Azure Sentinel Kyndryl Training
  • M0: Introduction
  • M1: Setup Environment
  • M2: Data Connectors
  • M3: Analytics Rules
  • M4: Incident Management
  • M5: Hunting
  • M6: Watchlists
  • M7: Threat Intelligence
  • M8: Azure Sentinel Solutions
  • Sample1: Multiple tenants and regions
  • Sample 2: Single tenant with multiple clouds
  • Workspace Design Decision
  • KQL Demo - Log Analytics Workspace
  • KQL Demo - Sentinel
Powered by GitBook
On this page
  • Introduction
  • Prerequisites
  • Getting started
  • Modules

Was this helpful?

M0: Introduction

Introduction

These labs help you get ramped up with Microsoft Sentinel and provide hands-on practical experience for product features, capabilities, and scenarios.

The lab deploys an Microsoft Sentinel workspace and ingests pre-recorded data to simulate scenarios that showcase various Microsoft Sentinel features. You should expect very little or no cost at all due to the size of the data (~10 MBs) and the fact that Microsoft Sentinel offers a 30-day free trial.

Prerequisites

To deploy Microsoft Sentinel Trainig Lab, you must have a Microsoft Azure subscription. If you do not have an existing Azure subscription, you can sign up for a free trial here.

Getting started

Below you can see all the modules that are part of this lab. Although in general they can be completed in any order, you must start with Module 1 as this deploys the lab environment itself.

Modules

Module 1 – Setting up the environment

  • The Microsoft Sentinel workspace

  • Deploy the Microsoft Sentinel Training Lab Solution

  • Configure Microsoft Sentinel Playbook

Module 2 – Data Connectors

  • Enable Azure Activity data connector

  • Enable Azure Defender data connector

  • Enable Threat Intelligence TAXII data connector

Module 3 – Analytics Rules

  • Analytics Rules overview

  • Enable Microsoft incident creation rule

  • Review Fusion Rule (Advanced Multistage Attack Detection)

  • Create custom analytics rule

  • Review resulting security incident

Module 4 – Incident Management

  • Review Microsoft Sentinel incident tools and capabilities

  • Handling Incident "Sign-ins from IPs that attempt sign-ins to disabled accounts"

  • Handling "Solorigate Network Beacon" incident

  • Hunting for more evidence

  • Add IOC to Threat Intelligence

  • Handover incident

Module 5 – Hunting

  • Hunting on a specific MITRE technique

  • Bookmarking hunting query results

  • Promote a bookmark to an incident

Module 6 – Watchlists

  • Create a Watchlist

  • Whitelist IP addresses in the analytics rule

Module 7 - Threat Intelligence

  • Threat Intelligence data connectors

  • Explore the Threat Intelligence menu

  • Analytics Rules based on Threat Intelligence data

  • Threat Intelligence Workbook

Module 8 - Microsoft Sentinel Content hub

  • Explore Microsoft Sentinel Content hub

  • Deploy a new solution

  • Review and enable deployed artifacts

NextM1: Setup Environment

Last updated 2 years ago

Was this helpful?