Microsoft Sentinel SC-5001 Training Course: SIEM and Advanced Security Operations
Description of the SC-5001 Training Course
This Microsoft Sentinel – SIEM and Advanced Security Operations training course teaches you to configure, operate and monitor a modern SIEM/SOAR security platform in Azure. You will learn to collect, analyse and correlate security events from a variety of sources, write KQL queries to extract insights, and build effective detection rules. The course also covers the creation of custom dashboards, automation through Azure Logic Apps playbooks, and the workflows of an operational SOC. Hands-on labs based on real-world scenarios will enable you to identify and respond to cybersecurity threats. By the end, you will be able to run advanced security operations with Microsoft Sentinel.
Format and Teaching Methods
Remote (recorded sessions). This course can also be delivered on your premises. Content can be customised to your professional project’s needs. The programme alternates theory with extensive hands-on practice (around 60%) using concrete business use cases.
Good to Know Before Registering
Our sessions are guaranteed from just 1 registrant, with no risk of postponement (except in cases of force majeure). A preliminary interview is held with the participant and/or a company representative to identify the participant’s profile: level, needs, context and challenges. Assessment: the trainer monitors progress through multiple-choice questions, role-play and hands-on work. Participants receive a certificate of validated skills at the end of the training.
Learning Objectives of the SC-5001 Training Course
By the end of the training, participants will be able to:
- Understand the fundamentals of SIEM/SOAR cybersecurity in a cloud environment.
- Master the configuration, administration and monitoring of Azure Sentinel for threat detection and incident response.
- Collect, normalise and analyse security data from a variety of sources (logs, events, cloud/on-premises solutions).
- Implement detection rules, behavioural analytics and automation playbooks for incident response.
- Develop actionable dashboards and reports for operational threat intelligence.
- Apply best practices to operate a modern SIEM/SOAR Security Operations Centre (SOC).
Prerequisites for the SC-5001 Training Course
- Basic knowledge of cybersecurity, networks and threat models.
- Basic notions of logs, system events and KQL syntax (a prior introduction is a plus).
- Familiarity with Microsoft Azure (portal, resources, RBAC).
Because each participant is unique, a personalised interview is held in advance with our expert to design a course perfectly aligned with their objectives, level and professional challenges.
Target Audience
- Security engineers, SOC analysts and SIEM managers.
- Cloud administrators and DevOps involved in security monitoring.
- Security architects or cybersecurity consultants who want to master Microsoft Sentinel for advanced security operations.
Funding for this Training Course
This course is funded directly by the company (no CPF, no OPCO). See our funding terms.
Detailed Programme (modules and labs)
Introduction to SIEM and SOAR
- Key concepts of SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response).
- Overview of Azure Sentinel capabilities.
Architecture and data collection
- Sentinel architecture, Log Analytics workspaces.
- Data connectors: Azure, Windows, Linux, firewalls, Microsoft 365 and third-party sources.
- Log and format normalisation.
Kusto Query Language (KQL)
- KQL fundamentals.
- Search queries, aggregations and trend visualisation.
- Query optimisation for performance.
Analytics rules and intelligent detections
- Creating analytics rules based on conditions, trends and behaviours.
- Using machine learning and predefined rule templates.
- Testing rules for false positives and false negatives.
Incidents and investigations
- Designing investigations: trigrams, indicators and pivoting.
- Exploring entities and correlations between alerts.
- Tracing attacks using investigation graphs.
Playbooks and automation
- Introduction to Azure Logic Apps playbooks for automated response.
- Example playbooks for quarantine, IP blocking and notifications.
- Integration with Teams, email and ticketing.
Dashboards and reporting
- Creating custom dashboards.
- Publishing reports for compliance and management.
- Real-time dashboards.
Practical scenarios and SOC workflows
- Demonstrations of real detections: phishing, lateral movement, brute force, exfiltration.
- Setting up a structured SOC alert and response process.
Best practices and continuous security
- Cost management, log retention and data protection.
- Periodic rule updates and playbook tuning.
FAQ – Frequently Asked Questions about SC-5001
What is Microsoft Sentinel?
Microsoft Sentinel is Microsoft’s cloud-native solution combining SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response). It collects logs from your resources (Azure, M365, endpoints, firewalls, third-party SaaS), detects threats with analytics rules and ML, and automates response. The MFE-IT SC-5001 course trains SOC analysts in 1 day (6 h).
What is the difference between Microsoft Sentinel and Microsoft Defender?
Microsoft Defender XDR (formerly 365 Defender) focuses on detection and response across the Microsoft ecosystem (endpoints, identities, email, M365 SaaS). Microsoft Sentinel is a general-purpose SIEM that aggregates logs from any source (on-premises, multi-cloud, business applications). The two complement each other, and Sentinel can ingest Defender alerts for a unified view.
What is the KQL language in Microsoft Sentinel?
KQL (Kusto Query Language) is the query language of Microsoft Sentinel and Azure Monitor, inspired by SQL but optimised for log and time-series analysis. It lets you quickly filter, aggregate, join and visualise billions of events. Mastering KQL is essential for a Sentinel SOC analyst. MFE-IT devotes a significant part of the course to KQL queries focused on hunting and investigation.
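As an added illustration of the filter, aggregate and join steps described above (this is an example written for this page, not course material from MFE-IT or a query shipped with Microsoft Sentinel), the following KQL query looks for brute-force style sign-in failures in the SigninLogs table populated by the Microsoft Entra ID data connector and checks whether a burst of failures from one IP address was followed by a successful sign-in from the same address. The lookback, window and failure threshold are assumed values to be tuned per tenant, and ResultType 50126 (invalid username or password) is used as the failure code.

```kql
// Added example (not from the course material): detect a burst of failed sign-ins
// per source IP in the SigninLogs table (Microsoft Entra ID connector) and flag
// any IP that later obtained a successful sign-in, which is the case an analyst
// would escalate first. Thresholds below are assumptions to tune per tenant.
let lookback = 24h;            // how far back to search (assumed)
let window = 1h;               // aggregation bucket for counting failures (assumed)
let failureThreshold = 10;     // failures per IP per window before we care (assumed)
// 1. Filter: failed sign-ins caused by a wrong username or password (ResultType 50126).
let failed = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"
    // 2. Aggregate: failures per source IP per hour, plus how many distinct accounts were targeted.
    | summarize FailureCount = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                LastFailure = max(TimeGenerated)
              by IPAddress, Hour = bin(TimeGenerated, window)
    | where FailureCount >= failureThreshold;
// 3. Join: successful sign-ins (ResultType 0) from the same IP address.
let succeeded = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated, SuccessAccount = UserPrincipalName;
failed
| join kind=leftouter succeeded on IPAddress
// Only a success that happens after the failure burst indicates the guessing may have worked;
// IPs with no later success are kept (SuccessfulLogins = 0) so the burst itself is still visible.
| summarize FailureCount = max(FailureCount),
            TargetedAccounts = max(TargetedAccounts),
            SuccessfulLogins = countif(SuccessTime > LastFailure),
            AccountsSignedIn = make_set_if(SuccessAccount, SuccessTime > LastFailure, 10)
          by IPAddress, Hour
| order by SuccessfulLogins desc, FailureCount desc
```

Run as-is in the Logs blade to triage, or drop the final `order by` and replace it with `| summarize sum(FailureCount) by Hour | render timechart` to get the trend-visualisation step; the same query body, minus the rendering, is what would go into a scheduled analytics rule, with IPAddress and AccountsSignedIn mapped as the IP and Account entities.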
How long is the Sentinel SC-5001 course?
The MFE-IT course lasts 1 day (6 hours), in a fully tailored format with a maximum of 3 participants per session. It covers: Sentinel architecture, data connectors, ASIM tables and schema, security-focused KQL, analytics rules and incidents, threat hunting, Jupyter notebooks, Logic Apps playbooks (SOAR) and integration with Defender XDR. The course includes 30 days of post-training support.
Upcoming SC-5001 Training Sessions
Would you like to schedule this Microsoft Sentinel SC-5001 training course on a specific date? Contact us by email or by filling out the contact form.