Exercise 01: Sentinel onboarding and workspace configuration

Exercise learning objectives

  • Onboard Microsoft Sentinel to the designated Log Analytics workspace.
  • Validate baseline configuration of the workspace and associated resources.
  • Explore the Microsoft Defender XDR integration and confirm incident replication.
  • Become familiar with the Microsoft Sentinel interface and foundational components.

Licensing and environment

  • An active Azure subscription.
  • Access to the Azure portal with permissions to deploy and configure Microsoft Sentinel.
  • A Log Analytics workspace available or created as part of the lab environment.
  • Microsoft Defender for Cloud enabled to support integrated security operations.
  • Network access sufficient to deploy and manage Azure resources.

Roles and permissions

  • Lab environment: Owner or Contributor on the subscription for full deployment capability.
  • Real-world deployments:
    • Contributor on the resource group containing the workspace.
    • Security Reader or Security Administrator (for validating integration with Defender XDR).
    • Log Analytics Contributor or above to configure Sentinel connectors and workspace settings.

Estimated time

Duration: 30–40 minutes