What Changed

The Microsoft Sentinel Training Lab now includes two new exercises demonstrating advanced data management capabilities:

Exercise 15 — Data Federation with ADLS Gen2

  • Shows how to federate external data from Azure Data Lake Storage Gen2 into Sentinel
  • Includes sample Delta Parquet datasets to demonstrate differences in timestamp behavior between federated and ingested data
  • Users practice creating connector instances and comparing federation timestamp handling
  • Demonstrates querying security events alongside Sentinel tables without full ingestion

Exercise 16 — Data Transformation: Split Ingestion by Tier

  • Covers creating split transformation rules on CommonSecurityLog
  • Routes denied/dropped firewall events to the Analytics tier and allowed events to the Data Lake tier only
  • Demonstrates the new _SPLT_CL table naming convention and the limitation that split rules apply only to newly ingested data, not to data already stored
  • Focuses on cost optimization through tiered ingestion strategies
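
An illustrative split transformation for the tiering described above. This is an added example, not the rule from exercise E16 itself; it assumes the standard DCR transformation input name `source` and the CommonSecurityLog `DeviceAction` column. The action strings are constructed placeholders and must be matched to the values the firewall vendor actually emits.

```kql
// Analytics-tier stream: keep only denied/dropped firewall events, the ones
// detection rules and incident correlation need in near real time.
// 'source' is the standard input name of a DCR transformation.
source
| where DeviceAction in~ ("deny", "denied", "drop", "dropped")

// Data-lake-only stream: everything else (allow/accept/permit) is retained
// at lower cost for hunting and long-term analysis without Analytics-tier ingestion.
source
| where DeviceAction !in~ ("deny", "denied", "drop", "dropped")

// Validation after the rule is live: the Analytics-tier table should carry
// only deny/drop actions for the affected firewall vendor over the last hour.
CommonSecurityLog
| where TimeGenerated > ago(1h)
| summarize Events = count() by DeviceVendor, DeviceAction
| order by DeviceVendor asc, Events desc
```

Each of the first two queries goes in its own destination's transformKql; the third is run in Log Analytics to confirm that allowed traffic has stopped landing in the Analytics tier. Because split rules affect only new data, any allow/accept rows ingested before the rule was created will still appear until they age out.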

Additional Updates

Detection Rules Enhancement: Five existing detection rules received entity mapping improvements:

  • Added RemoteIP entity extraction to CrowdStrike execution and credential access rules
  • Enhanced phishing email rule with recipient email address, filename, and URL entities
  • Improved correlation capabilities for multi-stage attack scenarios

Exercise Maintenance: Updated exercises E02 and E03 with current UI terminology and added Content Hub installation step for Threat Intelligence solution dependency.

Affected Files

Tools/Microsoft-Sentinel-Training-Lab/Artifacts/DetectionRules/rules.json
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/Telemetry/BuildIn/CrowdStrikeDetections.csv
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E01_exploration.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E02_threat_intelligence_mdti.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E05_device_isolation_response.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E12_datalake_port_diversity.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E13_notebooks.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E14_MCP.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E15_federation_adls.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E16_split_transformation.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage23.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage24.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage39.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage40.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage41.png
Tools/Microsoft-Sentinel-Training-Lab/Images/OnboardingImage42.png
Tools/Microsoft-Sentinel-Training-Lab/README.md
(packaging artefacts: federation_sample_data.zip)