👨‍🏫 Instructor-Led Training

SC-5001: Configure SIEM security operations using Microsoft Sentinel

Course Code: SC-5001
Duration: 1 Day
Level: Intermediate
Category: IT Support and Administration

Course Overview

Course Description:

Strengthen your organization’s defense posture by mastering SIEM (Security Information and Event Management) operations with Microsoft Sentinel. This instructor-led course teaches security professionals how to configure, manage, and operationalize Microsoft Sentinel to detect threats, investigate incidents, and respond effectively within a cloud-native Security Operations Center (SOC).

Designed for real-world impact, the course walks you through setting up data connectors, building custom analytics rules, automating incident response with playbooks, and using Kusto Query Language (KQL) for advanced threat hunting. Learn how to integrate Microsoft Defender XDR, Microsoft Entra ID, and third-party solutions into a centralized threat detection and response strategy.

This course is 40%–50% hands-on, with practical labs and guided configuration scenarios using Microsoft Sentinel.


Target Audience:

This course is ideal for:

  • Security analysts and SOC operators responsible for threat detection and response

  • Cloud security engineers managing Microsoft Sentinel environments

  • IT security professionals deploying or transitioning to cloud-native SIEM solutions

  • Individuals preparing for the SC-200: Microsoft Security Operations Analyst certification

Prerequisites:
Familiarity with Microsoft 365 security services, basic knowledge of Azure, and general understanding of cybersecurity concepts such as incidents, alerts, and threat indicators.


Course Outline:

Module 1: Introduction to Microsoft Sentinel and SIEM Fundamentals

  • Understand the purpose of a cloud-native SIEM and the value of Microsoft Sentinel

  • Explore Sentinel’s architecture, components, and integration with Microsoft Defender XDR

  • Navigate the Microsoft Sentinel workspace and dashboards

Module 2: Connect and Ingest Data into Microsoft Sentinel

  • Configure data connectors for Microsoft and third-party sources

  • Use Log Analytics and Azure Monitor to manage collected telemetry

  • Understand schema, normalization, and best practices for scalable ingestion

Module 3: Create Analytics Rules and Manage Threat Detection

  • Build and manage scheduled analytics rules to identify suspicious activity

  • Use Microsoft’s built-in rule templates and customize detection logic

  • Map detections to MITRE ATT&CK tactics and techniques, and tune alert thresholds to reduce false positives

Module 4: Investigate and Respond to Incidents

  • Understand the incident management lifecycle in Microsoft Sentinel

  • Use workbooks, entity behavior analytics (UEBA), and notebooks for deep investigation

  • Correlate alerts and incidents to uncover attack paths and lateral movement

Module 5: Automate Response with Playbooks and Logic Apps

  • Build automated response workflows using Azure Logic Apps

  • Trigger actions based on incidents, alerts, or external inputs

  • Integrate Sentinel with ticketing systems, email, and other automation tools

Module 6: Proactive Threat Hunting with KQL

  • Use Kusto Query Language (KQL) to perform advanced hunting across logs

  • Create custom hunting queries to identify anomalies and emerging threats

  • Use the built-in hunting queries and incorporate threat intelligence indicators into your hunts
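The KQL example below is added here to illustrate the kind of query that Modules 3 and 6 work with; it is not course material from the SC-5001 outline or code from Microsoft. It detects password spraying against Microsoft Entra ID (MITRE ATT&CK T1110.003) by counting distinct accounts that fail to sign in from one source IP inside a window, and it can be run as an ad-hoc hunting query or pasted into a scheduled analytics rule. It assumes the SigninLogs table is populated through the Microsoft Entra ID data connector; the threshold of 20 accounts and the one-hour window are assumptions to be tuned per tenant.

```kusto
// Added example, not from the course: password-spray detection over SigninLogs.
// Assumes SigninLogs is ingested via the Microsoft Entra ID connector.
// lookback and threshold are tunable assumptions, not recommended values.
let lookback = 1h;
let threshold = 20;   // distinct target accounts per source IP per window
// Entra ID result codes for credential failures that a spray produces:
// 50126 = invalid username or password, 50053 = account locked, 50055 = password expired
let failureCodes = dynamic(["50126", "50053", "50055"]);
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (failureCodes)
    | summarize
        DistinctUsers  = dcount(UserPrincipalName),
        FailedAttempts = count(),
        TargetedUsers  = make_set(UserPrincipalName, 50),
        TargetedApps   = make_set(AppDisplayName, 10),
        FirstSeen      = min(TimeGenerated),
        LastSeen       = max(TimeGenerated)
        by IPAddress, bin(TimeGenerated, lookback)
    | where DistinctUsers >= threshold;
// A spray that ends in a success is the case that needs immediate response,
// so join any successful sign-ins from the same source IP in the same window.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize CompromisedCandidates = make_set(UserPrincipalName, 50) by IPAddress;
failures
| join kind=leftouter successes on IPAddress
| extend Severity = iff(array_length(CompromisedCandidates) > 0, "High", "Medium")
| project TimeGenerated, IPAddress, DistinctUsers, FailedAttempts,
          TargetedUsers, CompromisedCandidates, TargetedApps, FirstSeen, LastSeen, Severity
| order by DistinctUsers desc
```

When this is saved as a scheduled analytics rule, map IPAddress to the IP entity and the user sets to the Account entity in the rule wizard so that the resulting incidents carry the entities investigation and playbooks act on; set the rule's query period and frequency to match the window used in the query, otherwise the same spray is either missed or alerted on repeatedly.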

Module 7: Monitor, Tune, and Maintain Sentinel Operations

  • Set up workbooks and dashboards for operational visibility

  • Monitor Sentinel health and performance

  • Apply best practices for rule tuning, alert management, and cost optimization


Delivery Format:

  • Instructor-led training with expert guidance

  • 40%–50% hands-on learning using a live Microsoft Sentinel environment

  • Includes practical configuration, investigation, and automation scenarios

Hands-On Labs

This course includes practical, hands-on laboratory exercises to reinforce your learning.
