Microsoft Sentinel Resources
Below you will find content to help you build skills on Microsoft Sentinel. It is organized by increasing level of complexity (Fundamentals, then Associate), followed by other related resources.
May 2024 Update📰
- NEW: SOAR Capabilities in Microsoft Sentinel
- NEW: Continuously import Threat Intelligence (TI) Indicators in Microsoft Sentinel
- NEW: Migrate to Microsoft Sentinel with the new SIEM Migration Experience (Preview)
- NEW: Data Connectors: MMA (Log Analytics agent) vs AMA (Azure Monitor Agent)
- NEW: Data Connectors: AWS (legacy CloudTrail connector) vs AWS S3
- Before and After Archive Tier
- Before and After Data Collection Rules (DCRs)
- Updated Workbook for User and Entity Behavior Analytics (UEBA)
- Quality Assurance in Microsoft Sentinel: How to ensure accurate threat detections?
- MSFT Blog: New Playbooks with tasks for BEC, Ransomware, and Phishing investigations
Fundamentals
- Microsoft Sentinel Technical Playbook for MSSPs
- Microsoft Sentinel Pricing
- GitHub: Microsoft Sentinel Repository
- GitHub: KQL for Microsoft Sentinel Lab & Queries
- GitHub: Threat Hunting & Detecting using KQL Queries
Building a Demo Instance🚀
Use these resources to build a demo instance. Microsoft Sentinel can be enabled free of charge for the first 31 days on a new Log Analytics workspace (up to 10 GB/day of ingestion), so a lab can run for about a month at no cost.
- Microsoft Sentinel All In One -> Accelerate Microsoft Sentinel deployment and configuration with just a few clicks.
- GitHub: Microsoft Sentinel Training Lab
- Connect Microsoft Entra to Microsoft Sentinel
- GitHub: Possible Additional Data
- Microsoft Sentinel 2-Go is an open-source project that expedites the deployment of a Microsoft Sentinel lab together with the Azure resources it depends on
Ninja Trainings
- Microsoft Sentinel Ninja Training
- Microsoft Sentinel Automation Ninja Training
- Microsoft Defender Threat Intelligence Ninja Training
- Microsoft Sentinel Notebooks Ninja Training
Ingestion
- Microsoft Sentinel Migration: Select Target Azure Platform for Exported Data
- Microsoft Sentinel Migration: Select Data Ingestion Tool
- Community: Refactoring Data Ingestion Costs
- Find your Microsoft Sentinel Data Connector
- Resources for creating Microsoft Sentinel Custom Connectors
Retention
Microsoft Sentinel and Log Analytics ingest the following data at no cost, with 90 days of retention included:
- Azure Activity Logs
- Office 365 Audit Logs (e.g., SharePoint activity, Exchange activity, Teams)
- Alerts from Microsoft Defender products
- Azure Information Protection Alerts
- Microsoft Defender for IoT Alerts
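A quick way to confirm that the sources above really land in the workspace as non-billable, as an added KQL example (not part of the original list). It runs in the Sentinel workspace's Logs blade against the built-in Usage table, which records ingested volume per table in MB; the mapping of the free sources above to table names (AzureActivity, OfficeActivity, SecurityAlert) is my assumption for the illustration.

```kql
// Added example: split the last 30 days of ingestion into billable and free tables
// and flag any table that should be free per the list above but is being billed.
// Table names for the free sources are an assumption for this illustration.
let FreeTables = dynamic(["AzureActivity", "OfficeActivity", "SecurityAlert"]);
Usage
| where TimeGenerated > ago(30d)
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, IsBillable
| extend ExpectedFree = set_has_element(FreeTables, DataType)
| extend Note = case(
    ExpectedFree and IsBillable, "check: expected-free source is billed",
    not(ExpectedFree) and not(IsBillable), "free by source or plan",
    "")
| project DataType, IsBillable, IngestedGB, Note
| order by IsBillable desc, IngestedGB desc
```

Run it after the connectors have been ingesting for a day or two; rows with `IsBillable == true` drive the Sentinel and Log Analytics ingestion charges, while the free sources should all show `IsBillable == false`.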
Associate
- Design your Microsoft Sentinel Workspace Architecture
- MSFT Blog: Elevating Cybersecurity Intelligence with Microsoft Sentinel’s New Enrichment Widgets
Azure Lighthouse
- Delegate Access using Azure Lighthouse for a Sentinel POC
- Azure Lighthouse & Microsoft Sentinel: Assigning Access to Managed Identities in Customer Tenant
Build a Security Operations Center (SOC)
- MSSPs and Identity: Considerations for Tenant Architecture & Delegating Access to SOC analysts
- Protecting MSSP Intellectual Property in Microsoft Sentinel
KQL
SOAR
- STAT – The Microsoft Sentinel Triage Assistant (STAT) uses modular playbooks and a Logic App custom connector to simplify incident triage through reusable content
- Sample Integrations with Azure OpenAI