This overview is based on the blog post “Become an Azure Sentinel Ninja: The Complete Level 400 Training” created by Ofer Shezaf.
As not everyone has the same maturity level when starting their Azure Sentinel learning path, I created, with the help of Javier Soriano, a three-level (Beginner/Advanced/Expert) approach to get to the level you want, which is often related to your role in the organisation.
Table of contents
- Beginner (BDM, presales roles)
  - The Basics
  - Technical overview
  - Azure Sentinel role
- Advanced (Security Analyst)
  - Technical overview
  - Cloud architecture and multi-workspace/tenant support
  - Handling incidents
  - Hunting
- Expert (SOC engineer)
  - Technical overview
  - Cloud architecture and multi-workspace/tenant support
  - KQL
  - Write rules
  - Creating playbooks
  - Developing workbooks
  - Hunting
  - Automating and integrating
  - Deploying and Managing Azure Sentinel as Code
  - Roadmap - since it requires an NDA, contact your Microsoft account team for details.
  - Where to go next?
  - Extra Resources
Beginner (BDM, presales roles)
The Basics
- (The real beginning!) Azure Fundamentals Learning Path
- What is Azure Sentinel? - Introduction Video 1, Video 2
- Global prerequisites + create a Log Analytics workspace
- Enable Azure Sentinel
- Connect data sources
- Improve security with Azure Sentinel, a cloud-native SIEM and SOAR solution
Technical overview (Level 200)
If you want an initial overview of Azure Sentinel’s technical capabilities, start here:
- Webinar: Video
- Webinar: Presentation (updated)
Learn more
You can read more about the features described in the Webinar here:
Azure Sentinel role (Level 200)
What is the typical use case for Azure Sentinel? What are customers finding in it, and how is it priced? All of this is covered in this presentation.
Learn more:
- Azure Sentinel pricing calculator
- Azure Sentinel and Log Analytics pricing pages
Advanced (Security Analyst)
Technical overview (Level 200)
If you want an initial overview of Azure Sentinel’s technical capabilities, start here:
- Webinar: Video
- Webinar: Presentation (updated)
Learn more
You can read more about the features described in the Webinar here:
Cloud architecture and multi-workspace/tenant support
An Azure Sentinel instance is called a workspace. Multiple workspaces are often necessary, and they can act together as a single Azure Sentinel system. The first half of the following webinar discusses Azure Sentinel’s workspace architecture.
- Webinar: Video
- Webinar: Presentation
- MSSP and Distributed Organization Support
- Webinar: Video
- Webinar: Presentation
Learn more
- Learn how to manage Azure Sentinel using a CI/CD methodology and a GitHub repository in Deploying and Managing Azure Sentinel as Code, and how to extend this capability across workspaces and tenants using Azure Lighthouse.
- Use KQL queries across workspaces in Azure Sentinel to combine multiple workspaces into a single system.
- Use resource RBAC to enable multiple teams to use a single workspace.
- Use Azure Lighthouse to extend multi-workspace capabilities across tenants.
Handling incidents
After building your SOC, you need to start using it. Watch “A day in the life of a SOC analyst” to learn how to use Azure Sentinel in the SOC:
- Webinar: Video
- Webinar: Presentation
Hunting
Whatever your methodology and use case for hunting, Azure Sentinel is a great hunting platform.
- Hunting and Notebooks feature overview presentation
- Threat hunting webinar (Video) and presentations (Presentation 1, Presentation 2)
- Threat hunting revisited (Video, Presentation)
- Threat Hunting - AWS using Sentinel, webinar on April 22nd, register here
Learn more
- Why Use Jupyter for Security Investigations?
- Security Investigation with Azure Sentinel and Jupyter Notebooks (part 1, part 2, part 3)
- msticpy - Python Defender Tools
- What am I looking at? - Using Notebooks to gain situational awareness
- Explorer Notebook Series: The Linux Host Explorer
- Using Threat Intelligence in your Jupyter Notebooks
Expert (SOC engineer)
Technical overview (Level 200)
If you want an initial overview of Azure Sentinel’s technical capabilities, start here:
- Webinar: Video
- Webinar: Presentation (updated)
Learn more
You can read more about the features described in the Webinar here:
Cloud architecture and multi-workspace/tenant support
An Azure Sentinel instance is called a workspace. Multiple workspaces are often necessary, and they can act together as a single Azure Sentinel system. The first half of the following webinar discusses Azure Sentinel’s workspace architecture.
- Webinar: Video
- Webinar: Presentation
- MSSP and Distributed Organization Support
- Webinar: Video
- Webinar: Presentation
Learn more
- Learn how to manage Azure Sentinel using a CI/CD methodology and a GitHub repository in Deploying and Managing Azure Sentinel as Code, and how to extend this capability across workspaces and tenants using Azure Lighthouse.
- Use KQL queries across workspaces in Azure Sentinel to combine multiple workspaces into a single system.
- Use resource RBAC to enable multiple teams to use a single workspace.
- Use Azure Lighthouse to extend multi-workspace capabilities across tenants.
KQL
Most Azure Sentinel capabilities use KQL, the Kusto Query Language. Whether you search your logs, write rules, create hunting queries or build workbooks, you use KQL.
The KQL webinar is planned for June 2nd. Meanwhile, to learn KQL, use these resources:
Beyond KQL itself, applying it to Azure Sentinel requires understanding the table schemas that Azure Sentinel uses.
Write rules
- Webinar: Video
- Webinar: Presentation
Learn more
- Azure Sentinel correlation rules: Active Lists out; make_list() in, the AAD/AWS correlation example
- Azure Sentinel correlation rules: the join KQL operator
- Implementing Lookups in Azure Sentinel
- Using KQL functions to speed up analysis in Azure Sentinel
Writing rules also requires understanding the table schemas that Azure Sentinel uses.
Creating playbooks
Start with the presentation.
Learn more:
- Read about Logic Apps, the core technology driving Azure Sentinel playbooks.
- The Azure Sentinel Logic App connector is the link between Logic Apps and Azure Sentinel.
Developing workbooks
While we work on developing training materials for workbooks, start with the workbooks documentation.
You might also want to refer to these workbook examples:
Hunting
Whatever your methodology and use case for hunting, Azure Sentinel is a great hunting platform.
- Hunting and Notebooks feature overview presentation
- Threat hunting webinar (Video) and presentations (Presentation 1, Presentation 2)
- Threat hunting revisited (Video, Presentation)
- Threat Hunting - AWS using Sentinel, webinar on April 22nd, register here
Learn more
- Why Use Jupyter for Security Investigations?
- Security Investigation with Azure Sentinel and Jupyter Notebooks (part 1, part 2, part 3)
- msticpy - Python Defender Tools
- What am I looking at? - Using Notebooks to gain situational awareness
- Explorer Notebook Series: The Linux Host Explorer
- Using Threat Intelligence in your Jupyter Notebooks
Advanced Topics
Extending and integrating Azure Sentinel
- Webinar: Video
- Webinar: Presentation
- Blog post: Extending Azure Sentinel: APIs, Integration and management automation
Deploying and Managing Azure Sentinel as Code
Roadmap
Since roadmap information is provided under NDA, please reach out to your Microsoft account team to discuss an Azure Sentinel roadmap presentation.
Where do I go from here?
- Join our Private Previews program
- Ask, or answer others, on the Azure Sentinel Tech Community
- Submit feature requests using User voice
- Contribute or enhance rules, queries, workbooks, connectors and more to the community on the Azure Sentinel GitHub
- As a last resort, send an e-mail to AzureSentinel@microsoft.com
Extra Resources
- Build an Azure Sentinel Lab with prerecorded Data and a Custom Logs Pipe via ARM Templates 🚀 (Blog)
- Azure Sentinel’s Resources in one place! (Blog)
- PACKT: Learn Azure Sentinel (eBook/Print)
- MICROSOFT PRESS: Azure Sentinel Planning (eBook/Print)
- Implementing and Administering Azure Sentinel (Lynda.com)
- Step-by-Step Guide to Deploy Azure Sentinel (Blog)