What Changed

New comprehensive training environment for Microsoft Sentinel, deployed under the Tools/ directory. It includes an ARM template-based deployment, 14 structured exercises, pre-recorded security telemetry (~10 MB), and practical workflows covering detection engineering, threat hunting, and data lake operations.

Training Content

Core Infrastructure

  • One-click ARM deployment with Log Analytics workspace provisioning
  • Azure Automation runbooks for telemetry ingestion via Logs Ingestion API
  • Microsoft Graph API integration for custom detection rules deployment
  • Support for both User-Assigned Managed Identity and Service Principal authentication

Security Data Sources

Pre-recorded telemetry from multiple security platforms:

  • CrowdStrike: Alerts, detections, cases, hosts, and vulnerabilities
  • AWS CloudTrail: Cloud audit events
  • GCP Audit Logs: Google Cloud platform events
  • Okta: Identity and authentication logs
  • Palo Alto: Network security events
  • Custom tables: Specialized attack scenarios and hunting data

Detection Content

  • Custom analytic rules targeting MITRE ATT&CK techniques across multiple tactics
  • Investigation workbook for incident analysis
  • Response playbook for automated geo-tagging
  • Three watchlists (VIP users, high-value assets, known bad IPs)
  • Hunting queries for OAuth applications and Solorigate indicators

Exercises Coverage

Foundation (1-4): Data exploration, threat intelligence integration, MITRE coverage analysis, automation rules

Detection Engineering (6-8): Port scan threshold tuning, Okta MFA manipulation detection, watchlist integration

Operations (9-10): Cost analysis, table tier management, retention optimization

Data Lake (11-13): KQL jobs, aggregated detection approaches, Jupyter notebooks with PySpark

Integration (14): AI assistant capabilities demonstration
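As an added illustration of the threshold logic behind the port-scan tuning exercise (this is not code from the lab, whose rules run as KQL in Sentinel), a stand-alone Python re-implementation over a few constructed CommonSecurityLog-style rows, with an optional set of authorized scanner IPs standing in for a watchlist, so the effect of raising or lowering the distinct-port threshold can be seen offline:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not the lab's telemetry) in the shape of the
# CommonSecurityLog fields a port-scan rule keys on.
SAMPLE_EVENTS = [
    # One source sweeping twelve ports on one host within five minutes.
    {"TimeGenerated": f"2024-01-15T10:0{i % 6}:00", "SourceIP": "10.0.0.5",
     "DestinationIP": "10.0.1.20", "DestinationPort": p}
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])
] + [
    # Monitoring host polling three service ports repeatedly: noisy, low diversity.
    {"TimeGenerated": f"2024-01-15T10:{m:02d}:00", "SourceIP": "10.0.0.9",
     "DestinationIP": "10.0.1.20", "DestinationPort": p}
    for m in (1, 4, 7) for p in (22, 80, 443)
] + [
    # Same source as the first sweep, a smaller sweep against another host later on.
    {"TimeGenerated": f"2024-01-15T10:3{i}:00", "SourceIP": "10.0.0.5",
     "DestinationIP": "10.0.1.21", "DestinationPort": p}
    for i, p in enumerate([22, 80, 443, 8080, 8443])
]

def _window_start(ts: str, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size time bin."""
    t = datetime.fromisoformat(ts)
    return t - ((t - datetime.min) % window)

def port_scan_candidates(events, distinct_port_threshold, window_minutes=10,
                         authorized_scanners=frozenset()):
    """Return {(SourceIP, DestinationIP, window_start): distinct_port_count} for
    pairs whose distinct destination ports in one window reach the threshold.
    authorized_scanners plays the role of a watchlist of approved scanner IPs."""
    window = timedelta(minutes=window_minutes)
    ports = defaultdict(set)
    for e in events:
        if e["SourceIP"] in authorized_scanners:
            continue  # watchlisted scanner: excluded before counting
        key = (e["SourceIP"], e["DestinationIP"],
               _window_start(e["TimeGenerated"], window))
        ports[key].add(e["DestinationPort"])
    return {k: len(v) for k, v in ports.items() if len(v) >= distinct_port_threshold}

def tuning_report(events, thresholds=(3, 5, 10)):
    """Number of (source, destination, window) groups each threshold flags; this
    is the figure a detection engineer compares against the scans actually expected."""
    return {t: len(port_scan_candidates(events, t)) for t in thresholds}
```

On the sample rows the report shows the monitoring host dropping out at threshold 5 and only the twelve-port sweep surviving at threshold 10; excluding the monitoring host via the watchlist set has the same effect at the lowest threshold.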

Deployment Requirements

  • Azure subscription with Owner/Contributor role
  • Microsoft Sentinel workspace onboarded to Defender XDR as primary workspace
  • For custom detection rules: CustomDetection.ReadWrite.All Graph permission via UAMI or Service Principal
  • Optional: Microsoft Sentinel Data Lake for exercises 11-13

Security Training Value

This lab addresses the practical skills gap in security operations by providing hands-on experience with real telemetry patterns. The pre-recorded data represents authentic attack scenarios, including credential compromise (T1078), network reconnaissance (T1046), data exfiltration (T1041), and defense evasion (T1562) techniques, so SOC teams can practice detection tuning and response workflows without live threat exposure.

Affected Files

Tools/Microsoft-Sentinel-Training-Lab/Artifacts/DetectionRules/rules.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/WorkspaceLakeUsage-ARM.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/alertRules.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/deployDetectionRules.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/ingestEvents.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/playbook.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/watchlist.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/workbook.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/workspace.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Scripts/DeployDetectionRules.ps1
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Scripts/IngestCSV.ps1
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Scripts/RunIngest.ps1
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/AWSCloudTrail.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CommonSecurityLog.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeAlerts.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeCases.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeDetections.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeHosts.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeVulnerabilities.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/GCPAuditLogs.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/SecurityEvents.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/AuditLogsHunting_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/AzureActivity_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/MailGuard365_Threats_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/OfficeActivity_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/OktaV2_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/SEG_MailGuard_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/azureActivity_adele_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/disable_accounts_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/model_evasion_detection_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/office_activity_inbox_rule_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/sign-in_adelete_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/Custom/solarigate-beacon-umbrella_CL.csv
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/azuredeploy.json
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E01_exploration.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E02_threat_intelligence_mdti.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E04_automation_rules.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E05_device_isolation_response.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E06_port_scan_threshold_tuning.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E07_okta_mfa_manipulation.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E08_watchlist_integration.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E09_cost_management.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E10_table_management.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E11_datalake_kql_jobs.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E12_datalake_port_diversity.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E13_notebooks.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E14_MCP.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage1.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage10.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage11.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage12.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage13.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage14.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage15.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage16.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage17.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage18.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage19.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage2.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage20.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage21.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage22.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage23.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage24.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage25.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage26.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage27.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage28.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage29.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage3.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage30.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage31.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage32.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage33.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage34.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage35.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage4.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage5.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage6.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage7.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage8.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage9.png
Tools/Microsoft-Sentinel-Training-Lab/Images/sentinel-labs-logo.png
Tools/Microsoft-Sentinel-Training-Lab/MCP/demo-prompts.md
Tools/Microsoft-Sentinel-Training-Lab/Notebook/Lab_Notebook.ipynb
Tools/Microsoft-Sentinel-Training-Lab/README.md
Tools/Microsoft-Sentinel-Training-Lab/Tools/Ingest-LocalCSV.ps1
Tools/Microsoft-Sentinel-Training-Lab/Tools/ToolInstructions.md
Tools/Microsoft-Sentinel-Training-Lab/Watchlists/high_value_assets.csv
Tools/Microsoft-Sentinel-Training-Lab/Watchlists/known_bad_ips.csv
Tools/Microsoft-Sentinel-Training-Lab/Watchlists/vip_users.csv
(packaging artefacts: ReleaseNotes.md, mainTemplate.json)