Introduction

Use Microsoft Sentinel to hunt for security threats across on-premises and cloud environments by using interactive queries and other tools.

This module imagines a midsize financial services company called Contoso, Ltd., based in London with a New York branch office. Contoso uses Microsoft 365, Microsoft Entra ID, Microsoft Entra ID Protection, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Endpoint Protection, and Azure Information Protection.

As part of the Security Operations Center team, you've been tasked with using Microsoft Sentinel to identify security threats within Contoso's Azure environment.

By the end of this module, you'll be able to hunt for threats by using the tools available in Microsoft Sentinel. Specifically, you'll be able to proactively identify threat behaviors by using Microsoft Sentinel queries. You'll also be able to use bookmarks and livestream to identify specific account usage patterns for Contoso's Azure environment.

Learning objectives

After completing this module, you'll be able to:

  • Use queries to hunt for threats.
  • Save key findings with bookmarks.
  • Observe threats over time with livestream.

Prerequisites

To get the best learning experience from this module, you should have the following:

  • Familiarity with security operations in an organization.
  • Basic experience with configuring Azure services, specifically Azure Policy.
  • Basic knowledge of operational concepts such as monitoring, logging, and alerting.
  • Basic knowledge of Microsoft Sentinel functionality.
  • Access to a Microsoft Azure subscription for exercise tasks.

Note

If you perform the exercises in this module, you might incur costs in your Azure subscription. To estimate the costs, see Microsoft Sentinel pricing.