Microsoft Sentinel (formerly Azure Sentinel) is Microsoft's cloud-native security information and event management (SIEM) solution, designed to detect, investigate, and respond to cybersecurity threats across the enterprise. This is a list of awesome free resources related to Microsoft Sentinel.
- Microsoft Sentinel skill-up training - Official Microsoft Learn documentation covering the full range of Sentinel features and capabilities, based on the Microsoft Sentinel Ninja Training.
- Must Learn KQL - Rod Trent's Must Learn KQL series teaches the fundamentals of Kusto Query Language (KQL) for querying and analysing data in Microsoft Sentinel and Azure Monitor.
- Addicted to KQL - A follow-on to Must Learn KQL covering advanced KQL topics.
- Microsoft Sentinel Notebook Ninja - Learning series on using Sentinel notebooks.
- KQL Cheat by Fourtytwo - Interactive, searchable KQL cheat sheet.
- Rod Trent's Substack - Blog posts by Rod Trent, filtered to Microsoft Sentinel.
- Microsoft Sentinel This Week Newsletter - Weekly newsletter with Sentinel updates, written by Rod Trent.
- Microsoft Security Insights YouTube Channel - Weekly video podcast covering the latest in Microsoft security.
- rod-trent/SentinelKQL - A collection of KQL queries.
- rod-trent/OpenAISecurity - Queries related to OpenAI/ChatGPT.
- Bert-JanP/Hunting-Queries-Detection-Rules - KQL queries covering detections across all Microsoft Defender security products.
- reprise99/kql-for-dfir - Collection of KQL queries for digital forensics and incident response (DFIR).
- reprise99/Sentinel-Queries - KQL queries covering a wide range of Sentinel tasks.
- cyb3rmik3/KQL-threat-hunting-queries - Threat hunting, detection, and SecOps queries.
- LearningKijo/KQL - Queries for Email, Endpoint, Entra ID (formerly Azure AD), and Threat Hunting.
- rod-trent/SentinelWorkbooks - A collection of Sentinel workbooks.
- rod-trent/SentinelPlaybooks - A collection of Sentinel playbooks.
- Microsoft First Party App Names - A JSON/CSV collection of mappings of AppId and AppOwnerOrganizationId to a human-readable AppDisplayName for use in KQL.
- AZSentinel - PowerShell module for interacting with Sentinel.
- Sentinel All-In-One - A one-click deployment of Sentinel.
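The Microsoft First Party App Names mapping listed above is a lookup table: AppId (and AppOwnerOrganizationId) to a readable AppDisplayName. The following KQL is an added example, not code from that repository or from any of the listed projects, showing how such a mapping is typically consumed in Sentinel. The three mapping rows and their GUIDs are constructed placeholders; the `FirstPartyApps` name and the `FirstPartyAppName` column are assumptions made for this example. In a live workspace the repository's CSV would be loaded with the `externaldata()` operator (or pasted into the `datatable`) and the query run against the real `SigninLogs` table.

```kql
// Added example (not code from the linked repository). The rows below are
// constructed placeholders standing in for the repository's AppId ->
// AppDisplayName mapping; in a live workspace, load the real CSV with the
// externaldata() operator or paste its rows into this datatable.
let FirstPartyApps = datatable(AppId: string, AppOwnerOrganizationId: string, FirstPartyAppName: string)
[
    "11111111-1111-1111-1111-111111111111", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "Sample Microsoft App A",
    "22222222-2222-2222-2222-222222222222", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "Sample Microsoft App B",
    "33333333-3333-3333-3333-333333333333", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "Sample Microsoft App C"
];
// Successful interactive sign-ins from the last day, enriched with the mapping.
// lookup keeps every SigninLogs row and adds the mapping columns where the
// AppId matches; unmatched rows get empty values.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| lookup kind=leftouter FirstPartyApps on AppId
// No match means the app is not a known Microsoft first-party app, i.e. a
// third-party or tenant-owned application worth reviewing for unexpected
// OAuth consent or token use.
| extend IsKnownFirstParty = isnotempty(FirstPartyAppName)
| where not(IsKnownFirstParty)
| summarize
    SignIns = count(),
    Users = dcount(UserPrincipalName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AppId, AppDisplayName
| order by SignIns desc
```

Keeping the mapping column name distinct from SigninLogs' own `AppDisplayName` avoids the automatic `1` suffix KQL adds to colliding column names, and the leftouter lookup means the query surfaces the unknown apps rather than silently dropping them, which is the point when the list is used for hunting.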