
Explore Microsoft cloud services foundations, including IaaS with Azure, PaaS and SaaS in Microsoft 365, and how Entra ID synchronizes identities between on-premises environments and the cloud via Azure AD Connect.
Keep up with Microsoft portal renames, such as Azure Active Directory becoming Entra ID, and access updated links at portals.examlabpractice.com, including admin.microsoft.com, defender.microsoft.com, purview.microsoft.com, and intune.microsoft.com.
Set up a personal lab with Microsoft 365 and Azure, obtain a free Office 365 trial to activate a Microsoft 365 E5 subscription, and explore Teams activation options.
Configure a Microsoft Sentinel workspace by creating a Log Analytics workspace, reviewing prerequisites and pricing, and attaching Microsoft Sentinel to enable security analytics.
Learn how Sentinel handles log types, stores logs in a log analytics workspace, and controls log retention with 30-day retention and long-term archive up to 12 years.
Learn how to redo simulations in the Microsoft Sentinel beginners course by navigating to the summary, returning to the assignment, and opening instructions to access the simulation link anytime.
Configure Microsoft Sentinel data connectors for Azure Activity and Microsoft Entra ID, ingesting sign-in logs and graph activity into a Log Analytics workspace via Azure Policy and diagnostic settings.
Explore how entities in Microsoft Sentinel classify and enrich security data, map fields to entity types, and support UBA, threat hunting, and automated responses, which in turn enables incident investigations.
Configure permissions for incident investigation by assigning the Microsoft Sentinel Responder role in the Azure IAM blade, then investigate incidents, view incident graphs and evidence, and reset passwords as needed.
Explore how Microsoft Sentinel automation rules automate incident tasks, assign severity, and standardize triage, while playbooks perform actions like enrichment and remediation across teams.
Discover how Microsoft Sentinel playbooks run on-premises via a hybrid runbook worker connected to an Azure Automation account, enabling on-premises tasks to be triggered from Azure-based playbooks.
Learn to filter security events in Microsoft Sentinel with KQL using dynamic time ranges. Summarize results with count and distinct count, and identify top sources.
Explore how the MITRE ATT&CK framework maps attacker techniques to tactics in enterprise environments, and how Microsoft Sentinel uses this blueprint to classify threats and guide investigations.
Explore threat indicators (IOCs) and how Microsoft Sentinel uses threat intelligence, content hub, and data connectors to ingest indicators and automatically generate alerts or incidents from logs and network data.
Explore the Microsoft Sentinel search experience to quickly query log data using Kusto queries, focusing on sign-in logs and other tables, with search results saved for 14 days and archiving options.
Explore workbook templates in Microsoft Sentinel to visualize data quickly from the content hub. Customize the time range and user filters, and view templates for audit logs and role management.
We really hope you'll agree, this training is way more than the average course on Udemy!
You'll have access to the following:
Training from an instructor with over 20 years of experience who has trained thousands of people and is also a Microsoft Certified Trainer
Lectures that explain the concepts in an easy-to-learn way for someone who is just starting out with this material
Instructor-led hands-on exercises and simulations that can be followed even with little to no experience
TOPICS COVERED INCLUDING HANDS ON LECTURE AND PRACTICE TUTORIALS:
Introduction
Welcome to the course
Understanding the Microsoft Environment
Foundations of Active Directory Domains
Foundations of RAS, DMZ, and Virtualization
Foundations of the Microsoft Cloud Services
DON'T SKIP: The first thing to know about Microsoft cloud services
DON'T SKIP: Azure AD is now renamed to Entra ID
Questions for John Christopher
Performing hands on activities
DON'T SKIP: Using Assignments in the course
Creating a free Microsoft 365 Account
Getting your free Azure credit
Understanding and setting up a Microsoft Sentinel Workspace
Overview of Microsoft Sentinel
Configuring a Microsoft Sentinel workspace
Managing roles regarding Sentinel
Managing log types, log retention, and data storage in Sentinel
Working with data connectors and ingestion in Microsoft Sentinel
Microsoft Sentinel data source identification
Content hub solutions in Microsoft Sentinel
Kusto Query Language (KQL) will be covered later in the course
Microsoft connectors for Azure, including Azure Policy & diagnostics
Azure Monitor Agent (AMA) and data collection rules
Using Syslog and Common Event Format (CEF) event collections
Working with Windows Security events and Windows Event Forwarding (WEF) collections
How to create custom log tables in the workspace
Ingesting Azure and Entra ID data
Monitoring data ingestion
Using analytics rules in Microsoft Sentinel
Using entities for classification and analysis
Understanding analytics rules in Microsoft Sentinel
Working with analytics rules
Advanced Security Information Model (ASIM) queries with Microsoft Sentinel
Behavioral analytics in Microsoft Sentinel
Dealing with incidents in Microsoft Sentinel
Incident investigation and remediation in Microsoft Sentinel
Concepts of automation rules and Microsoft Sentinel playbooks
Working with automation rules in Microsoft Sentinel
Working with playbooks in Microsoft Sentinel
Concepts of running playbooks against on-premises resources
Understanding hunting with Kusto Query Language (KQL)
Concepts of Kusto Query Language (KQL)
Using Microsoft's demo environment for learning KQL
Using basic KQL syntax
Filtering based on time ranges with KQL
Displaying columns, amounts and characters with KQL
Working with variables and combining output data with KQL
Looking at threat analytics by using KQL in Defender
Using Microsoft's Sentinel and Defender repository for hunting queries
Threat hunting with queries and managing workbooks
Using the MITRE ATT&CK matrix
Working with threat indicators
Working with hunts in Microsoft Sentinel
How to monitor hunting queries
Using hunting bookmarks
Restoring archived log data
Working with search jobs
Using workbook templates
Using custom workbooks that include KQL
Adjusting workbook visualizations
Conclusion
Cleaning up your lab environment
Getting a Udemy certificate
BONUS: Where do I go from here?