For Security Engineers, Detection Engineers, and Architects Who Need to Scale Operations Without Scaling Headcount
Security Automation with Sentinel
Connect your detection rules to automated response — before the analyst opens the alert.
Build security automation that enriches alerts, collects evidence, contains threats, and escalates incidents — automatically, at machine speed. Design and deploy Sentinel playbooks, Logic Apps, and Azure Functions that auto-revoke compromised sessions, isolate endpoints, collect forensic evidence at alert time, and route incidents to the right team.
What you'll be able to do
Who this course is for
“Every incident starts with the same 15 minutes of manual lookups.” You check the user’s risk score, pull their recent sign-ins, look up the IP, check device compliance, then copy it all into the ticket. This course builds the playbook that does those lookups in 30 seconds and pre-populates the incident before you open it.
“We have Sentinel playbooks but nobody trusts them enough to enable them.” They were built without confidence thresholds, blast radius assessment, or approval gates. This course teaches the governance framework that makes automation trustworthy — so containment actions run when they should and stop when they shouldn’t.
“I can build detection rules but I don’t know how to connect them to automated response.” Your Sentinel analytics rules fire alerts. The alerts sit in the queue. Nobody has wired the output to a Logic App that collects evidence, enriches the entity, and notifies the right team. This course bridges detection to response.
“Management wants MTTR metrics and I have no way to measure them.” You can’t report what you don’t track. This course builds the monitoring layer — playbook success rates, containment timing, enrichment latency, and the KQL dashboards that show leadership what automation is doing.
“I’m a SOC analyst and I want to move into security engineering.” Security automation is the bridge from operations to engineering. You go from running manual procedures to designing the Logic Apps, Azure Functions, and governance frameworks that scale the SOC. This course builds that skillset.
“We automated containment once and it disabled 40 accounts during a false positive.” That’s the blast radius problem. This course teaches you to classify every automation by risk tier, set confidence thresholds, build approval gates for high-impact actions, and design rollback procedures — so automation helps instead of causing incidents.
Whatever your background — if the subject interests you and you’re willing to put in the work, this course is for you.
Before and after this course
Before:
Every incident starts with 15 minutes of manual enrichment — user risk, sign-in history, IP reputation, device compliance. By the time you’ve gathered context, the attacker has moved laterally.
Evidence is collected hours after the alert fires. The volatile artifacts — process trees, network connections, memory state — are gone by the time the analyst gets to triage.
Your playbooks exist as Word documents in SharePoint. The runbook says “revoke sessions and isolate the endpoint” but every analyst does it differently, at different speeds, and sometimes not at all.
Leadership asks for MTTR and you open a spreadsheet. There are no automated metrics, no playbook success tracking, no way to prove that your SOC is getting faster.
After:
Incidents arrive pre-enriched. IP reputation, user risk, device compliance, sign-in anomalies — all populated before the analyst opens the case. Triage starts at the decision, not the data gathering.
Evidence collection triggers at alert time. Cloud sign-ins, endpoint process trees, email activity, and network connections are captured and packaged automatically with SHA-256 verification.
Tier 1 enrichment runs automatically. Tier 2 collection runs automatically. Tier 3 containment runs with approval gates and confidence thresholds — consistent, auditable, and governed by the framework you built.
Playbook success rates, containment timing, enrichment latency, and MTTR are tracked automatically. You show leadership a KQL dashboard, not a spreadsheet.
How the course works
Three tiers build from zero-risk enrichment to governed containment. Each tier produces deployable automation you test in your own Sentinel workspace:
Tier 1 (enrichment): The automation problem, Logic Apps fundamentals, entity enrichment playbooks, IP reputation, user risk scoring, device compliance checks. Zero blast radius — automate everything at this tier.
Tier 2 (collection and notification): Evidence auto-capture at alert time, Teams and email notification, ticket creation, escalation workflows, MSSP integration. Low blast radius with basic validation gates.
Tier 3 (containment): Session revocation, endpoint isolation, account disabling, OAuth revocation. Confidence thresholds, approval gates, blast radius assessment, rollback procedures, and program metrics.
What the content looks like
This is a real automation tier assessment from the containment module. Before you wire any Sentinel analytics rule to a containment playbook, you classify the action by blast radius and set the governance controls that prevent automation from causing the incident:
Every containment action in this course goes through this assessment before it becomes a playbook. The blast radius tells you what breaks. The confidence threshold tells you when to fire. The approval gate tells you who decides. Every module teaches at this level — deployable automation with the governance logic built in.
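The gating logic described above, written out as an added Python example (not the course's own playbook or function): a Tier 3 containment request is checked against eligibility, a confidence floor and auto threshold, and blast radius indicators before it is allowed to run unattended. The watchlist contents, rule name, thresholds and account cap are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the lab pack's governance watchlists (example data).
VIP_USERS = {"cfo@northgate.example"}
KNOWN_SAFE_IPS = {"198.51.100.10"}          # RFC 5737 documentation range
CONTAINMENT_ELIGIBLE_RULES = {"NE-AiTM-Session-Theft"}   # hypothetical rule name

# Hypothetical thresholds for a Tier 3 (containment) action.
AUTO_CONFIDENCE = 0.90       # at or above: may run without a human
FLOOR_CONFIDENCE = 0.70      # below: do not contain at all, enrichment only
MAX_AUTO_ACCOUNTS = 3        # wider scope than this always needs approval


@dataclass
class Incident:
    rule_id: str
    confidence: float              # analytics rule score, 0.0 to 1.0
    accounts: list[str]            # accounts the playbook would act on
    source_ip: str
    high_risk_asset: bool = False  # device is on High-Risk-Assets watchlist


@dataclass
class Decision:
    action: str                    # "auto", "approval" or "skip"
    reasons: list[str] = field(default_factory=list)


def assess_containment(inc: Incident) -> Decision:
    """Decide whether a containment playbook may run unattended, needs an
    approval gate, or must not run at all for this incident."""
    # Eligibility gates: only validated rules, and never against a known-safe source.
    if inc.rule_id not in CONTAINMENT_ELIGIBLE_RULES:
        return Decision("skip", ["rule not on Containment-Eligible-Rules"])
    if inc.source_ip in KNOWN_SAFE_IPS:
        return Decision("skip", ["source IP on Known-Safe-IPs"])
    if inc.confidence < FLOOR_CONFIDENCE:
        return Decision("skip", [f"confidence {inc.confidence:.2f} below floor"])
    # Blast radius: anything that would hurt if this turns out to be a false positive.
    reasons = []
    if inc.confidence < AUTO_CONFIDENCE:
        reasons.append(f"confidence {inc.confidence:.2f} below auto threshold")
    if len(inc.accounts) > MAX_AUTO_ACCOUNTS:
        reasons.append(f"{len(inc.accounts)} accounts exceeds auto scope")
    vips = sorted(VIP_USERS.intersection(inc.accounts))
    if vips:
        reasons.append(f"VIP accounts in scope: {', '.join(vips)}")
    if inc.high_risk_asset:
        reasons.append("device on High-Risk-Assets")
    return Decision("approval" if reasons else "auto", reasons)
```

In a Logic App the equivalent branches map onto a condition step per gate; the reasons list is what you would write into the incident comment so the approver sees why the action was held.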
Lab Pack — Build Real Automation in Your Own Sentinel Workspace
Downloadable lab pack with everything you need to build, test, and deploy the SA automation stack in your own Microsoft Sentinel environment.
Lab environment (free): M365 E5 developer tenant + Azure free subscription + Sentinel workspace with 5 GB/day free ingestion. No local VMs required — all automation runs in the cloud.
Watchlist seed data (5 CSVs): VIP-Users (executive accounts requiring approval gates), Known-Safe-IPs (corporate network ranges), High-Risk-Assets (servers requiring blast radius assessment), Containment-Eligible-Rules (analytics rules validated for automation tiers), CDN-Ranges (cloud provider IP exclusions).
KQL query packs (11 queries): Detection triggers, enrichment queries, evidence collection queries, health monitoring (playbook success rate, containment metrics, suppression audit), and multi-signal correlation.
Deployable automation: ARM template for SA2 enrichment playbook with staging and production parameter files. Python Azure Functions for TI enrichment and evidence packaging.
Scripts: Watchlist deployment, test incident generator (10 capstone scenarios), sample data generator (30 days of NE telemetry with planted AiTM attack), and full-stack automation deployment.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy playbooks, automation rules, KQL queries, and Azure Functions from this course in your organization’s production environment. You may not redistribute course content, share account credentials, or republish course materials.
Automation artifacts: All playbooks and functions are provided as-is. Test every automation in a staging workspace before production deployment. Automated containment actions have business impact — verify blast radius before enabling. Ridgeline Cyber Defence is not responsible for operational impact from deployed automation.
Fictional environment: All scenarios use the fictional Northgate Engineering environment. IP addresses use RFC 5737 documentation ranges.
Version and changelog
Current version: 1.0 | Last updated: 2026
2026 — v1.0: Course launch. 14 modules (SA0–SA13). 7 deployable Logic App playbooks, 4 Azure Functions, 11 KQL query packs, 5 governance watchlists.
This course is actively maintained. Automation playbooks are updated as the Microsoft security platform evolves.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.