- Create and manage Microsoft Sentinel workspaces
  Upon completion of this module, the learner will be able to:
  - Describe Microsoft Sentinel workspace architecture
  - Onboard a Microsoft Sentinel workspace to Microsoft Defender
  - Manage a Microsoft Sentinel workspace in Microsoft Defender
- Manage content in Microsoft Sentinel
  After completing this module, you'll be able to:
  - Install a content hub solution in Microsoft Sentinel
  - Connect a GitHub repository to Microsoft Sentinel
- Connect Microsoft services to Microsoft Sentinel
  Upon completion of this module, the learner will be able to:
  - Connect Microsoft service connectors
  - Explain how connectors automatically create incidents in Microsoft Sentinel
- Connect syslog data sources to Microsoft Sentinel
  Upon completion of this module, the learner will be able to:
  - Describe the Azure Monitor Agent Data Collection Rule (DCR) for syslog
  - Install and configure the Azure Monitor Linux Agent extension with the syslog DCR
  - Run the Azure Arc Linux deployment and connection scripts
  - Verify that syslog data is available in Microsoft Sentinel
  - Create a parser using KQL in Microsoft Sentinel
- Connect Common Event Format logs to Microsoft Sentinel
  Upon completion of this module, the learner will be able to:
  - Explain the Common Event Format connector deployment options in Microsoft Sentinel
  - Run the deployment script for the Common Event Format connector
- Connect Windows hosts to Microsoft Sentinel
  Upon completion of this module, the learner will be able to:
  - Connect Azure Windows virtual machines to Microsoft Sentinel
  - Connect non-Azure Windows hosts to Microsoft Sentinel
  - Install and configure a data connector to collect Sysmon events
- Automate incident management in Microsoft Sentinel using automation rules and Logic Apps playbooks. Create automation rules to triage and route incidents, activate a prebuilt playbook from the Content Hub, and author a custom Logic Apps playbook. Together these steps build an automated notification and response workflow.
  After completing this module, you'll be able to:
  - Explain the difference between automation rules and playbooks in Microsoft Sentinel
  - Create automation rules to automate incident management tasks
  - Configure and activate a prebuilt playbook from the Microsoft Sentinel Content Hub
  - Author a custom Logic Apps playbook and connect it to an automation rule
- Manage data storage in Microsoft Sentinel by creating custom log tables and configuring retention tiers and archive policies for compliance. Then connect Microsoft Purview Audit as a data source and query its audit logs in the Microsoft Defender XDR portal for compliance investigations.
  After completing this module, you'll be able to:
  - Create custom log tables in a Microsoft Sentinel workspace to store nonstandard ingested data
  - Configure data retention tiers and archive policies for Microsoft Sentinel tables
  - Connect Microsoft Purview Audit as a data source in Microsoft Sentinel
  - Query Purview Audit logs in the Microsoft Defender XDR portal
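As an added illustration of the syslog-parsing objective above (this is editor-supplied example code, not material from the course), the query below is the kind of KQL parser the syslog module builds toward. It assumes the Azure Monitor Agent syslog DCR is collecting the `auth` and `authpriv` facilities into the standard `Syslog` table, and it extracts the target account, source IP and port from sshd "Failed password" messages, including the "invalid user" variant, which a naive `parse` on a single message shape would silently drop.

```kusto
// Added example (not from the course page): a reusable KQL parser for sshd
// authentication failures in the Syslog table populated by the AMA Syslog DCR.
// Assumption: the DCR collects the auth/authpriv facilities from the hosts.
let SshAuthFailures = () {
    Syslog
    | where Facility in ("auth", "authpriv")
    | where ProcessName == "sshd"
    | where SyslogMessage has "Failed password"
    // Both message shapes OpenSSH emits are handled:
    //   Failed password for alice from 203.0.113.7 port 51022 ssh2
    //   Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
    | extend IsInvalidUser = SyslogMessage has "invalid user"
    | extend Parsed = extract_all(
        @"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)",
        SyslogMessage)
    // Drop anything that did not match rather than emitting empty fields
    | where array_length(Parsed) > 0
    | extend TargetUser = tostring(Parsed[0][0]),
             SourceIP   = tostring(Parsed[0][1]),
             SourcePort = toint(Parsed[0][2])
    | project TimeGenerated, Computer, HostName, TargetUser, IsInvalidUser,
              SourceIP, SourcePort
};
// Usage: surface likely brute-force sources over the last day.
SshAuthFailures()
| where TimeGenerated > ago(1d)
| summarize Attempts = count(),
            DistinctUsers = dcount(TargetUser),
            InvalidUserAttempts = countif(IsInvalidUser),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Computer, SourceIP
| where Attempts >= 10
| order by Attempts desc
```

Saving the `let` body as a workspace function (Logs, "Save as function") gives analysts and analytics rules a single parser to call instead of repeating the regex; the `array_length` filter is the check worth keeping, because a message shape the regex does not cover should disappear from the results rather than appear with blank `TargetUser` and `SourceIP` columns.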
Syllabus
- Create and manage Microsoft Sentinel workspaces
  - Introduction
  - Plan for the Microsoft Sentinel workspace
  - Create a Microsoft Sentinel workspace
  - Manage workspaces across tenants using Azure Lighthouse
  - Understand Microsoft Sentinel permissions and roles
  - Manage Microsoft Sentinel settings
  - Configure logs
  - Module assessment
  - Summary and resources
- Manage content in Microsoft Sentinel
  - Introduction
  - Use solutions from the content hub
  - Use repositories for deployment
  - Module assessment
  - Summary and resources
- Connect Microsoft services to Microsoft Sentinel
  - Introduction
  - Plan for Microsoft services connectors
  - Connect the Microsoft 365 connector
  - Connect the Microsoft Entra connector
  - Connect the Microsoft Entra ID Protection connector
  - Connect the Azure Activity connector
  - Module assessment
  - Summary and resources
- Connect syslog data sources to Microsoft Sentinel
  - Introduction
  - Plan for syslog data collection
  - Collect data from Linux-based sources using syslog
  - Configure the Data Collection Rule for Syslog Data Sources
  - Parse syslog data with KQL
  - Module assessment
  - Summary and resources
- Connect Common Event Format logs to Microsoft Sentinel
  - Introduction
  - Plan for Common Event Format connector
  - Connect your external solution using the Common Event Format connector
  - Module assessment
  - Summary and resources
- Connect Windows hosts to Microsoft Sentinel
  - Introduction
  - Plan for Windows hosts security events connector
  - Connect using the Windows Security Events via AMA Connector
  - Connect using the Security Events via Legacy Agent Connector
  - Collect Sysmon event logs
  - Module assessment
  - Summary and resources
- Implement automation rules and playbooks in Microsoft Sentinel
  - Introduction
  - Understand Microsoft Sentinel automation options
  - Create automation rules in Microsoft Sentinel
  - Configure and activate a Content Hub playbook
  - Author a custom playbook with Azure Logic Apps
  - Knowledge check
  - Summary
- Manage data storage and query audit logs in Microsoft Sentinel
  - Introduction
  - Create custom log tables in Microsoft Sentinel
  - Implement data retention in Microsoft Sentinel
  - Connect Microsoft Purview Audit to Microsoft Sentinel
  - Query Purview Audit logs in Microsoft Defender XDR
  - Knowledge check
  - Summary