Microsoft Sentinel - Cloud-Native SIEM Track
Onboard, write KQL, build analytics, automate with Logic Apps, and hunt threats. SC-200 aligned, SOC-grade.
Who Is This For
- SOC analysts moving to cloud-native SIEM
- Engineers replacing legacy SIEMs (QRadar / ArcSight / Splunk on-prem)
- SC-200 candidates
- Threat hunters & detection engineers
Prerequisites
- Basic Azure knowledge
- SOC fundamentals (events, alerts, incidents)
- SQL-style query familiarity helps but we teach KQL from scratch
Full Syllabus: 14 Modules
M1: SIEM Concepts & Sentinel Architecture
- What a SIEM does, log lifecycle
- Sentinel: workspace, Log Analytics
- Pricing model: pay-as-you-ingest
- Sentinel vs Splunk vs QRadar
M2: Workspace Setup & RBAC
- Onboarding Sentinel
- Built-in roles & least privilege
- Multi-tenant / multi-workspace patterns
- Cost management & commitment tiers
M3: Data Connectors
- Microsoft connectors: Defender, Entra, Office
- Azure Activity, Diagnostic Settings
- Linux / Windows agents (AMA)
- Syslog / CEF / custom logs / API connectors
M4: KQL (Kusto Query Language)
- Schema, tables, common operators
- where, project, summarize, join, parse
- Time series & binning
- Performance tips for huge datasets
M5: Analytics Rules
- Scheduled, NRT, Microsoft Security, Anomaly, Fusion
- Rule template usage
- Entity mapping
- Tuning & suppression
M6: Incidents & Investigation
- Incident lifecycle
- Investigation graph
- Bookmarking & comments
- Closing classifications
M7: SOAR, Playbooks with Logic Apps
- Playbook design patterns
- Triggers: incident vs alert vs entity
- Common automations: disable user, block IP
- Playbook permissions
M8: Workbooks & Dashboards
- Built-in workbooks
- Custom workbook authoring
- Parameter / drill-down design
- Sharing with stakeholders
M9: Threat Intelligence
- TI connectors: TAXII, MISP, MS TI
- Threat indicators table
- TI matching rules
- Custom TI ingestion
M10: Hunting & Notebooks
- Hunting queries: built-in & custom
- Livestream
- Jupyter notebooks for advanced hunts
- MITRE ATT&CK mapping
M11: UEBA & Anomaly Detection
- Enabling UEBA
- Entity timelines
- Risk scoring
- Hunting on UEBA insights
M12: Defender XDR Integration
- Unified Defender + Sentinel portal
- Incident correlation
- Alerts vs incidents flow
- Best-of-both deployment patterns
M13: Real-World Use Cases
- Phishing investigation walkthrough
- Brute force / impossible travel
- Ransomware indicators
- Insider data exfiltration
M14: Cert Path & Interview Prep
- SC-200 blueprint walkthrough
- Mock exam strategy
- SOC L1 / L2 / L3 interview question bank
What You Get
40 Hours
Live + recorded for the SC-200 blueprint.
Hands-on Labs
Free-tier Sentinel: onboard, write KQL, build analytics rules, run playbooks.
Real Case Studies
Phishing, brute force, ransomware indicators, insider exfiltration.
Interview Q&A
SOC L1 / L2 / L3 question bank.
Certificate
Techclick Infosec course completion certificate.
WhatsApp Group
Doubt-clearing batch group with the trainer.
Your Instructor
Trained by working senior cloud and network security engineers with 13+ years of hands-on enterprise experience across SIEM, SOC operations, Microsoft Sentinel and large-scale detection engineering.
FAQ
Q1: No prior Azure experience?
Modules 1-2 bring you up to speed on workspace concepts.
Q2: KQL from scratch?
Yes. Module 4 is dedicated to it, with practice queries.
Q3: SC-200 covered fully?
Yes. Module 14 walks the blueprint with mocks. We cover the Defender XDR sections too.
Q4: Duration?
About 40 hours over 5-6 weeks.
Q5: Sentinel vs Splunk?
We have a separate Splunk course; take both for full SOC vendor coverage.
Run a cloud-native SOC.
Talk to us about the next batch.