M1: Setup Environment
Last updated
Last updated
This module guides you through the deployment of the Microsoft Sentinel Training Lab solution that will be used in all subsequent modules.
To get started with Microsoft Sentinel, you must have a Microsoft Azure subscription. If you do not have a subscription, you can sign up for a free account here.
Permissions to create a resource group in your Azure subscription.
In this exercise we will show you how to create a brand new Microsoft Sentinel workspace. If you already have a pre-existing one that you would like to use, you can skip to Exercise 2.
Navigate to the Azure Portal and log in with your account.
In the top search bar, type Microsoft Sentinel and click on Microsoft Sentinel.
In the Microsoft Sentinel screen, click Create at the top left.
You can choose to add Microsoft Sentinel to an existing Log Analytics workspace or build a new one. We will create a new one, so click on Create a new workspace.
6. In the Create Log Analytics workspace page, fill out the form as follows:
Subscription: choose the Azure subscription where you would like to deploy the Microsoft Sentinel workspace
Resource Group: select an existing resource group or create a new resource group (recommended) that will host the lab resources
Region: from the drop down, select the Azure region where the lab will be located
Workspace Name: provide a name for the Microsoft Sentinel workspace. Please note that the workspace name should include 4-63 letters, digits or '-'. The '-' shouldn't be the first or the last symbol
8. Click Review + create and then Create after the validation completes. The creation takes a few seconds.
9. You will be redirected back to the Add Microsoft Sentinel to a workspace. Type the name of your new workspace in the search box, select your workspace and click Add at the bottom.
Your Microsoft Sentinel workspace is now ready to use!
In this exercise you will deploy the Training Lab solution into your existing workspace. This will ingest pre-recorded data (~20 MBs) and create several other artifacts that will be used during the exercises.
Go to your SEntinel Overview Section and Under Content Management, Select Content Hub.
2. In the Search Bar, Enter "Training Lab" .
3. Make Sure you Click on Install.
4. Deploy the Solution.
In this exercise, we will configure a Playbook that will be later used in the lab. This will allow the playbook to access Sentinel.
Navigate to the resource group where the lab has been deployed.
In the resource group you should see an API Connection resource called azuresentinel-Get-GeoFromIpAndTagIncident, click on it.
Click on Edit API connection under General.
Click on Authorize and a new window will open to chose an account. Pick the user that you want to authenticate with. This should normally be the same user that you're logged in with.
Click Save.
You can now continue to Module 2 - Data Connectors