Module 1: SA1: Sentinel Automation Fundamentals

5 hours · Free tier

Module Overview

SA0 established the framework — the three tiers, the confidence thresholds, the blast radius assessment. This module puts that framework into practice. You will build your first Sentinel automation rule in under 5 minutes, then build your first Logic App playbook that enriches incidents with user risk data and posts the results to Teams.

This module covers the mechanical foundations: how automation rules work, how Logic Apps work, how authentication and permissions connect playbooks to Microsoft APIs, how entity extraction provides the data playbooks need, how error handling prevents silent failures, how testing validates behavior before production, how monitoring detects failures in production, and how cost management keeps playbook expenses predictable.

By the end of this module, you will have two working automations deployed in your Sentinel workspace: an automation rule that accelerates AiTM triage, and a playbook that enriches every incident with user context. Both are Tier 1 automations — zero blast radius, immediate value.

What you will build in this module

  • Your first automation rule — changes AiTM alert severity to High, assigns the incident to a senior analyst, and adds a tag
  • Your first playbook — enriches incidents with user risk score, sign-in history, and device compliance, then posts to Teams
  • Automation health monitoring — KQL queries that detect playbook failures and track execution metrics

Subsections

#        Title                                           Type
SA1.1    Automation Rules — The Lightweight Layer        Content
SA1.2    Playbooks — The Power Layer                     Content
SA1.3    Your First Automation Rule                      Content
SA1.4    Your First Playbook                             Content
SA1.5    Authentication and Permissions                  Content
SA1.6    Entity Extraction and Mapping                   Content
SA1.7    Error Handling and Retry Logic                  Content
SA1.8    Testing Automation Safely                       Content
SA1.9    Monitoring Automation Health                    Content
SA1.10   Cost Management                                 Content
SA1.11   Interactive Lab: Build Your First Playbook      Lab
SA1.12   Module Summary                                  Summary
SA1.13   Check My Knowledge                              KC

Sections in this module