This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
I have been delivering Azure Sentinel level 400 training for a while, and over time most of the training modules have been recorded as webinars. In this blog post, I walk you through the Azure Sentinel level 400 training to help you become an Azure Sentinel master.
Curriculum
This training program includes 16 modules. For each module, the post includes a presentation, preferably recorded (where it is not yet, we are working on the recording), as well as supporting information: relevant product documentation, blog posts, and other resources.
The modules listed below are split into five groups following the life cycle of a SOC:
Overview
- Module 1: Technical overview
- Module 2: Azure Sentinel role
Designing Your Deployment
- Module 3: Cloud architecture and multi-workspace/tenant support
- Module 4: Collecting events
- Module 5: Log Management
- Module 6: Integrating threat intelligence
Creating Content
- Module 7: Kusto Query Language (KQL) - the starting point
- Module 8: Writing rules to implement detection
- Module 9: Creating playbooks to implement SOAR
- Module 10: Creating workbooks to implement dashboards and apps
- Module 11: Implementing use cases
Security Operations
- Module 12: A day in a SOC analyst's life, incident management, and investigation
- Module 13: Hunting
Advanced Topics
- Module 14: Automating and integrating
- Module 15: Roadmap - since it requires an NDA, contact your Microsoft account team for details.
- Module 16: Where to go next?
What you will not find here
- Basic procedures, including onboarding Azure Sentinel and connecting data sources, are best described in the documentation.
Module 1: Technical overview
Start here
Start with this module if you want an initial overview of Azure Sentinel's technical capabilities. The presentation also serves as the Azure Sentinel Level 200 presentation:
- Webinar: MP4, YouTube
- Presentation (updated)
Learn more
You can read more about the features described in the Webinar here:
Module 2: Azure Sentinel role
Still at level 200: what are the typical uses for Azure Sentinel, what do customers find in it, and how is it priced? All in this presentation.
Learn more:
- Azure Sentinel pricing calculator
- Azure Sentinel and Log Analytics pricing pages
Module 3: Cloud architecture and multi-workspace/tenant support
An Azure Sentinel instance is called a workspace. Multiple workspaces are often necessary and can act together as a single Azure Sentinel system. The first half of the webinar below discusses Azure Sentinel's workspace architecture.
Start here
- Webinar (includes Module 4): MP4, YouTube
- Presentation (includes Module 4)
- You may also want to register for the MSSP and distributed organization webinar on April 20th here.
Learn more
- Learn how to manage Azure Sentinel using a CI/CD methodology and a GitHub repository in Deploying and Managing Azure Sentinel as Code, and extend this capability across workspaces and tenants using Azure Lighthouse.
- Use cross-workspace KQL queries in Azure Sentinel to combine multiple workspaces into a single system.
- Use resource RBAC to enable multiple teams to use a single workspace.
- Use Azure Lighthouse to extend multi-workspace capabilities across tenants.
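As an added example that is not part of the original post or the articles it links, here is a single KQL query that treats two workspaces as one system, which is the cross-workspace capability this module describes. The workspace names "soc-prod-eu" and "soc-prod-us" are placeholders I made up; replace them with your own names, or with the workspace's full resource ID where a bare name would be ambiguous across subscriptions.

```kql
// Added example (not from the original post): one query spanning two Sentinel
// workspaces. The workspace names are assumptions; substitute your own.
// The query runs from either workspace, or from a third one, as long as the
// caller has read access to all of them (resource RBAC in one tenant, or an
// Azure Lighthouse delegation across tenants).
union isfuzzy=true
    (workspace("soc-prod-eu").SecurityEvent | extend Source = "eu"),
    (workspace("soc-prod-us").SecurityEvent | extend Source = "us")
| where TimeGenerated > ago(1h)
| where EventID == 4625                      // Windows failed logon
| summarize
    FailedLogons = count(),
    Workspaces   = make_set(Source),         // which workspaces saw the activity
    Hosts        = make_set(Computer)
  by Account, IpAddress
| where FailedLogons > 20                    // illustrative threshold, not tuned
| order by FailedLogons desc
```

`union isfuzzy=true` keeps the query running when one of the named workspaces does not have the SecurityEvent table (a workspace that only collects Syslog, say); without it, the missing table fails the whole query. Keep in mind that the query only succeeds where the caller holds read permission on every workspace it names, which is exactly where the resource RBAC and Lighthouse material in this module comes in.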
Module 4: Collecting events
Start here
- Webinar (includes Module 3): MP4, YouTube
- Presentation (includes Module 3)
Learn more
- Formal documentation about the built-in connectors
- Syslog, CEF and other 3rd party connectors grand list
- Collecting telemetry from on-prem and IaaS servers using the Log Analytics agent
- Creating Custom Connectors
Module 5: Log Management
We are working on a presentation for this module. Meanwhile, here are some important pointers to learn more from:
- Manage access to data using table-level RBAC
- Set fine-grained retention periods using table-level retention settings
- Manage PII by deleting data from your workspaces
Module 6: Threat Intelligence
Start here:
- Webinar: YouTube, MP4
- Presentation
- The blog post "bring your threat intelligence to Azure Sentinel."
Learn more
- Use TAXII to connect X-Force threat intelligence
- Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel
Module 7: KQL
Most Azure Sentinel capabilities use KQL, the Kusto Query Language. When you search your logs, write rules, create hunting queries, or build workbooks, you use KQL.
The KQL Webinar is planned for June 2nd. Meanwhile, to learn KQL, use these resources:
Applying KQL to Azure Sentinel also requires understanding the table schemas Azure Sentinel uses.
Module 8: Write rules
Start here
- Webinar: MP4, YouTube
- Presentation (updated)
Learn more
- Azure Sentinel correlation rules: Active Lists out; make_list() in, the AAD/AWS correlation example
- Azure Sentinel correlation rules: the join KQL operator
- Implementing Lookups in Azure Sentinel
- Using KQL functions to speed up analysis in Azure Sentinel
Writing rules also requires understanding the table schemas Azure Sentinel uses.
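The following is an added example, not code from the original post or from the correlation-rule articles linked above, and it serves both Module 7 (KQL against Sentinel's table schemas) and Module 8 (a correlation rule built with `make_set` and `join`). It is written in the shape of a scheduled analytics rule over the SigninLogs table: find source IPs that fail against many accounts and then succeed against one of them. The 1-hour lookback and the thresholds (5 accounts, 10 failures) are assumptions for illustration, not tuned values.

```kql
// Added example (not from the original post): correlation over Azure AD
// SigninLogs. Assumes the rule runs hourly with a 1-hour lookback; thresholds
// are illustrative. In SigninLogs, ResultType "0" means a successful sign-in.
let lookback = 1h;
// Left side: IPs with spray-like failure patterns, one row per IP.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize
        Failures       = count(),
        TargetAccounts = make_set(UserPrincipalName, 50),   // cap the array size
        FirstFailure   = min(TimeGenerated)
      by IPAddress
    | where array_length(TargetAccounts) >= 5 or Failures >= 10;
// Right side: every successful sign-in in the window, keyed by the same IP.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress,
              CompromisedAccount = UserPrincipalName, AppDisplayName;
failures
| join kind=inner successes on IPAddress      // state the join kind explicitly
| where SuccessTime > FirstFailure            // the success must follow the spray
| project SuccessTime, IPAddress, CompromisedAccount, AppDisplayName,
          Failures, TargetAccounts
| extend AccountCustomEntity = CompromisedAccount,  // columns to map to the
         IPCustomEntity      = IPAddress            // Account and IP entities
```

Two points a rule author should carry away: the default `join` flavour in Kusto is `innerunique`, which silently drops duplicate keys on the left side, so always write the kind you mean; and the time comparison after the join is what turns "same IP appears in both sets" into an actual sequence of events. The last `extend` just gives the rule wizard stable column names to map to the Account and IP entities.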
Module 9: Creating playbooks
Start with the presentation.
Learn more:
- Read about Logic Apps, which is the core technology driving Azure Sentinel playbooks.
- The Azure Sentinel Logic App connector is the link between Logic Apps and Azure Sentinel.
Module 10: Developing workbooks
As we work to develop training materials for workbooks, start with the workbooks documentation.
You might also want to refer to these workbook examples:
Module 11: Use cases
Using connectors, rules, playbooks, and workbooks together enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. This module focuses on helping you build use cases from the building blocks discussed so far.
Start Here
The Webinar "Tackling Identity" focuses on identity threat use cases:
- Webinar: YouTube, MP4
- Presentation
Learn more
Other use cases you can use as-is, or as examples for developing your own:
- Performing Additional Security Monitoring of High-Value Accounts
- See the Azure Sentinel GitHub repository for a comprehensive collection of use cases.
- Azure Sentinel Insecure Protocols Dashboard Implementation Guide
- Audit Scheduled tasks using Azure Sentinel
- Sentinel ATT&CK detection rules and presentation.
- Time series visualization of Palo Alto logs to detect data exfiltration
- Use Azure Monitor Workbooks to map Sentinel data
Module 12: Handling incidents
Start Here
After building your SOC, you need to start using it. Watch "A day in a SOC analyst's life" to learn how to use Azure Sentinel in the SOC:
- Webinar: MP4, YouTube
- Presentation
Module 13: Hunting
Whatever your methodology and use case for hunting, Azure Sentinel is a great hunting platform.
Start here
- Hunting and Notebooks feature overview presentation.
- Threat hunting webinar (MP4, YouTube) and presentations (Deck 1, Deck 2)
- Threat hunting revisited (MP4, YouTube, Presentation)
- Threat Hunting - AWS using Sentinel, webinar on April 22nd, register here.
Learn more
- Why Use Jupyter for Security Investigations?
- Security Investigation with Azure Sentinel and Jupyter Notebooks (part 1, part 2, part 3)
- msticpy - Python Defender Tools
- What am I looking at? - Using Notebooks to gain situational awareness
- Explorer Notebook Series: The Linux Host Explorer
- Using Threat Intelligence in your Jupyter Notebooks
Module 14: Extending and integrating Azure Sentinel
- Webinar: MP4, YouTube
- Presentation (updated)
- Blog post: Extending Azure Sentinel: APIs, Integration and management automation
Module 15: Roadmap
Since roadmap information is provided under NDA, please reach out to your Microsoft account team to discuss an Azure Sentinel roadmap presentation.
Module 16: Where do I go from here?
- Join our Private Previews program
- Ask, or answer others, on the Azure Sentinel Tech Community
- Submit feature requests using UserVoice
- Contribute or enhance rules, queries, workbooks, connectors and more to the community on the Azure Sentinel GitHub
- As a last resort, send an e-mail to AzureSentinel@microsoft.com