Become an Azure Sentinel Ninja: The complete level 400 training

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

I have been delivering level 400 Azure Sentinel training for a while, and over time most of the training modules were recorded as webinars. In this blog post, I walk you through the Azure Sentinel level 400 training and help you become an Azure Sentinel master.

Curriculum

[Image: Curriculum.jpg]

This training program includes 16 modules. For each module, the post includes a presentation, preferably recorded (where a recording does not exist yet, we are working on it), as well as supporting information: relevant product documentation, blog posts, and other resources.

The modules listed below are split into five groups following the life cycle of a SOC:

Overview

- Module 1: Technical overview

- Module 2: Azure Sentinel role

Designing Your Deployment

- Module 3: Cloud architecture and multi-workspace/tenant support

- Module 4: Collecting events

- Module 5: Log Management

- Module 6: Integrating threat intelligence

Creating Content

- Module 7: Kusto Query Language (KQL) - the starting point

- Module 8: Writing rules to implement detection

- Module 9: Creating playbooks to implement SOAR

- Module 10: Creating workbooks to implement dashboards and apps

- Module 11: Implementing use cases

Security Operations

- Module 12: A day in a SOC analyst's life, incident management, and investigation

- Module 13: Hunting

Advanced Topics

- Module 14: Automating and integrating

- Module 15: Roadmap - since it requires an NDA, contact your Microsoft account team for details.

- Module 16: Where to go next?

What will you not find here?

Module 1: Technical overview

Start here

If you want an initial overview of Azure Sentinel's technical capabilities, start with this presentation. It also serves as the Azure Sentinel Level 200 presentation:

Learn more

You can read more about the features described in the Webinar here:

Module 2: Azure Sentinel role

Still at level 200: what are the typical uses for Azure Sentinel? What are customers finding in it, and how is it priced? All of this is covered in this presentation.

Learn more:

Module 3: Cloud architecture and multi-workspace/tenant support

An Azure Sentinel instance is called a workspace. Multiple workspaces are often necessary and can act together as a single Azure Sentinel system. The first half of the Webinar linked below discusses Azure Sentinel's workspace architecture.

Start here

  • Webinar (includes Module 4): MP4 / YouTube
  • Presentation (includes Module 4)
  • You may also want to register for the MSSP and distributed organization webinar on April 20th here.

Learn more

Module 4: Collecting events

Start here

Learn more

Module 5: Log Management

We are working on a presentation for this module; meanwhile, here are some important pointers to learn more from:

Module 6: Threat Intelligence

Module 7: KQL

Most Azure Sentinel capabilities use KQL, the Kusto Query Language. When you search your logs, write rules, create hunting queries or create workbooks, you use KQL.

The KQL Webinar is planned for June 2nd. Meanwhile, to learn KQL, use these resources:

Beyond KQL itself, applying it to Azure Sentinel requires understanding the table schemas that Azure Sentinel uses.

Module 8: Write rules

Start here

Learn more

Writing rules also requires understanding the table schemas used by Azure Sentinel.

Module 9: Creating playbooks

Start with the presentation.

Learn more:

Module 10: Developing workbooks

As we work to develop training materials for workbooks, start with the workbooks documentation.

You might also want to refer to these workbook examples:

Module 11: Use cases

Using connectors, rules, playbooks, and workbooks together enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a specific threat. This module focuses on helping you build use cases from the building blocks discussed so far.

Start Here

The Webinar "Tackling Identity" focuses on identity threat use cases:

Learn more

Other use cases that you can use as-is, or as examples for developing your own, are:

Module 12: Handling incidents

Start Here

After building your SOC, you need to start using it. Watch "A day in a SOC analyst's life" to learn how to use Azure Sentinel in the SOC:

Module 13: Hunting

Whatever your hunting methodology and use case, Azure Sentinel is a great hunting platform.

Start here

Learn more

Module 14: Extending and integrating Azure Sentinel

Module 15: Roadmap

Since roadmap information is provided under NDA, please reach out to your Microsoft account team to arrange an Azure Sentinel roadmap presentation.

Module 16: Where do I go from here?
