
Explore how Microsoft Sentinel functions as a cloud-native SIEM, covering architecture, scalability, data ingestion with connectors, analytics rules, threat hunting and threat intelligence, automation, and workbooks.
Explore how Microsoft Sentinel, a cloud-native SIEM and SOAR solution, detects, investigates, and responds to threats in real time by collecting and analyzing data across sources while leveraging cloud scalability.
Cloud-native Microsoft Sentinel scales to handle two terabytes of data daily. From small businesses to global enterprises, it provides continuous threat monitoring with no manual intervention.
Microsoft Sentinel's cloud-native flexibility enables unified visibility by collecting and analyzing data from both on-premises and cloud environments, correlating events to alert security teams in real time.
Leverage the seamless integration of Microsoft Sentinel with Azure Active Directory, Microsoft Defender, and third-party firewalls via built-in connectors to provide a unified view and cross-source threat correlation.
Sentinel's cloud-native pay-as-you-go model charges only for ingested and stored data, delivering cost-effective, scalable security for startups through enterprises.
Cloud-native architecture in Microsoft Sentinel handles hybrid environments by collecting data from on-premises, Azure, and AWS to provide a unified view of security threats using cloud-scale AI and automation.
Compare traditional on-premises SIEMs, with their high hardware costs and limited scalability, to cloud-native SIEMs like Microsoft Sentinel that enable scalable, flexible security operations for modern teams.
Traditional SIEM solutions incur high hardware and maintenance costs and struggle to scale at peak times. Cloud-native solutions overcome these limitations with on-demand scalability and easier cloud integration.
Explore how cloud-native SIEM solutions run entirely in the cloud, scale automatically, and integrate data from on-prem, cloud, and third-party tools using AI and ML.
Compare traditional on-prem SIEM with cloud-native SIEM, noting hardware dependence, scalable cloud resources, pay-as-you-go cost, seamless hybrid integration, easier setup, and automatic updates.
Learn how Azure Sentinel ingests logs from Azure, AWS, on-prem, and SaaS sources into the Log Analytics workspace, using built-in and custom data connectors for threat detection and incident response.
Learn to create an Azure free account through a step-by-step walkthrough, including email verification, solving a verification puzzle, and enabling a free trial in the Azure portal.
Learn to create an Azure resource group by searching, selecting a subscription, choosing a region, and creating it to support the Sentinel training and host virtual machines.
Explore how the Log Analytics workspace serves as the central data repository for Microsoft Sentinel, ingesting data via connectors and enabling Kusto Query Language (KQL) analysis, dashboards, alerts, and automation.
Create a Log Analytics workspace in Azure within the Sentinel Training resource group on the free trial, then validate and deploy it as a prerequisite for Microsoft Sentinel.
Create a Microsoft Sentinel workspace in Azure by selecting an existing Log Analytics workspace, and learn about the 31-day free trial with 10 GB of daily data ingestion.
Explore how Content Hub unifies data connectors and solutions in Microsoft Sentinel, learn to integrate logs like AWS and Azure AD, and access analytics rules, hunting queries, and workbooks.
Learn how to integrate threat intelligence into Microsoft Sentinel using a data connector to import external threat indicators, configure the API details, and review the logs.
Ingest Windows security events from an Azure virtual machine into Microsoft Sentinel by installing the Azure Monitor Agent, creating a data collection rule, and validating logs in the Content Hub.
Verify that Windows security event logs stream into Microsoft Sentinel by checking the log viewer, identifying event IDs and processes, and using the Content Hub connector or Azure Monitor Agent.
Pull logs from Windows, Linux, firewalls, cloud, and third-party sources into the Log Analytics workspace, then use analytics rules with the Kusto Query Language to detect threats and generate alerts.
Explore the types of Microsoft Sentinel analytics rules, including scheduled rules (the most popular, automating log analysis and alerting on suspicious patterns) plus near-real-time, anomaly, and Fusion rules.
Understand how scheduled analytics rules run automatically at fixed intervals, use look-back periods, and trigger alerts using KQL and thresholds, with examples like logins from two countries within ten minutes.
Create a scheduled query rule in Microsoft Sentinel to detect brute-force attacks from Windows security events, link it to the MITRE ATT&CK Credential Access tactic, and test the resulting incidents.
Explore near-real-time (NRT) rules in Microsoft Sentinel that analyze logs every minute for near-instant detection, triggering immediate alerts for high-priority events like audit log clearing (Event ID 1102).
Learn to create an NRT rule in Sentinel to detect audit log clearing on a critical server, map it to a MITRE ATT&CK tactic, and generate real-time alerts.
Discover the Fusion rule in Microsoft Sentinel, an AI-powered detection engine that correlates alerts from Defender for Cloud Apps, Defender for Identity, and Defender for Endpoint to reveal multi-stage attacks.
Learn how to enable and configure the Fusion rule in Microsoft Sentinel, a predefined correlation engine that detects advanced multi-stage attacks by correlating anomalous behavior and suspicious activities.
ML behavior analytics in Microsoft Sentinel moves beyond static rules by establishing baselines of user and entity behavior, detecting anomalies, and triggering risk-weighted alerts in real time.
Explore the incident investigation page in Microsoft Sentinel, learn to view full details, adjust severity and status, assign owners, and use logs, tasks, and timeline for in-depth security incident analysis.
Drive proactive threat hunting to uncover unknown threats, reduce dwell time, and strengthen SOC, SIEM, EDR, firewall, and email security.
Hunt for impossible travel activity in Microsoft Sentinel by analyzing log data for rapid cross-country logins to identify anomalies, compromised accounts, or VPN use.
Install and enable the Microsoft Entra ID data connector in Sentinel to stream sign-in, audit, and user risk logs, then forward them to the Log Analytics workspace.
Simulate impossible travel activity in Microsoft Sentinel using KQL to hunt sign-in anomalies across countries and analyze login times, IP addresses, and locations.
Provide evidence-based knowledge about threats, including who might attack, why, and how. Identify attacker groups, tactics, and defense actions to guide security work.
Explore a real life threat intel example that links threat intelligence databases with SIEM logs to identify known threat actors, their IP addresses, and their TTPs for ECS ransomware.
Define the direction phase of threat intelligence for a health sector hospital, set objectives to collect IOCs for ransomware and phishing domains, and monitor PHI protection and HIPAA compliance.
Collect raw threat data from open-source threat intelligence, commercial feeds, private sharing groups, and internal logs in the collection phase, capturing IOCs, TTPs, and government alerts.
Transform raw data into structured formats like CSV or JSON, remove duplicates and noise with Python and PowerShell, tag IOCs with their malware families, and prepare the data for analysis.
In the analysis phase, correlate the processed CSV IOCs with SIEM and EDR logs to hunt for ransomware, run threat intel queries, trigger alerts, and block identified IOCs.
Disseminate and share finished threat intelligence to the right stakeholders, feeding IOCs to tools like SIEM and EDR, and deliver daily threat summaries and weekly executive reports with actionable playbooks.
Learn to manually add indicators of compromise in Microsoft Sentinel using the Threat Intelligence blade, IPv4 indicators, and MITRE kill chain mapping to Command and Control.
Import Microsoft Defender Threat Intelligence data into Microsoft Sentinel using the Defender Threat Intelligence connector, then use IOCs like IP addresses and hashes for log analysis, monitoring, and hunting.
Explore how playbooks and Logic Apps automate security operations, triaging alerts, blocking malicious IPs, and quarantining endpoints to speed decisions and reduce false positives.
Understand how Microsoft Sentinel uses playbooks, built on Logic Apps, to automate response workflows that trigger email alerts, ticket creation, IP reputation checks, and automatic blocking of threats.
Apply automation rules in Microsoft Sentinel to auto assign, update status, adjust severity, and guide investigators for brute force alerts with predefined investigation steps and tags.
Create your first Microsoft Sentinel playbook that automatically sends an Outlook email when a security incident is triggered, using automation, the Logic App Designer, identity setup, and the Contributor role for access.
Build a geo-tagging playbook in Microsoft Sentinel using Azure Logic Apps to fetch country and city from an IP and tag incidents, with proper playbook permissions and managed identity.
Learn how to use workbooks in Microsoft Sentinel to visualize data with interactive dashboards, monitor real-time alerts and login attempts, and analyze locations via geo maps, with no coding required.
Explore the building blocks of a Sentinel workbook: data sources from Log Analytics tables via KQL queries, visual elements like time charts and pie charts, and interactive parameters and filters.
Build your first customized workbook in Microsoft Sentinel to visualize the most frequently triggered security alerts from the past 30 days, using KQL queries and charts.
Create a daily alert trend timeline in Microsoft Sentinel by building a time-based visualization that counts security alerts per day, enabling SOC analysts to spot spikes and investigate reasons.
Create a 30-day Azure Workbooks dashboard that visualizes brute-force attempts by grouping failed logins by account and showing the top ten accounts in a bar chart.
Are you ready to master Microsoft Sentinel, one of the most in-demand cloud-native SIEM platforms used by modern SOCs?
This course is your complete zero-to-hero journey, designed for beginners, SOC analysts, cybersecurity engineers, and anyone looking to break into or upskill in cloud security operations.
Through real-world labs, step-by-step guidance, and practical examples, you'll go beyond theory and build actual threat detection, automation, and response workflows using Microsoft Sentinel.
What You’ll Learn:
Set up and configure Microsoft Sentinel from scratch in Azure
Ingest data using connectors (Windows logs, threat intel, etc.)
Create powerful analytics rules (Scheduled, NRT, Fusion, ML-based)
Write and use KQL queries for threat hunting
Build playbooks and automate incident response with Logic Apps
Visualize attacks using Workbooks
Understand the difference between traditional and cloud-native SIEMs
Why This Course Is Different:
100% hands-on with real Azure labs
No prior experience required – beginner-friendly explanations
Perfect for job-ready skills in SOC roles
Covers full SIEM lifecycle: detect, investigate, respond, visualize
Created by a seasoned SOC architect with real-world use cases
Whether you're just starting in cybersecurity or looking to strengthen your SIEM expertise, this course will guide you every step of the way.
Join today and become job-ready with Microsoft Sentinel!