Microsoft Sentinel
Intermediate

Master Microsoft Sentinel for Security Operations

Deploy and configure Microsoft Sentinel — analytics rules, playbooks, workbooks, and threat hunting.

Ready to Start?

Take your Microsoft Sentinel skills to the next level with hands-on training.

Start Learning

What You Will Learn

Deploy a Sentinel workspace and configure data connectors for Azure, Microsoft 365, and third-party sources
Build analytics rules that detect real threats — scheduled, NRT, and fusion rules
Create SOAR playbooks with Logic Apps for automated incident response
Hunt for threats using KQL across Sentinel logs and threat intelligence

Microsoft Sentinel is the SIEM and SOAR platform at the center of Microsoft’s security operations story. This course takes you from workspace deployment to advanced threat hunting in 11 hours. You will configure data connectors, build analytics rules, design workbooks, create automation playbooks, and write KQL queries that find threats your built-in rules miss.

The course is structured around real SOC workflows. You start by deploying the workspace and connecting data sources — Azure Activity, Microsoft Entra ID, Microsoft 365, Defender XDR, and third-party connectors via CEF and Syslog. Then you build detection content: scheduled analytics rules with custom KQL, near-real-time rules for high-priority alerts, and fusion rules that correlate across data sources. Each rule includes entity mapping so your incidents have actionable context.
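As an added illustration of the detection content described above (this is example code written for this page, not material from the course or its author), here is the shape of a custom KQL query that a scheduled analytics rule could run, together with the entity mapping that turns its results into incidents with context. It assumes the Microsoft Entra ID connector is populating the SigninLogs table; the thresholds and the one-hour window are illustrative assumptions that would be tuned per environment.

```kql
// Added example, not from the course: scheduled analytics rule query for Microsoft Sentinel.
// Assumes the Microsoft Entra ID connector is writing to the SigninLogs table.
// Hypothesis: one source IP fails sign-in against many distinct accounts in a short window,
// then succeeds for at least one of them. Thresholds are assumed values for illustration.
let lookback = 1h;
let failure_threshold = 20;
let distinct_user_threshold = 10;
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"              // non-zero ResultType means the sign-in failed
    | summarize FailedAttempts = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by IPAddress
    | where FailedAttempts >= failure_threshold
        and TargetedAccounts >= distinct_user_threshold;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                  // successful sign-ins only
| join kind=inner failures on IPAddress    // keep successes from IPs that first sprayed failures
| where TimeGenerated > FirstFailure       // success must come after the failures began
| project TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName,
          FailedAttempts, TargetedAccounts, FirstFailure, LastFailure
// Entity mapping is configured on the rule itself, not in KQL. For this query:
//   Account entity -> FullName = UserPrincipalName
//   IP entity      -> Address  = IPAddress
// With that mapping, each incident carries the account and source IP as investigable entities.
```

The same query can be pasted into the Hunting blade to test the hypothesis before it becomes a rule; once promoted to a scheduled rule, the rule's own query period and frequency settings bound how far back `ago(lookback)` can reach, so keep the two consistent.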

Automation separates a functional Sentinel deployment from a good one. You will build Logic App playbooks that enrich incidents with threat intelligence, notify the right teams, and execute containment actions. The final section covers threat hunting — writing hypotheses, building hunting queries, and using bookmarks to track findings across investigation sessions.

Curriculum

Workspace Deployment and Data Connectors

  • Sentinel workspace architecture and Log Analytics
  • Built-in data connectors for Microsoft services
  • CEF, Syslog, and custom log ingestion
  • Data collection rules and transformation

Analytics Rules and Detection

  • Scheduled analytics rules with custom KQL
  • Near-real-time and Microsoft security rules
  • Fusion detection for multi-stage attacks
  • Entity mapping and alert grouping

Workbooks and Visualization

  • Built-in workbook templates
  • Custom workbook design with KQL
  • SOC dashboards and operational metrics
  • Monitoring data ingestion and costs

Automation and Threat Hunting

  • Logic App playbooks for incident response
  • Automation rules and playbook triggers
  • Threat hunting queries and bookmarks
  • Threat intelligence integration and indicators

Who Is This For

This course is for security analysts, SOC engineers, and security architects who are deploying or managing Microsoft Sentinel. Whether you are building a new Sentinel deployment from scratch or optimizing an existing one, this course gives you the practical knowledge to configure detection, automation, and hunting workflows. Familiarity with KQL basics is helpful but not required — the course builds that skill as you go.

Christopher Nett

Security Architect at Microsoft

CISSP, CCSP, CISM, M.Sc. IT Security, MBA

20+ courses, 100,000+ students. I build and teach Microsoft Security, Azure, and AI courses based on what I deploy and operate daily.
