Implement activity and event collection in Microsoft Sentinel

Build a complete event collection and response architecture in Microsoft Sentinel. In this learning path, you set up and secure a Microsoft Sentinel workspace, deploy Content Hub solutions, and connect Azure resource data. Then you collect Linux and Windows security events with data collection rules, and implement automated response workflows with Logic Apps playbooks. The final stage is to manage data retention and audit log access to meet compliance requirements.

Prerequisites

  • Working knowledge of Azure resource deployment and Azure role-based access control (RBAC)
  • Familiarity with Log Analytics workspaces and basic Kusto Query Language (KQL) queries
  • Understanding of Windows Server administration and Windows event logs
  • Familiarity with networking fundamentals including TCP/UDP and the syslog protocol
  • Foundational understanding of security operations concepts including Security Information and Event Management (SIEM), incidents, and alerting

Modules in this learning path

Learn about the architecture of Microsoft Sentinel workspaces to ensure you configure your system to meet your organization's security operations requirements.

By the end of this module, you're able to manage content in Microsoft Sentinel.

Learn how to connect Microsoft 365 and Azure service logs to Microsoft Sentinel.

Learn about the Azure Monitor Agent Linux Syslog Data Collection Rule configuration options, which let you select the syslog facilities and severity levels to collect and parse syslog data into Microsoft Sentinel.

Most vendor-provided connectors utilize the CEF connector. Learn about the Common Event Format (CEF) connector's configuration options.

Two of the most common logs to collect are Windows security events and Sysmon. Learn how Microsoft Sentinel makes this easy with the Microsoft Windows Events data connectors.

Automate incident management in Microsoft Sentinel using automation rules and Logic Apps playbooks. Create automation rules to triage and route incidents, activate a prebuilt response playbook from Content Hub, and author a custom playbook. Together, these steps implement an automated notification and response workflow.

Manage data storage in Microsoft Sentinel by creating custom log tables, configuring retention tiers and archive policies, and integrating Microsoft Purview Audit. Create tables for nonstandard data sources, apply Analytics and Archive retention tiers to meet compliance requirements, and query Purview Audit logs in the Microsoft Defender XDR portal.