks webinar (YouTube, MP4, Presentation) or by reading the documentation. The Microsoft Sentinel Notebooks Ninja series is an ongoing training series to upskill you in Notebooks.
An important part of the integration is implemented by MSTICPY, a Python library developed by our research team for use with Jupyter notebooks that adds Azure Sentinel interfaces and sophisticated security capabilities to your notebooks.
Watch the Create Your Own Microsoft Sentinel Solutions webinar - YouTube, Deck.
Want more? Watch the Microsoft Sentinel Content Management webinar - YouTube, Deck.
Using connectors, rules, playbooks, and workbooks enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. You can deploy Sentinel built-in use cases by activating the suggested rules when connecting each Connector. A solution is a group of use cases addressing a specific threat domain.
Another very relevant solution area is protecting remote work. Watch our ignite session on protection remote work, and read more on the specific use cases:
And lastly, focusing on recent attacks, learn how to monitor the software supply chain with Microsoft Sentinel.
Microsoft Sentinel solutions provide in-product discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Microsoft Sentinel. Read more about them here, and watch the webinar about how to create your own here. For more about Sentinel content management in general, watch the Microsoft Sentinel Content Management webinar - YouTube, Deck.
January 2023 update:
Watch the Announcing the New Microsoft Sentinel Incident Investigation Experience! webinar: Youtube
Go deeper? Decrease Your SOC'S MTTR (Mean Time to Respond) by Integrating Microsoft
Sentinel with Microsoft Teams webinar here: YouTube, Deck.
Short on time? Watch the "day in a life" Webinar: YouTube, MP4, Deck
After building your SOC, you need to start using it. The "day in a SOC analyst life" webinar (YouTube, MP4, Presentation) walks you through using Microsoft Sentinel in the SOC to triage, investigate and respond to incidents.
Integrating with Microsoft Teams directly from Microsoft Sentinel enables your teams to collaborate seamlessly across the organization, and with external stakeholders. Watch the Decrease Your SOC’s MTTR (Mean Time to Respond) by Integrating Microsoft Sentinel with Microsoft Teams webinar here.
You might also want to read the documentation article on incident investigation. As part of the investigation, you will also use the entity pages to get more information about entities related to your incident or identified as part of your investigation.
Incident investigation in Microsoft Sentinel extends beyond the core incident investigation functionality. We can build additional investigation tools using Workbooks and Notebooks (the latter are discussed later, under hunting). You can also build additional investigation tools or modify ours to your specific needs. Examples include:
Short on time? watch the webinar Workbooks Deep Dive: YouTube, MP4, Deck
(Note that the Webinar starts with an update on new features, to learn about hunting, start at slide 12. The YouTube
link is already set to start there)
Go deeper? Watch the webinar What’s New in Microsoft’s Jupyter and Python Security Toolset: Youtube
While most of the discussion so far focused on detection and incident management, hunting is another important use case for Microsoft Sentinel. Hunting is a proactive search for threats rather than a reactive response to alerts.
The hunting dashboard was recently refreshed in July 2021 and shows all the queries written by Microsoft's team of security analysts and any extra queries that you have created or modified. Each query provides a description of what it hunts for, and what kind of data it runs on. These templates are grouped by their various tactics - the icons on the right categorize the type of threat, such as initial access, persistence, and exfiltration. Read more about it here.
To understand more about what hunting is and how Microsoft Sentinel supports it, Watch the hunting intro Webinar (YouTube, MP4, Deck). Note that the Webinar starts with an update on new features. To learn about hunting, start at slide 12. The YouTube link is already set to start there.
While the intro webinar focuses on tools, hunting is all about security. Our security research team webinar on hunting (MP4, YouTube, Presentation) focuses on how to actually hunt. The follow-up AWS Threat Hunting using Sentinel Webinar (MP4, YouTube, Presentation) really drives the point by showing an end-to-end hunting scenario on a high-value target environment. Lastly, you can learn how to do SolarWinds Post-Compromise Hunting with Microsoft Sentinel and WebShell hunting motivated by the latest recent vulnerabilities in on-premises Microsoft Exchange servers.
Watch Present and Future of Users Entity Behavioral Analytics in Sentinel
webinar: YouTube, Deck.
Short on time? Watch the Webinar: YouTube, Deck , MP4
Microsoft Sentinel newly introduced User and Entity Behavior Analytics (UEBA) module enables you to identify and investigate threats inside your organization and their potential impact - whether a compromised entity or a malicious insider.
Short on time? watch the videos on monitoring connectors,
security operations health or workspace audit.
Part of operating a SIEM is making sure it works smoothly and an evolving area in Azure Sentinel. Use the following to monitor Microsoft Sentinel's health:
Short on time? watch the video (5 minutes)
Get deeper? Watch the Webinar: MP4, YouTube, Presentation
As a cloud-native SIEM, Microsoft Sentinel is an API first system. Every feature can be configured and used through an API, enabling easy integration with other systems and extending Sentinel with your own code. If API sounds intimidating to you, don't worry; whatever is available using the API is also available using PowerShell.
To learn more about Microsoft Sentinel APIs, watch the short introductory video and blog post. To get the details, watch the deep dive Webinar (MP4, YouTube, Presentation) and read the blog post Extending Microsoft Sentinel: APIs, Integration, and management automation.
Short on time? watch the video
Microsoft Sentinel provides a great platform for implementing your own Machine Learning algorithms. We call it Bring Your Own ML or BYOML for short. Obviously, this is intended for advanced users. If you are looking for built-in behavioral analytics, use our ML Analytic rules, UEBA module, or write your own behavioral analytics KQL based analytics rules.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.