Add Microsoft Sentinel Training Lab to Tools#13848

Merged
sreedharande merged 1 commit into Azure:master from kapetanios55:feature/sentinel-training-lab-tools on Apr 10, 2026

Conversation

@kapetanios55
Contributor

Summary

Adds the Microsoft Sentinel Training Lab as a standalone tool under `Tools/Microsoft-Sentinel-Training-Lab/`.

This is a hands-on training environment that deploys a fully populated Microsoft Sentinel workspace with pre-recorded telemetry, detection rules, workbooks, playbooks, and guided exercises.

What's included

  • ARM template deployment — Deploy-to-Azure button for one-click setup
  • 14 hands-on exercises — Exploration, MDTI threat intelligence, MITRE ATT&CK coverage, automation rules, device isolation, port scan threshold tuning, Okta MFA manipulation, watchlists, cost management, table management, datalake KQL jobs, notebooks, and MCP integration
  • Telemetry ingestion — Per-file CSV download with dynamic discovery via GitHub Contents API (no ZIP downloads). Includes CrowdStrike, Okta, AWS CloudTrail, GCP Audit Logs, and custom log data
  • Detection rules — Deployment via Microsoft Graph API (UAMI or SPN auth)
  • Content — Workbook, playbook, 3 watchlists, analytic rules, hunting queries
  • Tools — Standalone `Ingest-LocalCSV.ps1` utility for ingesting your own CSV data
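
The "per-file CSV download with dynamic discovery via GitHub Contents API" item above describes a pattern worth seeing end to end, because the lab's own scripts are not part of this page. The block below is an added illustration in Python (the lab's scripts are PowerShell, and this code is not theirs): it lists a repository directory with `GET /repos/{owner}/{repo}/contents/{path}`, keeps only regular `.csv` entries, downloads each one by its `download_url`, and pauses until `X-RateLimit-Reset` when GitHub reports the quota as exhausted, which is the failure mode the later "GitHub API limits" comment runs into. The owner/repo/path names, the directory listing and the CSV bodies are constructed for the example, and the network is replaced by an injected fetcher so it runs offline.

```python
"""Per-file CSV discovery and download via the GitHub Contents API (added example)."""
import json
import time
from typing import Callable, Dict, List, Tuple

API_ROOT = "https://api.github.com"

# Constructed sample of a Contents API directory listing, trimmed to the fields used here.
# Repository, path and file names are made up for this example.
SAMPLE_LISTING = json.dumps([
    {"name": "CrowdStrike_Detections.csv", "type": "file", "size": 48213,
     "download_url": "https://raw.githubusercontent.com/example/lab/main/Telemetry/CrowdStrike_Detections.csv"},
    {"name": "Okta_SystemLog.csv", "type": "file", "size": 9120,
     "download_url": "https://raw.githubusercontent.com/example/lab/main/Telemetry/Okta_SystemLog.csv"},
    {"name": "README.md", "type": "file", "size": 1024,
     "download_url": "https://raw.githubusercontent.com/example/lab/main/Telemetry/README.md"},
    {"name": "archive", "type": "dir", "size": 0, "download_url": None},
    {"name": "AWS_CloudTrail.CSV", "type": "file", "size": 77001,
     "download_url": "https://raw.githubusercontent.com/example/lab/main/Telemetry/AWS_CloudTrail.CSV"},
])

# A fetcher maps a URL to (status, headers, body). Real code would wrap urllib or requests;
# injecting it keeps this example offline and testable.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]


def contents_url(owner: str, repo: str, path: str, ref: str = "main") -> str:
    """Contents API URL for a directory at a given branch, tag or commit."""
    return f"{API_ROOT}/repos/{owner}/{repo}/contents/{path.strip('/')}?ref={ref}"


def discover_csv_files(listing_json: str) -> List[Dict[str, object]]:
    """Keep only regular files whose name ends in .csv (case-insensitive).
    Directories, other file types and entries without a download_url are skipped."""
    entries = json.loads(listing_json)
    return [
        {"name": e["name"], "size": e.get("size", 0), "download_url": e["download_url"]}
        for e in entries
        if e.get("type") == "file"
        and e["name"].lower().endswith(".csv")
        and e.get("download_url")
    ]


def get_with_rate_limit(url: str, fetch: Fetcher, sleep=time.sleep, now=time.time,
                        max_waits: int = 2) -> str:
    """GET a URL; if GitHub answers 403/429 with X-RateLimit-Remaining: 0, sleep until
    X-RateLimit-Reset (an epoch timestamp) and retry, at most max_waits times."""
    waits = 0
    while True:
        status, headers, body = fetch(url)
        if status == 200:
            return body
        if status in (403, 429) and headers.get("X-RateLimit-Remaining") == "0" and waits < max_waits:
            reset = int(headers.get("X-RateLimit-Reset", "0"))
            sleep(max(0, reset - now()) + 1)  # +1s because the reset time is whole seconds
            waits += 1
            continue
        raise RuntimeError(f"GET {url} failed with HTTP {status}")


def download_csvs(owner: str, repo: str, path: str, fetch: Fetcher, ref: str = "main",
                  **kw) -> Dict[str, str]:
    """List one directory and download each CSV file individually; returns name -> body."""
    listing = get_with_rate_limit(contents_url(owner, repo, path, ref), fetch, **kw)
    return {f["name"]: get_with_rate_limit(str(f["download_url"]), fetch, **kw)
            for f in discover_csv_files(listing)}


def make_fake_fetcher(listing_json: str, throttle_once: bool = True) -> Fetcher:
    """Offline stand-in for the network: serves the constructed listing, returns one
    synthetic rate-limit response on the first file download, then CSV bodies derived
    from the requested URL."""
    state = {"throttled": False}

    def fetch(url: str) -> Tuple[int, Dict[str, str], str]:
        if "/contents/" in url:
            return 200, {"X-RateLimit-Remaining": "3"}, listing_json
        if throttle_once and not state["throttled"]:
            state["throttled"] = True
            return 403, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "0"}, "rate limit exceeded"
        name = url.rsplit("/", 1)[-1]
        return 200, {"X-RateLimit-Remaining": "2"}, f"timestamp,event\n2026-03-17T11:55:00Z,{name}\n"

    return fetch


if __name__ == "__main__":
    files = download_csvs("example", "lab", "Telemetry/", make_fake_fetcher(SAMPLE_LISTING),
                          sleep=lambda s: None)
    for name, body in files.items():
        print(f"{name}: {len(body.splitlines()) - 1} data row(s)")
```

Listing the directory costs one request and every file costs another, so a telemetry folder with many CSVs burns through the unauthenticated quota quickly; sending a token in the `Authorization` header raises the limit considerably, and honouring `X-RateLimit-Reset` rather than retrying immediately is what keeps a CI check from failing outright.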

Why Tools/ instead of Solutions/

This solution includes custom Azure Automation infrastructure (ingestion pipeline, Graph API-based detection rules deployment) that doesn't map to standard Content Hub content types. The V3 packaging tool is designed for standard Sentinel content and cannot handle these custom ARM deployments.

@kapetanios55 kapetanios55 requested a review from a team as a code owner March 17, 2026 11:55

Standalone training lab solution with:
- ARM template deployment (workspace, automation, ingestion pipeline)
- 14 hands-on exercises (MDTI, MITRE, automation, MCP, notebooks, etc.)
- Per-file CSV download with dynamic discovery via GitHub API
- CrowdStrike, Okta, AWS CloudTrail, GCP Audit Logs telemetry
- Detection rules deployment via Microsoft Graph API
- Workbook, playbook, watchlists, analytic and hunting rules
- Tools/Ingest-LocalCSV.ps1 standalone ingestion utility
@kapetanios55 kapetanios55 force-pushed the feature/sentinel-training-lab-tools branch from 06bade0 to 1dfae76 Compare March 17, 2026 14:24
@kapetanios55
Contributor Author

@v-shukore one check failed because of GitHub API limits; can we re-run that check?

@sreedharande sreedharande merged commit afc567f into Azure:master Apr 10, 2026
24 of 25 checks passed