I have been delivering level 400 Azure Sentinel training for a while, and over time most of the training modules were recorded as webinars. In this blog post, I try to walk you through the Azure Sentinel level 400 training and help you become an Azure Sentinel master.

Already did the Ninja training? Focus only on recent updates!

Curriculum

This training program includes 16 modules. For each module, the post includes a presentation, preferably recorded (where a recording is not yet available, we are working on it), as well as supporting information: relevant product documentation, blog posts, and other resources.

The modules listed below are split into five groups following the life cycle of a SOC:

Overview

- Module 1: Technical overview

- Module 2: Azure Sentinel role

Designing Your Deployment

- Module 3: Cloud architecture and multi-workspace/tenant support

- Module 4: Collecting events

- Module 5: Log Management

- Module 6: Integrating threat intelligence

Creating Content

- Module 7: Kusto Query Language (KQL) - the starting point

- Module 8: Writing rules to implement detection

- Module 9: Creating playbooks to implement SOAR

- Module 10: Creating workbooks to implement dashboards and apps

- Module 11: Implementing use cases

Security Operations

- Module 12: A day in a SOC analyst's life, incident management, and investigation

- Module 13: Hunting

Advanced Topics

- Module 14: Automating and integrating

- Module 15: Roadmap - since it requires an NDA, contact your Microsoft contact for details.

- Module 16: Where to go next?

What you will not find here

Basic procedures, including onboarding Azure Sentinel and connecting data sources, are best described in the documentation.

Module 1: Technical overview

Module 2: How is Azure Sentinel used?

Module 3: Cloud architecture and multi-workspace/tenant support

An Azure Sentinel instance is called a workspace. Multiple workspaces are often necessary and can act together as a single Azure Sentinel system. A special use case is providing a service using Azure Sentinel, for example by an MSSP (Managed Security Service Provider) or by a global SOC in a large organization.

Module 4: Collecting events

Module 5: Log Management

We are working on a presentation for this module; in the meantime, here are some important pointers for learning more:

Storage Management

Logs Security

Visualization and analysis

Module 6: Threat Intelligence

Module 7: KQL

Most Azure Sentinel capabilities use KQL (Kusto Query Language). When you search your logs, write rules, create hunting queries, or create workbooks, you use KQL. We suggest you follow this Sentinel KQL journey:

Pluralsight KQL course - the basics

Pluralsight Advanced KQL course

The Azure Sentinel KQL Lab:

an interactive lab teaching KQL, focusing on what you need for Azure Sentinel: Deck, Lab URL;

A Jupyter Notebooks version contributed by jjsantanna, which lets you test the queries within the notebook.

Learning webinar: Youtube, MP4;

Reviewing lab solutions webinar: YouTube, MP4

Optimizing Azure Sentinel KQL queries performance: YouTube, MP4, Deck

Continue with module 8 below, on how to write rules, and module 11, which brings many useful examples.

Module 8: Write rules

Module 9: Creating playbooks

Module 10: Workbooks, reporting and visualization

Module 11: Use cases

Using connectors, rules, playbooks, and workbooks together enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. This module focuses on helping you build use cases from the building blocks discussed so far.

Module 12: Handling incidents

After building your SOC, you need to start using it. Watch the "A day in a SOC analyst's life" webinar to learn how to use Azure Sentinel in the SOC: YouTube, MP4, Presentation

Module 13: Hunting

Whatever your methodology and use case for hunting, Azure Sentinel is a great hunting platform.

Module 14: Extending and integrating Azure Sentinel

Module 15: Roadmap

Since roadmap information is provided under NDA, please reach out to your Microsoft account team to discuss an Azure Sentinel roadmap presentation.

Module 16: Where do I go from here?