Microsoft Sentinel
You can download the Microsoft Sentinel Bootcamp hands-on lab step-by-step instructions here
These labs help you get ramped up with Microsoft Sentinel and provide hands-on practical experience for product features, capabilities, and scenarios.
The lab deploys a Microsoft Sentinel workspace and ingests pre-recorded data to simulate scenarios that showcase various Microsoft Sentinel features. You should expect little or no cost, due to the small size of the data (~10 MB) and the fact that Microsoft Sentinel offers a 30-day free trial.
In this video, we will go through Microsoft Sentinel hands-on lab bootcamp exercises.
Prerequisites
To deploy the Microsoft Sentinel Training Lab, you must have a Microsoft Azure subscription. If you do not have an existing Azure subscription, you can learn how to sign up for an Azure free trial here.
LAB 01: Setting up the environment
This module guides you through the deployment of the Microsoft Sentinel Training Lab solution that will be used in all subsequent modules.
Lab 01 Task List:
Exercise 1: The Microsoft Sentinel workspace
Exercise 2: Deploy the Microsoft Sentinel Training Lab Solution
Exercise 3: Configure Microsoft Sentinel Playbook
LAB 02: Data Connectors
In this module you will learn how to enable Data Connectors in Microsoft Sentinel to bring in alerts and/or telemetry from different sources.
Lab 02 Task List:
Exercise 1: Enable Azure Activity data connector
Exercise 2: Enable Microsoft Defender for Cloud data connector
Exercise 3: Enable Threat Intelligence TAXII data connector
LAB 03: Analytics Rules
This module guides you through the Analytics Rules part of Microsoft Sentinel and shows you how to create different types of rules (security detections).
Lab 03 Task List:
Exercise 1: Analytics Rules overview
Exercise 2: Enable Microsoft incident creation rule
Exercise 3: Review Fusion Rule (Advanced Multistage Attack Detection)
Exercise 4: Create Microsoft Sentinel custom analytics rule
LAB 04: Incident Management
This module guides you through the SOC Analyst experience using Microsoft Sentinel's incident management capabilities.
Lab 04 Task List:
Exercise 1: Review Microsoft Sentinel incident tools and capabilities
Exercise 2: Handling Incident "Sign-ins from IPs that attempt sign-ins to disabled accounts"
Exercise 3: Handling "Solorigate Network Beacon" incident
Exercise 4: Hunting for more evidence
Exercise 5: Add IOC to Threat Intelligence
Exercise 6: Handover incident
LAB 05: Hunting
This module will guide you through a proactive threat hunting procedure and will review Microsoft Sentinel’s rich hunting features.
Lab 05 Task List:
Exercise 1: Hunting on a specific MITRE technique
Exercise 2: Bookmarking hunting query results
Exercise 3: Promote a bookmark to an incident
LAB 06: Watchlists
This module will show you how to use Microsoft Sentinel watchlists in event correlation and enrichment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks.
Lab 06 Task List:
Exercise 1: Create a watchlist
Exercise 2: Whitelist IP addresses in the analytics rule
LAB 07: Threat Intelligence
This module will demonstrate how to use Microsoft Sentinel Threat Intelligence (TI) features and product integration points. During this module we rely on TI data that we ingested in Lab 2, so please make sure you have completed that module. In this module we will also discover how to visualize and use this data as part of investigation and detection.
Lab 07 Task List:
Exercise 1: Threat Intelligence data connectors
Exercise 2: Explore the Threat Intelligence menu
Exercise 3: Analytics Rules based on Threat Intelligence data
Exercise 4: Threat Intelligence workbook
LAB 08: Microsoft Sentinel Content Hub
In this module you will learn how to use the Microsoft Sentinel Content Hub to discover and deploy new content. Our official documentation on this topic is available here: Microsoft Sentinel Content hub catalog.
Lab 08 Task List:
Exercise 1: Explore Microsoft Sentinel Content hub
Exercise 2: Deploy a new solution
Exercise 3: Review and enable deployed artifacts