Microsoft Sentinel Readiness Resources
Below you will find content to assist in upskilling on Microsoft Sentinel. Content is organized by increasing levels of complexity (Fundamentals, Associate) followed by other associated critical resources.
Fundamentals
- Microsoft Sentinel Documentation - Microsoft Docs
- Microsoft Sentinel Technical Playbook for MSSPs
- Insights on how MSSPs can configure and add value to Microsoft Sentinel
- Microsoft Sentinel Pricing
- Microsoft Sentinel Wiki
- Microsoft Sentinel Skill-up Training - Microsoft Docs
- Design your Microsoft Sentinel Workspace Architecture - Microsoft Docs
Building a Demo Instance
Use these steps to build a demo instance (free for one month):
- Microsoft Sentinel Training Lab
- Initial Setup (“Dummy Data”)
- Connect Azure Active Directory (Azure AD) Data to Microsoft Sentinel - Microsoft Docs
- Possible Additional Data
- Microsoft Sentinel To-Go is an open source project developed to expedite the deployment of a Microsoft Sentinel lab along with other resources for research purposes. (i.e., more “Dummy Data”)
- Ingest Sample CEF Data into Sentinel - Microsoft Tech Community
- Sample Data CEF
- Additional Microsoft Sentinel Sample Data
- New Ingestion SampleData-as-a-Service Solution - Microsoft Tech Community
Associate
- Microsoft Sentinel Workspace Architecture Best Practices - Microsoft Docs
- Microsoft Sentinel Sample Workspace Designs - Microsoft Docs
- Microsoft 365 Defender Integration with Microsoft Sentinel - Microsoft Docs
- Find your Microsoft Sentinel Data Connector - Microsoft Docs
- Resources for Creating Microsoft Sentinel Custom Connectors - Microsoft Docs
- Become a Microsoft Sentinel Automation Ninja - Microsoft Tech Community
- Become a Microsoft Sentinel Ninja: The complete level 400 training
Azure Lighthouse
- Delegate Access using Azure Lighthouse for a Sentinel POC - My Faber Security
- Azure Lighthouse & Microsoft Sentinel: Assigning Access to Managed Identities in Customer Tenant - My Faber Security
Build a SOC & Operationalize Security Operations
- What’s New: Azure Sentinel - SOC Process Framework Workbook - Microsoft Tech Community
- SOC Process Framework Overview - YouTube
- Best Practices for Microsoft Sentinel - Microsoft Docs
- Protecting MSSP Intellectual Property in Microsoft Sentinel - Microsoft Docs
- MSSPs and Identity - Considerations for tenant architecture and delegating access to SOC analysts
Agents Resources
- Migrate to Azure Monitor Agent for better Security, Reliability and Management - Microsoft Tech Community
- Overview of the Azure Connected Machine Agent (Azure Arc) - Microsoft Docs
- Connect Hybrid Machines to Azure at Scale (Azure Arc) - Microsoft Docs
- Azure Monitor Agent Overview - Microsoft Docs
- Data Collection Rules in Azure Monitor - Microsoft Docs
- Sentinel Syslog Forwarder with AMA
- Azure Monitor Agent Migration (Remove Log Analytics Agent) Lab
KQL
- KQL for Microsoft Sentinel Lab & Queries
- MustLearnKQL Blog Series
- KQL Cheat Sheet
- Advanced KQL Framework Workbook - Microsoft Tech Community
- KQL Search
- SQL to KQL Cheat sheet
ADX
- What is a free Azure Data Explorer Cluster? - Microsoft Docs
- Free cluster; only a Microsoft identity is required
- Azure Data Explorer in 60 minutes with Samples - Microsoft Tech Community
Notebooks
- Becoming a Microsoft Sentinel Notebooks Ninja - Microsoft Tech Community
- Azure Sentinel Notebooks Lab
- Get Started with Jupyter Notebooks & MSTICPy in Microsoft Sentinel - Microsoft Docs
- Detect Masqueraded Process Name Anomalies with ML Notebook - Microsoft Tech Community
- Hunting for Low & Slow Password Sprays Using Machine Learning - Microsoft Tech Community
- Hunting for Teams Phishing with Microsoft Sentinel, Defender, Microsoft Graph and MSTICPy - Microsoft Tech Community
Migration
- Plan Migration to Microsoft Sentinel - Microsoft Docs
- Microsoft Sentinel Migration: Select Target Azure Platform for Exported Data - Microsoft Docs
- Microsoft Sentinel Migration: Select Data Ingestion Tool - Microsoft Docs
- Uncoder Sigma Rule Converter for SIEM, EDR, & NTDR
- Microsoft Sentinel Repository
- Azure Sentinel Side-by-Side with QRadar
- Azure Sentinel Side-by-Side with Splunk
Build Solutions & Other Contributions
MDTI (Defender for Threat Intelligence) & RiskIQ Integration
- Become a Microsoft Defender Threat Intelligence Ninja - Microsoft Tech Community
- Performing a Successful Proof of Concept (PoC)
- New Threat Intelligence Features in Microsoft Sentinel - Microsoft Tech Community
- Infrastructure Chaining with Microsoft Defender Threat Intelligence - Microsoft Tech Community
- RiskIQ Illuminate Content Hub Solution within Microsoft Sentinel - My Faber Security
SOAR
- Microsoft Sentinel Automation Tips & Tricks - Microsoft Tech Community
- Safely Integrate Playbooks with Custom APIs with no Pre-built Logic App Connector - My Faber Security
Repositories
- Enable Continuous Deployment Natively with Microsoft Sentinel Repositories - Microsoft Tech Community
- Microsoft Sentinel As-A-Code Lab
- Sample Content Repository
- Customize Repository Deployments - Microsoft Docs
Fusion
- Behind the Scenes: The ML Approach for Detecting Advanced Multistage Attacks with Sentinel Fusion - Microsoft Tech Community
- Advanced Multistage Attack Detection in Microsoft Sentinel - Microsoft Docs
UEBA
- Discover the Power of UEBA Anomalies in Microsoft Sentinel - Microsoft Tech Community
- Microsoft Sentinel Customizable ML-Based Anomalies Now Generally Available - Microsoft Tech Community
Storage Options
Costs
- Refer to Microsoft Sentinel Pricing
- Microsoft Sentinel Cost Calculator
- Azure Data Explorer (Kusto) Cost Estimator
Data at No-Cost
Microsoft Sentinel and Log Analytics offer ingestion & 90-day retention of some data at no cost, including:
- Azure Activity Logs
- Office 365 Audit Logs (e.g., SharePoint activity, Exchange activity, Teams)
- Alerts from Microsoft Defender products
- Azure Information Protection Alerts
- Microsoft Defender for IoT Alerts
Refer to Plan Costs and Microsoft Sentinel Pricing and Billing - Microsoft Docs for further information.
Other Ways to Save
- Microsoft Sentinel Benefit for Microsoft 365 E5, A5, F5, and G5 Customers
- Locate Microsoft Sentinel Free Benefit in Cost Management & Billing
- Commitment Tiers: save up to 65% compared to pay-as-you-go.