Microsoft Sentinel – Cloud SIEM

Module 1: Microsoft Sentinel Overview and Architecture

• Cloud-native SIEM and SOAR concepts and advantages
• Microsoft Sentinel architecture: Log Analytics workspace, connectors, and analytics
• Sentinel pricing model: pay-as-you-go and commitment tiers
• Navigating the Sentinel portal: overview, incidents, and configuration

Module 2: Data Connectors and Log Ingestion

• Microsoft data connectors: Azure AD, Microsoft 365, Defender, and Azure services
• Third-party connectors: Palo Alto, Cisco, Fortinet, and AWS
• CEF and Syslog data collection via Log Analytics agent
• Custom log ingestion with DCR (Data Collection Rules) and custom tables

Module 3: KQL – Kusto Query Language

• KQL fundamentals: tables, operators, and data types
• Essential operators: where, project, summarize, join, and extend
• Time-based queries and time chart visualisations
• Building detection queries and threat hunting searches with KQL

Module 4: Analytics Rules and Incident Creation

• Scheduled analytics rules: KQL query, entity mapping, and alert grouping
• Microsoft Security incident creation rules for Defender products
• Anomaly detection rules: built-in ML-based behavioural analytics
• Near real-time (NRT) analytics rules for low-latency detection

Module 5: Incident Management and Investigation

• Incident queue: triage, assignment, and severity management
• Investigation graph: entity relationships and timeline visualisation
• Entity pages: user, host, IP, and URL enrichment and history
• Bookmarks and investigation notes for collaborative analysis

Module 6: SOAR – Automation with Playbooks

• Playbook architecture: Logic Apps triggers, actions, and connectors
• Automating incident response: notification, enrichment, and containment
• Automation rules: triggering playbooks and updating incident fields
• Custom playbooks for common SOC response workflows

Module 7: Threat Hunting and Workbooks

• Hunting queries: proactive threat searches using KQL
• Livestream: real-time event monitoring during active hunts
• Sentinel Workbooks: custom dashboard creation and visualisation
• MITRE ATT&CK coverage assessment in Sentinel

Module 8: Capstone Project and Assessment

• Sentinel workspace setup and data connector configuration
• KQL detection rule creation and incident investigation exercise
• SOAR playbook automation project for a common SOC use case
• Final assessment and course certification

Experience in the Industry Learn from Microsoft Sentinel-certified security engineers who have architected and operated cloud-native SIEM deployments for enterprises migrating from on-premise SIEM platforms to Azure-based security operations.

Backgrounds at the Top Our Microsoft Sentinel trainers have built detection engineering programmes, developed KQL threat hunting content, and automated SOC workflows using Sentinel and Microsoft Defender at leading organisations globally.

Clear & Effective Teaching Sentinel data connectors, KQL query language, analytics rules, incident management, SOAR playbooks, threat hunting, and workbook dashboards are taught clearly with real SOC analyst scenarios and hands-on demonstrations.

Hands-On Learning Focus Students configure data connectors, write KQL detection rules, investigate incidents, build Logic Apps playbooks, and create custom workbooks through comprehensive lab exercises in a Sentinel environment.

Up-to-Date Knowledge Trainers stay current with the latest Microsoft Sentinel feature releases, Microsoft Unified SOC platform updates, Copilot for Security integration, and evolving cloud-native SOC best practices.