Microsoft Sentinel Resources
Below you will find resources to help you upskill on Microsoft Sentinel. Content is arranged in increasing order of complexity (Fundamentals, then Associate), followed by other essential resources grouped by topic.
September 2024 Update📰
- NEW: Optimize Costs using Auxiliary Logs for Verbose Logging – Auxiliary Logs = Basic Logs + Archive Tier
- NEW: SIEM Migration Update: Now Migrate with Contextual Depth in translations with Microsoft Sentinel – The SIEM Migration Experience now supports schema mapping and translates Splunk macros and lookups together with the searches that reference them
- NEW: Hunting with Microsoft Graph activity logs – Microsoft Graph is the unified REST API endpoint for Microsoft 365, Enterprise Mobility + Security and Windows services; its activity logs record the HTTP requests the API received and processed for a tenant, which makes them a useful source for hunting abuse of those services through the API
- NEW: Announcing Microsoft Sentinel All-in-One v2 – Microsoft Sentinel All-in-One helps customers and partners quickly deploy a ready-to-use Microsoft Sentinel environment
- Hunting for MFA manipulations in Entra ID tenants using KQL – Not Sentinel-specific, but shows how to use KQL to detect and investigate modifications to MFA properties in Microsoft Entra audit logs
- Migrate to Microsoft Sentinel with the new SIEM Migration Experience (Preview)
- Data Connectors: MMA vs AMA
- Data Connectors: AWS vs AWS S3
- Before and After Archive Tier
- Before and After Data Collection Rules (DCRs)
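As an added example (written for this page, not code from the blog post above or from Microsoft), the two queries below show the shape of an MFA-manipulation hunt against the AuditLogs table that the Microsoft Entra ID data connector populates in a Sentinel workspace. The StrongAuthentication* property names and the "security info" operation names are the ones the Entra audit log uses for per-user MFA settings and combined security-info registration; the seven-day lookback and the output column names are assumptions you can change.

```kql
// Added example: hunt for changes to per-user MFA settings in Entra audit logs.
// Assumes the Microsoft Entra ID connector is streaming AuditLogs into Sentinel.
// Query 1: "Update user" events whose modified properties touch StrongAuthentication*
// (the per-user MFA state and registered methods). Shows who changed what, from where.
AuditLogs
| where TimeGenerated > ago(7d)                 // assumption: adjust to your hunt cadence
| where OperationName == "Update user"
| extend Actor = iff(isnotempty(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
| extend Target = tostring(TargetResources[0].userPrincipalName)
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) startswith "StrongAuthentication"
| project TimeGenerated, Result, Actor, ActorIp, Target,
          Property = tostring(Prop.displayName),
          OldValue = tostring(Prop.oldValue),
          NewValue = tostring(Prop.newValue)
| order by TimeGenerated desc

// Query 2: security-info registration, deletion and default-method changes, grouped
// per actor/target pair and flagging changes made by someone other than the target
// user (admin-initiated or delegated changes deserve a second look).
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName contains "security info"
| extend Actor = iff(isnotempty(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend ActorIsTarget = tolower(Actor) == tolower(Target)
| summarize Events = count(),
            Operations = make_set(OperationName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Target, Actor, ActorIp, ActorIsTarget, Result
| order by ActorIsTarget asc, Events desc
```

Run each query on its own in the Logs blade (the editor executes the query under the cursor). Rows where ActorIsTarget is false, where an Update user event cleared a StrongAuthentication* value, or where registration came from an IP address the target has never signed in from are the ones worth pivoting on in SigninLogs.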
Fundamentals
- Microsoft Sentinel Technical Playbook for MSSPs
- Microsoft Sentinel Pricing Calculator v2
- Microsoft Sentinel Pricing
- GitHub: Microsoft Sentinel Repository
- GitHub: KQL for Microsoft Sentinel Lab & Queries
- GitHub: Threat Hunting & Detecting using KQL Queries
Building a Demo Instance🚀
Use these steps to build a demo instance; Microsoft Sentinel is free for the first 31 days on a new Log Analytics workspace (ingestion beyond the trial's daily allowance is billed, so keep lab data small)
- Microsoft Sentinel All In One – Accelerate Microsoft Sentinel deployment and configuration with just a few clicks.
- GitHub: Microsoft Sentinel Training Lab
- Connect Microsoft Entra to Microsoft Sentinel
Ninja Trainings
- Microsoft Sentinel Ninja Training
- Microsoft Sentinel Automation Ninja Training
- Microsoft Defender Threat Intelligence Ninja Training
- Microsoft Sentinel Notebooks Ninja Training
Ingestion
- Microsoft Sentinel Migration: Select Target Azure Platform for Exported Data
- Microsoft Sentinel Migration: Select Data Ingestion Tool
- Community: Refactoring Data Ingestion Costs
- Find your Microsoft Sentinel Data Connector
- Resources for creating Microsoft Sentinel Custom Connectors
Retention
Workspaces with Microsoft Sentinel enabled get 90 days of interactive retention at no cost for all data. In addition, the following data sources are ingested at no cost:
- Azure Activity Logs
- Microsoft Sentinel Health
- Office 365 Audit Logs (SharePoint activity, Exchange activity, Teams activity)
- Alerts from Microsoft Defender products (Microsoft Defender XDR, Microsoft Defender for Cloud and the other Defender services)
- Azure Information Protection Alerts
- Microsoft Defender for IoT Alerts
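The list above is what the billing rules say; the Usage table in the workspace is what the billing rules actually did. As an added example (written for this page, not from Microsoft's documentation), the query below shows which data types were ingested free of charge over the last 30 days and what share of total ingestion they represent. It assumes a Log Analytics workspace with Microsoft Sentinel enabled; the Usage table is maintained by the service and Quantity is reported in MB. The 30-day window and the rounding are assumptions.

```kql
// Added example: verify which data types were non-billable in this workspace.
// Assumes a Sentinel-enabled Log Analytics workspace; Usage.Quantity is in MB.
// Part 1: per-data-type volume, free types first
Usage
| where TimeGenerated > ago(30d)                // assumption: reporting window
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, IsBillable
| order by IsBillable asc, IngestedGB desc

// Part 2: one number for the cost conversation: share of ingestion that was free
Usage
| where TimeGenerated > ago(30d)
| summarize FreeGB = round(sumif(Quantity, IsBillable == false) / 1024, 2),
            BillableGB = round(sumif(Quantity, IsBillable == true) / 1024, 2)
| extend FreeSharePercent = round(100.0 * FreeGB / (FreeGB + BillableGB), 1)
```

Run each part on its own in the Logs blade. A data type you expected to be free that shows IsBillable == true (or the reverse) is the cue to re-read the pricing page, since the free-source list changes and some connectors land alert data in billable tables.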
Associate
- Design your Microsoft Sentinel Workspace Architecture
- Community: Quality Assurance in Microsoft Sentinel: How to ensure accurate threat detections?
- MSFT Blog: Elevating Cybersecurity Intelligence with Microsoft Sentinel’s New Enrichment Widgets
Azure Lighthouse
- Delegate Access using Azure Lighthouse for a Sentinel POC
- Azure Lighthouse & Microsoft Sentinel: Assigning Access to Managed Identities in Customer Tenant
Build a Security Operations Center (SOC)
- MSSPs and Identity: Considerations for Tenant Architecture & Delegating Access to SOC analysts
- Protecting MSSP Intellectual Property in Microsoft Sentinel
KQL
SOAR
- Community: SOAR Capabilities in Microsoft Sentinel
- STAT – The Microsoft Sentinel Triage Assistant (STAT) uses modular playbooks and a Logic App Custom Connector to simplify incident triage and enrichment through reusable content
- Sample Integrations with Azure OpenAI