I have been delivering Azure Sentinel level 400 training for a while, and over time most of the training modules were recorded as webinars. In this blog post, I walk you through the Azure Sentinel level 400 training and help you become an Azure Sentinel master.
Already did the Ninja training? Focus only on the recent updates!
This training program includes 16 modules. For each module, the post includes a presentation, preferably recorded (where it is not yet, we are working on the recording), as well as supporting information: relevant product documentation, blog posts, and other resources.
The modules listed below are split into five groups following the life cycle of a SOC:
– Module 1: Technical overview
– Module 2: Azure Sentinel role
Designing Your Deployment
– Module 3: Cloud architecture and multi-workspace/tenant support
– Module 4: Collecting events
– Module 5: Log Management
– Module 6: Integrating threat intelligence
– Module 7: Kusto Query Language (KQL) – the starting point
– Module 8: Writing rules to implement detection
– Module 9: Creating playbooks to implement SOAR
– Module 10: Creating workbooks to implement dashboards and apps
– Module 11: Implementing use cases
– Module 12: A day in a SOC analyst’s life, incident management, and investigation
– Module 13: Hunting
– Module 14: Automating and integrating
– Module 15: Roadmap – since it requires an NDA, contact your Microsoft contact for details.
– Module 16: Where to go next?
What will you not find here?
Module 1: Technical overview
If you want an initial overview of Azure Sentinel’s technical capabilities, start with this presentation. It also serves as the Azure Sentinel Level 200 presentation:
Want only a bird’s-eye view?
If you just want to understand what Azure Sentinel is, my favorite starting point is Sarah Young’s laid-back video interview on Azure Sentinel. Adwait Joshi and Ram Shankar’s series is also good to watch:
Module 2: How is Azure Sentinel used?
Start here: still at level 200, what are the typical uses for Azure Sentinel? What are customers finding in it, and also, how is it priced? All in this presentation.
As part of the Microsoft Security stack
The side-by-side use case
The MSSP use case
Most information about MSSP support is included in the next module, cloud architecture and multi-tenant support. In addition, MSSPs will find this useful:
Learn from users
Thousands of organizations and service providers are using Azure Sentinel. As usual with security products, most do not go public about that. Still, there are some.
Learn from analysts
Module 3: Cloud architecture and multi-workspace/tenant support
An Azure Sentinel instance is called a workspace. Multiple workspaces are often necessary and can act together as a single Azure Sentinel system. A special use case is providing service using Azure Sentinel, for example by an MSSP (Managed Security Service Provider) or by a Global SOC in a large organization.
Module 4: Collecting events
Module 5: Log Management
We are working on a presentation for this module; meanwhile, here are some important pointers to learn more from:
- Using Azure Data Explorer for long-term retention of Azure Sentinel logs; if you want to use another system for long-term retention, export from Azure Sentinel / Log Analytics to Azure Storage or an Event Hub.
- Move logs to long-term storage using Logic Apps
- Set fine-grained retention periods using table-level retention settings (and documentation)
- Manage access to data using table-level RBAC
- Use resource RBAC to enable multiple teams to use a single workspace.
- Manage PII: delete data from your workspaces
- Audit queries: documentation and a blog on how to use them
Visualization and analysis
Module 6: Threat Intelligence
Module 7: KQL
Most Azure Sentinel capabilities use KQL, the Kusto Query Language. When you search your logs, write rules, create hunting queries, or create workbooks, you use KQL. We suggest you follow this Sentinel KQL journey:
Pluralsight KQL course – the basics
The Azure Sentinel KQL Lab:
- An interactive lab teaching KQL, focusing on what you need for Azure Sentinel: Deck, Lab URL;
- A Jupyter Notebooks version contributed by jjsantanna, which lets you test the queries within the notebook.
- Learning webinar: YouTube, MP4;
- Reviewing lab solutions webinar: YouTube, MP4
Continue with module 8 below, on how to write rules, and module 11, which brings many useful examples.
- KQL Cheat Sheet
- In addition to KQL itself, applying it to Azure Sentinel requires understanding the schema Azure Sentinel uses for key Microsoft and 3rd-party sources and for most other Azure sources
- Functions: Using KQL functions to speed up analysis in Azure Sentinel and Enriching Windows Security Events with Parameterized Functions
Module 8: Write rules
Module 9: Creating playbooks
Module 10: Workbooks, reporting and visualization
Start here: watch the webinar: YouTube, MP4, Deck
We have some really cool workbooks that you can use, and that you can also learn from to build your own:
Module 11: Use cases
Using connectors, rules, playbooks, and workbooks together enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. This module focuses on helping you build use cases from the building blocks discussed so far.
Other use cases you can use as examples for developing your own or use as-is are:
Use cases focus: working from home
Module 12: Handling incidents
Module 13: Hunting
Whatever your methodology and use case for hunting, Azure Sentinel is a great hunting platform.
(Note that the webinar starts with an update on new features; to learn about hunting, start at slide 12. The YouTube link is already set to start there.)
Module 14: Extending and integrating Azure Sentinel
API usage examples
Module 15: Roadmap
Since roadmap information is provided under NDA, please reach out to your Microsoft account team to discuss an Azure Sentinel roadmap presentation.
Module 16: Where do I go from here?
- Join our Private Previews program
- Keep track of what’s new
- Ask, or answer others, on the Azure Sentinel Tech Community
- Premier customer? You might want the on-site (or remote, these days) Azure Sentinel Fundamentals 5-day workshop.
- Submit feature requests using UserVoice
- Contribute or enhance rules, queries, workbooks, connectors and more to the community on the Azure Sentinel GitHub
- As a last resort, send an e-mail to AzureSentinel@microsoft.com