Beginner guide to cloud-native SIEM and SOAR
Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution that provides intelligent security analytics and threat intelligence across your enterprise.
Which capability is a core Sentinel feature?
Sentinel excels at ingesting and analyzing security data with built-in ML analytics for threat detection.
Interactive drag-and-drop workspace: start with an empty Sentinel workspace and add components (Data Connectors, Analytics Rules, Workbooks, Automation Rules). Each placement shows how the component integrates with Azure Monitor, Defender, and other Microsoft services. Goal: create a minimal working architecture and view the resulting data flow summary.
Sentinel licensing is primarily based on:
Pricing is consumption-based, driven by the volume of data ingested into the workspace.
A Log Analytics workspace is the data store required by Microsoft Sentinel. Sentinel is enabled on an existing workspace, turning it into a security analytics platform.
Which item is required before enabling Sentinel on a workspace?
An active Azure subscription is mandatory to create the resource group and workspace.
Interactive simulator: Select region, pricing tier, and resource group. Click Deploy to see validation results and the exact ARM template snippet generated. Then toggle three common data connectors (Azure Activity, Office 365, Azure AD) and observe which ones succeed or require additional permissions.
After Sentinel is enabled, data connectors bring in telemetry. Common beginner connectors include Azure Activity, Office 365, and Azure Active Directory.
Validation steps: check data ingestion in Logs, confirm connector status shows Connected, and run a sample query.
After enabling the Azure Activity connector, what confirms successful data flow?
Successful ingestion is verified by seeing the Connected status and querying the AzureActivity table.
Kusto Query Language (KQL) lets you search and analyze logs in Microsoft Sentinel tables such as SecurityEvent and SigninLogs.
| where filters rows; | summarize aggregates counts.
Which KQL operator filters rows where EventID equals 4624?
The | where operator keeps only the rows that match the condition (for example, | where EventID == 4624).
Interactive query editor: learner types simple KQL against sample SecurityEvent and SigninLogs tables, runs the query, and views simulated tabular results plus row count. Supports basic | where and | summarize clauses with one-click example buttons.
A scheduled analytics rule runs a KQL query on a set interval and creates an incident when the query returns results. Tune it by adjusting the query logic, setting thresholds, and mapping entities such as Account or IP so the incident shows who and what was involved.
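The rule described above, worked through as an added example (not a query from the original page or from Microsoft): it runs over the SecurityEvent table, applies a threshold, and produces the Account and IP columns that the rule's entity mapping would use. The 10-failure threshold and 1-hour window are assumptions to tune for your environment.

```kusto
// Added example: scheduled analytics rule query that flags an account with a
// burst of failed logons (EventID 4625) followed by a successful logon (4624).
// SecurityEvent, EventID, Account, IpAddress and TimeGenerated are standard
// Sentinel columns; lookback and failThreshold are assumed tuning values.
let lookback = 1h;
let failThreshold = 10;
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                       // failed logon
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                SourceIPs = make_set(IpAddress, 10)
        by Account
    | where FailedCount >= failThreshold;         // threshold: drop low-volume noise
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624                       // successful logon
    | project Account, SuccessTime = TimeGenerated, IpAddress;
failures
| join kind=inner successes on Account
| where SuccessTime > LastFail                    // success arrived after the burst
| project Account, FailedCount, FirstFail, LastFail, SuccessTime, IpAddress, SourceIPs
// Entity mapping for the rule: Account -> Account entity, IpAddress -> IP entity.
// Schedule: run every 1h with a 1h lookback so each window is evaluated once.
```

Validate it first in the Logs blade against the sample SecurityEvent data before saving it as a rule; an empty result in a quiet lab is expected, so lower failThreshold temporarily to confirm the join and projection behave as intended.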
Open the Incidents page in the Microsoft Sentinel portal. Each incident groups related alerts and entities.
You open a new incident showing a single low-severity alert from a trusted source. What is the best first action?
Low-severity alerts from trusted sources are typically closed as benign after quick review.
Interactive widget: User sees a list of sample alert types (e.g., 'Suspicious Sign-in', 'Malware Detected'). Drag each alert to one of three playbook columns: 'Notify SOC', 'Block IP', or 'Create Ticket'. The simulator shows a live JSON representation of the resulting automation rule and a success/failure indicator based on logical rules (e.g., high-severity alerts must include a ticket).