Thursday, November 11, 2021

Learning with the Microsoft Sentinel Training Lab

In our conversations with Microsoft Sentinel customers/partners, one very common ask is: “How do I get hands-on experience with Microsoft Sentinel? Is there a lab that I can spin Up and get going?“ 


In these cases, we normally suggest the customer/partner to spin up a workspace in their Azure subscription and start connecting all the typical data sources, like Azure AD, Azure Activity, Office 365. Then they can enable alerts and try to generate telemetry that triggers incidents to triage, investigate or do hunting on. 

And yes, that is a possible solution, but it does involve a lot of manual tasks. It’s also not easy to generate the appropriate data that will trigger our analytics rules and provides a complete experience on how to use the product.  

Because of this, we are happy to announce the Microsoft Sentinel Training Lab solution! This solution ingests sample data into your Microsoft Sentinel workspace which will trigger incidents that allow you to explore Microsoft Sentinel features without Additional effort. 


To help you more easily onboard to Microsoft Sentinel, you can use this lab in Combination with our 31-day free trial. For more information on the free trial please visit Our pricing page 


How do I use it? 

To use this solution, you need an existing Microsoft Sentinel workspace. Doesn’t matter if it already has data or if it’s brand new, you can deploy this solution on top of the workspace and all the artifacts will be deployed on top of it. 

This solution also comes with a training guide, that provides step-by-step instructions on how to navigate the different features of the product, while using the artifacts created at deployment time. The scenarios explained in the guide are built to simulate real world incidents, so you can get a feel of how Microsoft Sentinel works. This guide currently includes a total of 8 modules, reviewing topics like incident management, hunting and threat intelligence among others. 

To deploy the training lab, go to the Content Hub from the Microsoft Sentinel portal and search for “Training Lab”:




Click Install and follow the instructions in the wizard. If you already have an existing Microsoft Sentinel workspace to deploy this lab to, you can jump directly to our step-by-step guide here. If you need to deploy a workspace, start here. 

Important note: the full deployment process takes ~15min, the main reason behind this, is to make sure that once you start using the lab, all the data is fully ready for you to use.  


What does it include? 

This training package includes pre-recorded data that will be ingested into the selected Microsoft Sentinel Workspace. Don’t worry about ingestion costs, the sample data is only 20 MBs in size! This pre-recorded data will land in the following custom log tables: SecurityEvent_CL, SigninLogs_CL, OfficeActivity_CL, AzureActivity_CL, Cisco_Umbrella_dns_CL. 

On top of this ingested data, the solution deploys several artifacts to simulate scenarios that showcase various Microsoft Sentinel features. These artifacts are: 

  • 3 x Analytics Rules 
  • 2 x Hunting queries 
  • 2 x Parsers 
  • 1 x Workbook 
  • 1 x Playbook 

During the guided lab you will also deal with Data Connectors, Bookmarks, and other parts of the product. 


How does it work?  

Microsoft Sentinel Training Lab stores the telemetry to be ingested in CSV format in here. At deployment time, a PowerShell script uses the Log Analytics Data Collector API to push that telemetry into the Microsoft Sentinel workspace. As you may know, if you send telemetry using this API, the data will land in a custom log table. The rest of the artifacts (analytics rules, hunting queries, workbook, etc.) have been modified to use these custom log tables so the experience is completely transparent for you :smiling_face_with_smiling_eyes: 

As mentioned before, the deployment takes around 15 minutes. This is intended because the data can take a while to be available for queries and we want to make sure the lab is fully usable when the deployment finishes. 


In summary 

The new Microsoft Sentinel Training lab solution allows users to have a full Microsoft Sentinel hands-on experience without having to deploy any additional resources or having to generate any data.   

As always, we are open to feedback and suggestions about this training lab, to do so you can open a GitHub issue here. 

Have a great learning! 


Javier and Yaniv 

Posted at