What Changed

Comprehensive editorial and functional improvements to the Microsoft Sentinel Training Lab solution, including standardized detection rule naming, enhanced entity correlation, and updated cost management exercises.

Detection Logic Updates

Enhanced entity correlation across training detection rules:

  • Added SHA256, FileName, and ProcessCommandLine entity mapping to Stage 2/3 CrowdStrike rules for improved incident investigation
  • Added RemoteIP entity mapping to Stage 6 data exfiltration rule
  • Standardized rule naming convention to “Lab Stage # - Name (Source)” format across all 12 detection rules
  • Updated alert titles to match standardized naming convention
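A small lint over the rules file is the practical way to check that these two changes (the naming convention and the new entity mappings) actually hold. The script below is an added example, not part of the lab or this change; it assumes the Sentinel scheduled-rule "entityMappings" schema (entityType plus fieldMappings) and runs against a constructed sample, not the real rules.json.

```python
import json
import re

# Naming convention introduced by this change: "Lab Stage # - Name (Source)".
NAME_RE = re.compile(r"^Lab Stage (\d+) - (.+?) \(([^()]+)\)$")

# Entity types each stage must map after the change (Sentinel scheduled-rule
# "entityMappings" schema). The stage-to-type list follows the bullets above;
# any stage not listed here is assumed to have no required mappings.
REQUIRED_ENTITIES = {
    2: {"FileHash", "File", "Process"},   # SHA256 / FileName / ProcessCommandLine
    3: {"FileHash", "File", "Process"},
    6: {"IP"},                            # RemoteIP
}

def parse_name(display_name):
    """Return (stage, name, source) or None when the name is off-convention."""
    m = NAME_RE.match(display_name)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def lint_rules(rules):
    """Return findings for a list of Sentinel rule 'properties' dicts."""
    findings = []
    for rule in rules:
        display = rule.get("displayName", "")
        parsed = parse_name(display)
        if parsed is None:
            findings.append(f"{display!r}: name not in 'Lab Stage # - Name (Source)' form")
            continue
        stage = parsed[0]
        present = {m.get("entityType") for m in rule.get("entityMappings", [])}
        missing = REQUIRED_ENTITIES.get(stage, set()) - present
        if missing:
            findings.append(f"{display!r}: missing entity mappings {sorted(missing)}")
    return findings

# Constructed sample in the shape of rules.json entries (not the lab's real file).
SAMPLE_RULES = json.loads("""[
 {"displayName": "Lab Stage 2 - Suspicious Process (CrowdStrike)",
  "entityMappings": [
   {"entityType": "FileHash", "fieldMappings": [{"identifier": "Algorithm", "columnName": "HashAlgo"}, {"identifier": "Value", "columnName": "SHA256"}]},
   {"entityType": "File", "fieldMappings": [{"identifier": "Name", "columnName": "FileName"}]},
   {"entityType": "Process", "fieldMappings": [{"identifier": "CommandLine", "columnName": "ProcessCommandLine"}]}]},
 {"displayName": "Stage 6 Data Exfiltration", "entityMappings": []},
 {"displayName": "Lab Stage 6 - Data Exfiltration (Firewall)",
  "entityMappings": [{"entityType": "Account", "fieldMappings": [{"identifier": "Name", "columnName": "User"}]}]}
]""")

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

The sample deliberately contains one off-convention name and one Stage 6 rule without the RemoteIP mapping, so both checks produce a finding.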

Cost Management Enhancement

Updated Exercise 9 with new XDR Cost Management dashboard features:

  • Added threshold policies configuration section covering policy enforcement and alert percentage settings
  • Removed hardcoded pricing from KQL queries, now linking to current pricing pages
  • Added new screenshots (OnboardingImage37, OnboardingImage38) for updated UI elements
  • Updated automation schedule timers: ingestion T+5m, detection T+15m

Training Content Improvements

  • Simplified onboarding from 8 exercises to 4 for better learning progression
  • Added exercise dependency table to README for clearer learning path guidance
  • Standardized metadata format across all exercises (Topic/Rule, Difficulty, Prerequisites)
  • Added “Next Steps” navigation linking between exercises
  • Enhanced accessibility with descriptive alt text for images
  • Fixed confusing Optional/Requires title in Exercise 5

Infrastructure maintenance includes removal of the byte order mark (BOM) from mainTemplate.json and cleanup of unused images.

Affected Files

Tools/Microsoft-Sentinel-Training-Lab/Artifacts/DetectionRules/rules.json
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E01_exploration.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E02_threat_intelligence_mdti.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E04_automation_rules.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E05_device_isolation_response.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E06_port_scan_threshold_tuning.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E07_okta_mfa_manipulation.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E08_watchlist_integration.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E09_cost_management.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E10_table_management.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E11_datalake_kql_jobs.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E12_datalake_port_diversity.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage32.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage33.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage37.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage38.png
Tools/Microsoft-Sentinel-Training-Lab/README.md
(packaging artefacts: mainTemplate.json)