Module 1: Setting up the Environment
This module guides you through the deployment of the Microsoft Sentinel Training Lab solution that will be used in all subsequent modules.
To get started with Microsoft Sentinel, you must have a Microsoft Azure subscription. If you do not have a subscription, you can sign up for a free Azure account.
You also need permissions to create a resource group in your Azure subscription.
In this exercise we will show you how to create a brand new Microsoft Sentinel workspace.
Navigate to the Azure Portal and log in with your account.
In the top search bar, type Microsoft Sentinel and click on Microsoft Sentinel.
In the Microsoft Sentinel screen, click Create at the top left.
You can choose to add Microsoft Sentinel to an existing Log Analytics workspace or build a new one. We will create a new one, so click on Create a new workspace.
In the Create Log Analytics workspace page, fill out the form as follows:
Subscription: choose the Azure subscription where you would like to deploy the Microsoft Sentinel workspace
Resource Group: select an existing resource group or create a new resource group (recommended) that will host the lab resources
Region: from the drop down, select the Azure region where the lab will be located
Workspace Name: provide a name for the Microsoft Sentinel workspace. The name must be 4-63 characters long and may contain only letters, digits or '-'; the '-' must not be the first or the last character.
Click Review + create and then Create once validation completes. The creation takes a few seconds.
You will be redirected back to the Add Microsoft Sentinel to a workspace page. Type the name of your new workspace in the search box, select your workspace and click Add at the bottom.
Your Microsoft Sentinel workspace is now ready to use!
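As an added example (not part of the Training Lab materials), the same Exercise 1 steps scripted with the Azure CLI instead of the portal. It assumes you are already logged in with `az login`, that the `sentinel` CLI extension is installed (`az extension add --name sentinel`), and that the resource group, workspace name and region are placeholders supplied through the `SENTINEL_LAB_*` environment variables. The `validate_workspace_name` function encodes the naming rule stated above and runs without any Azure access; the deployment itself only runs when `SENTINEL_LAB_DEPLOY=1` is set.

```shell
#!/bin/sh
# Added example: Exercise 1 (create a Log Analytics workspace and enable
# Microsoft Sentinel on it) using the Azure CLI. Not part of the Training Lab.
# Assumes: 'az login' already done and the 'sentinel' extension installed.
set -eu

# Check a workspace name against the rule stated in the lab:
# 4-63 characters, letters, digits or '-', with '-' neither first nor last.
# Returns 0 when the name is valid, 1 otherwise.
validate_workspace_name() {
  name=$1
  len=${#name}
  if [ "$len" -lt 4 ] || [ "$len" -gt 63 ]; then
    return 1
  fi
  printf '%s' "$name" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9]$'
}

# Create the resource group and workspace, then enable Sentinel on it.
# The onboarding-state call is the CLI equivalent of the portal's "Add" step.
deploy_sentinel_workspace() {
  rg=$1
  ws=$2
  location=$3
  if ! validate_workspace_name "$ws"; then
    echo "invalid workspace name: $ws" >&2
    return 1
  fi
  az group create --name "$rg" --location "$location" --output none
  az monitor log-analytics workspace create \
    --resource-group "$rg" --workspace-name "$ws" \
    --location "$location" --output none
  az sentinel onboarding-state create --name default \
    --resource-group "$rg" --workspace-name "$ws" --output none
  echo "Microsoft Sentinel enabled on workspace $ws in resource group $rg"
}

# Placeholder values (assumed, not from the lab); override via environment.
if [ "${SENTINEL_LAB_DEPLOY:-0}" = "1" ]; then
  deploy_sentinel_workspace \
    "${SENTINEL_LAB_RG:-sentinel-lab-rg}" \
    "${SENTINEL_LAB_WS:-sentinel-lab-ws}" \
    "${SENTINEL_LAB_LOCATION:-eastus}"
fi
```

Run `SENTINEL_LAB_DEPLOY=1 SENTINEL_LAB_WS=my-sentinel-ws sh deploy.sh` to deploy; without `SENTINEL_LAB_DEPLOY=1` the script only defines the functions, so the name check can be exercised before anything is created.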
In this exercise you will deploy the Training Lab solution into your existing workspace. This will ingest pre-recorded data (~20 MB) and create several other artifacts that will be used during the exercises.
In the Azure Portal, go to the top search bar and type Microsoft Sentinel Training. Select the Microsoft Sentinel Training Lab Solution (Preview) marketplace item on the right.
Read the solution description and click Create at the top.
In the Basics tab, select the Subscription, Resource Group and Workspace that you created in Exercise 1, or the details for your existing workspace. Optionally, review the different tabs (Workbooks, Analytics, Hunting Queries, Watchlists, Playbooks) in the solution. When ready, click on Review + create.
Once validation succeeds, click on Create. The deployment process takes about 15 minutes, because it waits until all the ingested data is ready for you to use once it finishes.
Once the deployment finishes, you can go back to Microsoft Sentinel and select your workspace. On the home page you should see some ingested data and several recent incidents. Don't worry if you don't yet see the 3 incidents shown in the screenshot below; they might take a few minutes to be raised.
In this exercise, we will configure a Playbook that will be used later in the lab. This authorizes the playbook's API connection so that the playbook can access Microsoft Sentinel.
Navigate to the resource group where the lab has been deployed.
In the resource group you should see an API Connection resource called azuresentinel-Get-GeoFromIpAndTagIncident, click on it.
On the resource page, select API Connection, then click Edit API Connection in the section that opens.
Click on Authorize and a new window will open to choose an account. Pick the user that you want to authenticate with. This should normally be the same user that you're logged in with.
Click Save.