Microsoft Sentinel Resources

Below you will find content to assist in skilling on Microsoft Sentinel. Content is organized by increasing levels of complexity (Fundamentals, Associate) followed by other associated critical resources.

May 2024 Update📰

• NEW: SOAR Capabilities in Microsoft Sentinel
• NEW: Continuously import Threat Intelligence (TI) Indicators in Microsoft Sentinel
• NEW: Migrate to Microsoft Sentinel with the new SIEM Migration Experience (Preview)
• NEW: Data Connectors: MMA vs AMA
• NEW: Data Connectors: AWS vs AWS S3
• Before and After Archive Tier
• Before and After Data Collection Rules (DCRs)
• Updated Workbook for User and Entity Behavior Analytics (UEBA)
• Quality Assurance in Microsoft Sentinel: How to ensure accurate threat detections?
• MSFT Blog: New Playbooks with tasks for BEC, Ransomware, and Phishing investigations

Fundamentals

• Microsoft Sentinel Technical Playbook for MSSPs
• Microsoft Sentinel Pricing
• GitHub: Microsoft Sentinel Repository
• GitHub: KQL for Microsoft Sentinel Lab & Queries
• GitHub: Threat Hunting & Detecting using KQL Queries

Building a Demo. Instance🚀

Use these steps to build a demo instance; free for one month

1. Microsoft Sentinel All In One -> Accelerate Microsoft Sentinel deployment and configuration with just a few clicks.
2. GitHub: Microsoft Sentinel Training Lab
3. Connect Microsoft Entra to Microsoft Sentinel
4. GitHub: Possible Additional Data
   • Microsoft Sentinel 2-Go is an open-source project developed to expedite the deployment of a Microsoft Sentinel lab along with resources

Ninja Trainings

• Microsoft Sentinel Ninja Training
• Microsoft Sentinel Automation Ninja Training
• Microsoft Defender Threat Intelligence Ninja Training
• Microsoft Sentinel Notebooks Ninja Training

Ingestion

• Microsoft Sentinel Migration: Select Target Azure Platform for Exported Data
• Microsoft Sentinel Migration: Select Data Ingestion Tool
• Community: Refactoring Data Ingestion Costs
• Find your Microsoft Sentinel Data Connector
• Resources for creating Microsoft Sentinel Custom Connectors

Retention

• What is a free Azure Data Explorer Cluster?

Microsoft Sentinel and Log Analytics offer ingestion & 90-day retention of some data at no cost, including:

• Azure Activity Logs
• Office 365 Audit Logs (e.g., SharePoint activity, Exchange activity, Teams)
• Alerts from Microsoft Defender products
• Azure Information Protection Alerts
• Microsoft Defender for IoT Alerts

Associate

• Design your Microsoft Sentinel Workspace Architecture
• MSFT Blog: Elevating Cybersecurity Intelligence with Microsoft Sentinel’s New Enrichment Widgets

Azure Lighthouse

• Delegate Access using Azure Lighthouse for a Sentinel POC
• Azure Lighthouse & Microsoft Sentinel: Assigning Access to Managed Identities in Customer Tenant

Build a Security Operations Center (SOC)

• MSSPs and Identity: Considerations for Tenant Architecture & Delegating Access to SOC analysts
• Protecting MSSP Intellectual Property in Microsoft Sentinel

KQL

• MustLearnKQL Blog Series
• KQL Cheat Sheet
• KQL Search
• SQL to KQL Cheat Sheet

SOAR

• STAT – The Microsoft Sentinel Triage Assistant (STAT) uses modular playbooks and a Logic App Custom Connector to simplify the process through reusable content
• Sample Integrations with Azure OpenAI

MDTI

• MSFT Blog: Performing a Successful Proof of Concept (PoC)

Notebooks

• Get Started with Jupyter Notebooks & MSTICPy in Microsoft Sentinel