Agent Foskett Academy • Microsoft Sentinel

Microsoft Sentinel Academy.

The KQL Academy taught analysts how to ask better questions of security data.

Now Agent Foskett moves into the platform that turns those questions into operational security monitoring.

Microsoft Sentinel brings together SIEM, SOAR, analytics rules, incidents, automation, workbooks and threat hunting into one cloud-native security operations platform.

This Academy will teach security analysts how to build Sentinel the practical way: one connector, one rule, one incident and one investigation at a time.

Agent Foskett Microsoft Sentinel Academy learning path
Academy overview

Learn Microsoft Sentinel from the ground up, with practical lessons covering workspace design, data ingestion, analytics rules, incidents, automation and investigation workflows.

Understand Microsoft Sentinel architecture
Connect Microsoft security data sources
Create analytics rules and incidents
Build workbooks, playbooks and hunting workflows

Microsoft Sentinel Academy Learning Path

Our practical lessons are now published across two structured modules, with more to follow.
Module 1 establishes the Sentinel foundations. Module 2 moves into operational SOC workflows, dashboards, automation, playbooks and investigation enrichment.
 
Module 1 — Microsoft Sentinel Foundations ✅ Complete Six lessons covering Sentinel fundamentals, Defender XDR integration, Log Analytics, incidents and analytics rules.
✅ Module 1
Lesson 1 — What is Microsoft Sentinel? Learn what Microsoft Sentinel is, how SIEM and SOAR work, and how Sentinel fits alongside Microsoft Defender XDR in a modern Security Operations Centre.
✅ Module 1
Lesson 2 — Microsoft Sentinel vs Microsoft Defender XDR Understand where the platforms overlap, where they differ, and why mature SOCs often deploy both.
✅ Module 1
Lesson 3 — Log Analytics Workspace Basics Learn how Sentinel stores security data in Log Analytics, including tables, retention, ingestion and workspace design.
✅ Module 1
Lesson 4 — Connecting Microsoft Defender XDR Learn how Defender XDR incidents, alerts, entities and telemetry become part of broader Sentinel investigations.
✅ Module 1
Lesson 5 — Understanding Microsoft Sentinel Incidents Understand incident severity, status, ownership, entities, alerts and repeatable analyst investigation workflows.
✅ Module 1
Lesson 6 — Your First Analytics Rule Turn KQL into scheduled detections using frequency, lookup periods, thresholds, entity mapping and incident creation.
Module 2 — Sentinel Operations 🚀 In Progress Operational lessons covering data ingestion, workbooks, automation rules, Logic Apps playbooks, Watchlists and Threat Intelligence.
🚀 Module 2
Lesson 7 — Microsoft Sentinel Data Connectors Learn how Microsoft, Azure and third-party data sources send telemetry into Log Analytics and Sentinel.
🚀 Module 2
Lesson 8 — Microsoft Sentinel Workbooks and Dashboards Use KQL, charts, parameters and visualisations to monitor incidents, connectors and SOC performance.
🚀 Module 2
Lesson 9 — Microsoft Sentinel Automation Rules Automate owner assignment, tags, severity changes, status updates, comments and playbook execution.
🚀 Module 2
Lesson 10 — Microsoft Sentinel Playbooks and Logic Apps Use Azure Logic Apps to automate notifications, enrichment, ticketing and repeatable incident response workflows.
🚀 Module 2
Lesson 11 — Microsoft Sentinel Watchlists Learn how Watchlists add business context to Sentinel investigations using VIP users, critical assets, trusted IP addresses, service accounts and other organisation-specific reference data.
🚀 Module 2
Lesson 12 — Microsoft Sentinel Threat Intelligence Learn how Microsoft Sentinel uses Threat Intelligence feeds and Indicators of Compromise (IOCs) to detect known malicious IP addresses, domains, URLs, file hashes and other attacker infrastructure.

Microsoft Sentinel Academy roadmap

The Academy now combines completed foundation lessons with an expanding operational learning path covering data connectors, workbooks, automation, playbooks, detection engineering and threat hunting.
Module 1 — Sentinel FoundationsWhat Sentinel is, how it differs from Defender XDR, how Log Analytics fits in and how cloud-native SIEM changes security operations.
Module 2 — Sentinel OperationsData connectors, workbooks, automation rules, Logic Apps playbooks and repeatable SOC workflows.
Module 3 — Analytics RulesBuilding scheduled rules, near-real-time detections, entity mapping, alert grouping, incident creation and MITRE ATT&CK alignment.
Module 4 — Incidents and InvestigationWorking alerts, entities, bookmarks, timelines, comments, owner assignment and repeatable investigation processes inside Sentinel.
Module 5 — Workbooks and DashboardsTurning security data into operational views for SOC teams, managers, threat hunters and incident responders.
Module 6 — Automation and SOARUsing automation rules, Logic Apps and playbooks to enrich incidents, notify responders, isolate risk and standardise response actions.

How Sentinel connects to the KQL Academy

The existing KQL Academy becomes the foundation. Sentinel then applies those skills to operational monitoring, detections and investigations.
KQL FoundationsSentinel analytics rules and hunting queries rely on KQL, making the original Academy the natural prerequisite.
Enterprise Hunting QueriesAdvanced KQL patterns can be reused inside Sentinel hunting, analytics rules and workbook queries.
Defender XDR WorkflowSentinel expands the investigation view by bringing Microsoft and non-Microsoft signals into one SOC workflow.

Sentinel skills this Academy will teach

The goal is not just to explain the portal. The goal is to teach operational Sentinel thinking.
SIEM architectureUnderstand workspaces, data connectors, retention, tables, ingestion cost and deployment design.
Detection engineeringCreate analytics rules that map entities, reduce false positives, generate useful incidents and align with MITRE ATT&CK.
SOC operationsManage incidents, triage alerts, assign owners, investigate entities and document response decisions.
Threat huntingUse KQL, bookmarks, hunting queries and investigation pivots to proactively find suspicious activity.
AutomationUse automation rules and playbooks to notify responders, enrich incidents, create tickets and standardise response actions.
ReportingBuild workbooks that show security posture, incident trends, detection coverage and operational SOC performance.

Final thought

KQL helps analysts find evidence. Sentinel helps security teams operationalise that evidence.
Agent Foskett mindsetA query becomes more powerful when it becomes part of a repeatable SOC workflow. Sentinel is where hunting logic becomes detection, investigation and response.
New Academy SeriesThe Microsoft Sentinel Academy begins the next chapter of Agent Foskett, expanding from KQL learning into cloud-native SIEM, SOAR and enterprise security operations.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Microsoft Sentinel Academy by Agent Foskett

The Agent Foskett Microsoft Sentinel Academy teaches security analysts how to use Microsoft Sentinel for SIEM, SOAR, threat hunting, analytics rules, incidents, data connectors, workbooks, watchlists and automation. Published lessons now cover Sentinel fundamentals, Defender XDR integration, Log Analytics, incidents, analytics rules, data connectors, workbooks, automation rules and Logic Apps playbooks.

Learn Microsoft Sentinel for security operations

This Sentinel learning path explains Log Analytics workspaces, Microsoft Defender XDR connectors, analytics rules, incident investigation, automation rules, Logic Apps playbooks, threat intelligence, hunting queries and operational SOC workflows.

Microsoft Sentinel training for Defender XDR and KQL analysts

The Microsoft Sentinel Academy builds on the Agent Foskett KQL Academy by showing defenders how to turn KQL queries into detections, workbooks, incident response processes and enterprise-scale security monitoring.