Skip to content
Microsoft Sentinel
Intermediate

Master Microsoft Sentinel for Security Operations

Deploy and configure Microsoft Sentinel — analytics rules, playbooks, workbooks, and threat hunting.

Start Learning Hands-on labs and real-world scenarios
About

About This Course

Microsoft Sentinel is the SIEM and SOAR platform at the center of Microsoft's security operations story. This course takes you from workspace deployment to advanced threat hunting in 11 hours. You will configure data connectors, build analytics rules, design workbooks, create automation playbooks, and write KQL queries that find threats your built-in rules miss.

The course is structured around real SOC workflows. You start by deploying the workspace and connecting data sources — Azure Activity, Microsoft Entra ID, Microsoft 365, Defender XDR, and third-party connectors via CEF and Syslog. Then you build detection content: scheduled analytics rules with custom KQL, near-real-time rules for high-priority alerts, and fusion rules that correlate across data sources. Each rule includes entity mapping so your incidents have actionable context.

Automation separates a functional Sentinel deployment from a good one. You will build Logic App playbooks that enrich incidents with threat intelligence, notify the right teams, and execute containment actions. The final section covers threat hunting — writing hypotheses, building hunting queries, and using bookmarks to track findings across investigation sessions.

Outcomes

What You'll Learn

01

Deploy a Sentinel workspace and configure data connectors for Azure, Microsoft 365, and third-party sources

02

Build analytics rules that detect real threats — scheduled, NRT, and fusion rules

03

Create SOAR playbooks with Logic Apps for automated incident response

04

Hunt for threats using KQL across Sentinel logs and threat intelligence

Before You Start

Prerequisites

  • Familiarity with KQL basics is helpful but not required — the course builds that skill as you go
  • An Azure subscription for hands-on labs — a free trial works
Audience

Who Is This Course For

This course is for security analysts, SOC engineers, and security architects who are deploying or managing Microsoft Sentinel. Whether you are building a new Sentinel deployment from scratch or optimizing an existing one, this course gives you the practical knowledge to configure detection, automation, and hunting workflows. Familiarity with KQL basics is helpful but not required — the course builds that skill as you go.

Curriculum

What's Inside

01

Workspace Deployment and Data Connectors

  • Sentinel workspace architecture and Log Analytics
  • Built-in data connectors for Microsoft services
  • CEF, Syslog, and custom log ingestion
  • Data collection rules and transformation
02

Analytics Rules and Detection

  • Scheduled analytics rules with custom KQL
  • Near-real-time and Microsoft security rules
  • Fusion detection for multi-stage attacks
  • Entity mapping and alert grouping
03

Workbooks and Visualization

  • Built-in workbook templates
  • Custom workbook design with KQL
  • SOC dashboards and operational metrics
  • Monitoring data ingestion and costs
04

Automation and Threat Hunting

  • Logic App playbooks for incident response
  • Automation rules and playbook triggers
  • Threat hunting queries and bookmarks
  • Threat intelligence integration and indicators