Getting Started with Microsoft Sentinel

Beginner guide to cloud-native SIEM and SOAR

Beginner · 40 min · 20 cards
  • Explain Sentinel's role in security operations
  • Deploy a workspace and connect data sources
  • Build simple KQL queries and analytics rules
  • Investigate incidents and apply basic automation


Concept: Introduction to Microsoft Sentinel

What is Microsoft Sentinel?

Cloud-Native SIEM

Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution that provides intelligent security analytics and threat intelligence across your enterprise.

Core Value in SOC Workflows

  • Centralizes data collection and detection
  • Accelerates investigation and response
  • Reduces alert fatigue with AI-driven correlation

Check: Introduction to Microsoft Sentinel

Key Capabilities Check

Which capability is a core Sentinel feature?

Try it: Introduction to Microsoft Sentinel

Architecture Builder

Interactive drag-and-drop workspace: start with an empty Sentinel workspace and add components (Data Connectors, Analytics Rules, Workbooks, Automation Rules). Each placement shows how the component integrates with Azure Monitor, Defender, and other Microsoft services. Goal: create a minimal working architecture and view the resulting data flow summary.

Recall: Introduction to Microsoft Sentinel

Name two Microsoft security services that integrate natively with Sentinel.

Check: Introduction to Microsoft Sentinel

Licensing & Integration Check

Sentinel licensing is primarily based on:

Concept: Deploying a Sentinel Workspace

Log Analytics Workspace for Sentinel

Workspace Foundation

A Log Analytics workspace is the data store required by Microsoft Sentinel. Sentinel is enabled on an existing workspace, turning it into a security analytics platform.

  • One workspace per Sentinel instance
  • Supports multiple data sources via connectors
  • Must reside in a supported Azure region

Check: Deploying a Sentinel Workspace

Workspace Prerequisites

Which item is required before enabling Sentinel on a workspace?

Try it: Deploying a Sentinel Workspace

Workspace Deployment Simulator

Interactive simulator: Select region, pricing tier, and resource group. Click Deploy to see validation results and the exact ARM template snippet generated. Then toggle three common data connectors (Azure Activity, Office 365, Azure AD) and observe which ones succeed or require additional permissions.

Concept: Deploying a Sentinel Workspace

Data Connectors Overview

Connecting Data Sources

After Sentinel is enabled, data connectors bring in telemetry. Common beginner connectors include Azure Activity, Office 365, and Azure Active Directory.

Validation steps: check data ingestion in Logs, confirm connector status shows Connected, and run a sample query.

Check: Deploying a Sentinel Workspace

Connector Validation

After enabling the Azure Activity connector, what confirms successful data flow?

Recall: Deploying a Sentinel Workspace

List the two main tasks in this module.

Concept: Data Analysis and Threat Detection

KQL Basics in Sentinel

Exploring Security Data with KQL

Kusto Query Language (KQL) lets you search and analyze logs in Microsoft Sentinel tables such as SecurityEvent and SigninLogs.

  • Use | where to filter rows
  • Use | summarize to aggregate counts
  • Start queries with the table name

Check: Data Analysis and Threat Detection

KQL Filter Check

Which KQL operator filters rows where EventID equals 4624?

Try it: Data Analysis and Threat Detection

Build a KQL Query

Interactive query editor: learner types simple KQL against sample SecurityEvent and SigninLogs tables, runs the query, and views simulated tabular results plus row count. Supports basic | where and | summarize clauses with one-click example buttons.

Concept: Data Analysis and Threat Detection

Analytics Rules

Creating Basic Analytics Rules

An analytics rule runs a KQL query on a schedule and creates incidents when results appear. Tune by adjusting query logic, setting thresholds, and mapping entities such as Account or IP.

Recall: Data Analysis and Threat Detection

What does tuning an analytics rule involve?

Concept: Incident Management Basics

Investigating Incidents

Investigating Incidents in Sentinel

Open the Incidents page in the Microsoft Sentinel portal. Each incident groups related alerts and entities.

  • Click an incident to view its timeline, alerts, and entities.
  • Use the Investigate button to launch the investigation graph.
  • Review entity details and related alerts to understand scope.

Check: Incident Management Basics

Triage Check

You open a new incident showing a single low-severity alert from a trusted source. What is the best first action?

Try it: Incident Management Basics

Playbook Simulator

Interactive widget: User sees a list of sample alert types (e.g., 'Suspicious Sign-in', 'Malware Detected'). Drag each alert to one of three playbook columns: 'Notify SOC', 'Block IP', or 'Create Ticket'. The simulator shows a live JSON representation of the resulting automation rule and a success/failure indicator based on logical rules (e.g., high-severity alerts must include a ticket).

Recall: Incident Management Basics

What is the purpose of a basic playbook in Sentinel?