

Microsoft Sentinel


Learning Objectives

  • Monitor Azure environments using Defender for Cloud
  • Investigate security events using Microsoft Sentinel (formerly Azure Sentinel)
  • Respond to threats in Azure workloads

Azure Security Monitoring and Response

Azure provides integrated security monitoring through Microsoft Defender for Cloud and Microsoft Sentinel. Defender for Cloud covers posture management and per-workload threat detection; Sentinel is the SIEM/SOAR layer that ingests those alerts alongside other log sources for correlation, investigation, and automated response.

Microsoft Defender for Cloud

Defender for Cloud provides security posture management and workload protection:

Secure Score summarizes security posture as a percentage across the subscriptions in scope. Remediating recommendations raises the score and reduces risk; prioritize by the potential impact of the finding on your environment rather than by score gain alone.

Workload protections add detection for specific resource types:

  • Defender for Servers (endpoint protection)

  • Defender for App Service

  • Defender for Storage

  • Defender for SQL

  • Defender for Containers (formerly Defender for Kubernetes)

  • Defender for Key Vault


Enable protections for workload types you use. Each provides specialized detection.

The regulatory compliance dashboard maps assessments to standards such as the CIS benchmarks, NIST SP 800-53, and PCI DSS, so configuration drift can be tracked against the controls each standard requires.

Microsoft Sentinel

Sentinel provides cloud-native SIEM and SOAR capabilities:

Data connectors ingest logs from Azure services, Microsoft 365, and third-party sources. Confirm that the tables a connector populates (for example SigninLogs or AuditLogs) are actually receiving data before relying on rules that query them.

Analytics rules detect threats. Scheduled rules run a KQL query on an interval and raise an alert when the results exceed a threshold; built-in rule templates cover common patterns, and custom rules address environment-specific needs.
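As an added example (not from the lesson), the following is the query body of a scheduled analytics rule that flags a burst of failed sign-ins from one IP address followed by a successful sign-in from the same address. It assumes the SigninLogs table is populated by the Microsoft Entra ID (Azure AD) connector; the lookback and threshold values are assumptions to tune against your tenant's baseline.

```kql
// Added example: scheduled analytics rule body. Not from the lesson.
// Detects a burst of failed sign-ins from one IP followed by a successful
// sign-in from the same IP. Assumes SigninLogs is fed by the Entra ID
// connector. The lookback and threshold are assumptions to tune.
let lookback = 1h;            // match the rule's query frequency and lookback
let failure_threshold = 10;   // failed attempts per IP before we care
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                       // "0" is a successful sign-in
    | summarize FailedCount = count(),
                TargetedUsers = make_set(UserPrincipalName, 50),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by IPAddress
    | where FailedCount >= failure_threshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName,
              AppDisplayName, Location;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure                  // success after the burst began
| project FirstFailure, LastFailure, SuccessTime, IPAddress, FailedCount,
          TargetedUsers, CompromisedAccount = UserPrincipalName,
          AppDisplayName, Location
```

In the rule wizard, map the Account entity to CompromisedAccount and the IP entity to IPAddress so the incident carries both entities for investigation, and set the query frequency and lookback to the same value as `lookback` so no window is skipped or double-counted. Expect false positives from shared egress addresses (corporate NAT, VPN concentrators); either exclude those ranges with a watchlist or raise the threshold for them.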

Workbooks visualize security data through dashboards.

Incidents group related alerts for investigation. Case management tracks response progress.

Playbooks automate response using Logic Apps. Trigger enrichment, containment, or notification actions automatically, and grant the playbook's managed identity only the permissions those actions need.

Hunting enables proactive threat search with KQL queries. Saved queries and notebooks organize hunting activities.

Investigation Workflow

When Sentinel creates an incident:

  1. Review incident details - What triggered it? What entities are involved?

  2. Investigate entities - View timeline, related alerts, and behaviors for users/hosts

  3. Expand investigation - Use the investigation graph to explore relationships

  4. Determine verdict - True positive, false positive, or needs escalation

  5. Take action - Run playbooks, update rules, or escalate to incident response
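As an added example (not from the lesson), here is a hunting-style KQL query that supports step 2 of the workflow: it builds one time-ordered view of a single user entity across sign-ins, directory changes, and Sentinel alerts. The UPN and window are placeholders; take the entity from the incident being investigated. It assumes SigninLogs and AuditLogs come from the Microsoft Entra ID connector and SecurityAlert is populated by Sentinel.

```kql
// Added example: investigation query for one user entity. Not from the lesson.
// Produces a single time-ordered view across sign-ins, directory changes and
// Sentinel alerts so the analyst can see what the account did around the
// incident. The UPN and window are placeholders for the incident's entity.
let target = "user@example.com";
let window = 7d;
let signins = SigninLogs
    | where TimeGenerated > ago(window)
    | where UserPrincipalName =~ target
    | project TimeGenerated,
              Source = "SigninLogs",
              Event = iff(ResultType == "0", "Sign-in success",
                          strcat("Sign-in failure ", ResultType)),
              Detail = strcat(AppDisplayName, " from ", IPAddress, " (", Location, ")");
let audits = AuditLogs
    | where TimeGenerated > ago(window)
    | where tostring(InitiatedBy.user.userPrincipalName) =~ target
       or tostring(TargetResources[0].userPrincipalName) =~ target
    | project TimeGenerated,
              Source = "AuditLogs",
              Event = OperationName,
              Detail = strcat(Result, " by ", tostring(InitiatedBy.user.userPrincipalName));
let alerts = SecurityAlert
    | where TimeGenerated > ago(window)
    | where Entities has target          // Entities is a JSON string; substring match
    | project TimeGenerated,
              Source = "SecurityAlert",
              Event = AlertName,
              Detail = strcat(AlertSeverity, " via ", ProviderName);
union signins, audits, alerts
| order by TimeGenerated asc
```

Save this as a hunting query with the entity pulled in as a parameter, and run it from the incident page when the account is the suspected pivot. Reading the output top to bottom shows whether a successful sign-in from an unfamiliar address was followed by directory changes (new MFA method, added credentials, group membership) before any alert fired, which is the evidence the verdict in step 4 should rest on.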
Integration

Sentinel integrates with:

  • Defender for Cloud for workload alerts

  • Microsoft 365 Defender for endpoint and identity protection

  • Third-party tools through data connectors

  • External ticketing and communication systems through playbooks
