A huge thanks to Paul Kew - this lab wouldn't have been possible without his contributions.
Security operations is one of those things that’s hard to learn from slides alone. You need to feel what it’s like to triage a multi-stage incident, tune a noisy detection rule, or trace an attacker pivoting from an endpoint to the cloud. That’s exactly why we built the Microsoft Sentinel Training Lab.
What Is It?
The Sentinel Training Lab is an open-source, deploy-in-minutes training environment that gives you a fully functional Microsoft Sentinel workspace loaded with realistic attack telemetry. One click deploys everything - pre-recorded data from six different security products, custom detection rules that fire real incidents, workbooks, watchlists, and playbooks.
No need to set up agents, configure connectors, or simulate attacks yourself. The lab does all of that for you so you can focus on what matters: learning how to detect, investigate, and respond.
What’s Inside?
The lab simulates a multi-stage attack that spans six data sources — just like what a real SOC analyst would encounter:
- CrowdStrike — endpoint detections (malware execution, credential dumping)
- Palo Alto Networks — firewall logs (port scans, data exfiltration, C2 traffic)
- Okta — identity events (account takeover, MFA manipulation)
- AWS CloudTrail — cloud activity (IAM escalation, backdoor accounts)
- GCP Audit Logs — cloud infrastructure abuse (service account creation, firewall changes)
- MailGuard365 — email security (phishing campaigns bypassing filters)
All of this data feeds into 22 custom detection rules that automatically generate a unified, multi-stage incident in Microsoft Defender XDR - with correlated alerts, entity graphs, and a full kill chain mapped to MITRE ATT&CK.
The Exercises
The lab comes with 16 guided exercises covering the full spectrum of security operations:
Getting Started
- Onboarding — Set up your workspace and deploy the lab in under 30 minutes
- Exercise 1 — Explore your data with Advanced Hunting and create your first detection rule
- Exercise 2 — Enable Microsoft Defender Threat Intelligence and query IOCs
- Exercise 3 — Visualise your detection coverage on the MITRE ATT&CK matrix
- Exercise 4 — Automate incident enrichment with automation rules
Detection Engineering
- Exercise 5 — Cross-platform device isolation (CrowdStrike alert → MDE response)
- Exercise 6 — Tune port scan detection thresholds
- Exercise 7 — Detect Okta MFA factor manipulation
- Exercise 8 — Enrich detections with watchlists
Operations & Cost Management
- Exercise 9 — Monitor ingestion costs and configure threshold policies
- Exercise 10 — Manage table tiers and retention settings
Data Lake
- Exercise 11 — Create KQL jobs to aggregate data lake telemetry
- Exercise 12 — Compare real-time vs data lake detection approaches
- Exercise 13 — Interactive Jupyter notebook investigations
Advanced
- Exercise 14 — 10 AI-powered prompts demonstrating the Sentinel MCP Server
- Exercise 15 — Federate external data from ADLS Gen2
- Exercise 16 — Split transformation to route data between Analytics and Data Lake tiers
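As an added illustration of the threshold tuning in Exercise 6 (this is not the lab's own rule, and it is not taken from the repo), here is a pair of KQL queries: a baseline that shows how many distinct destination ports normal sources touch per five minutes, and a detection with the threshold pulled out as a named value so it can be tuned against that baseline. It assumes the Palo Alto logs land in the standard CommonSecurityLog CEF table; the table name, the time windows and the authorised-scanner address are assumptions to adjust to the lab's data.

```kql
// Added example, not the lab's detection rule.
// Assumes Palo Alto firewall logs in CommonSecurityLog (Sentinel's CEF table).
//
// Step 1 - baseline: how many distinct destination ports does a single
// source hit per 5-minute bin? Pick a threshold above the p99 of normal
// traffic but below what the recorded scan produces.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Palo Alto Networks"
| where isnotempty(SourceIP) and isnotempty(DestinationPort)
| summarize DistinctPorts = dcount(DestinationPort)
    by SourceIP, bin(TimeGenerated, 5m)
| summarize percentiles(DistinctPorts, 50, 95, 99), max(DistinctPorts)

// Step 2 - detection: same aggregation, with the knobs exposed at the top.
// Run this as its own query once the threshold has been chosen.
let lookback = 1h;                 // how far back the rule looks on each run
let bin_size = 5m;                 // aggregation window per source
let port_threshold = 50;           // distinct ports per source per bin (tune this)
let allowed_scanners = datatable(SourceIP:string) [
    "10.0.0.5"                     // constructed: authorised vulnerability scanner
];
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Palo Alto Networks"
| where isnotempty(SourceIP) and isnotempty(DestinationPort)
| where SourceIP !in (allowed_scanners)   // suppress known-good scanners
| summarize
    DistinctPorts   = dcount(DestinationPort),
    DistinctTargets = dcount(DestinationIP),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by SourceIP, bin(TimeGenerated, bin_size)
| where DistinctPorts >= port_threshold
| order by DistinctPorts desc
```

When this becomes an analytics rule, map SourceIP to the IP entity and keep the summarised TimeGenerated so the alert grouping in Defender XDR has a time key to correlate on.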
What Makes This Different?
| Feature | What it means for you |
|---|---|
| One-click deployment | Deploy to Azure button — no manual configuration |
| Realistic multi-source data | Six security products generating correlated incidents |
| 22 detection rules | Pre-built rules that fire real XDR incidents with entity mapping |
| MITRE ATT&CK coverage | 10 tactics covered across the attack chain |
| Data lake exercises | KQL jobs, notebooks, federation, and split transformations |
| MCP Server prompts | AI-powered investigation with GitHub Copilot |
| Cost management | Threshold policies and tier optimisation guidance |
Getting Started
Ready to try it? Here’s all you need:
- An Azure subscription (free trial works)
- Owner or Contributor role on the subscription
- A Microsoft Sentinel workspace onboarded to Defender XDR
Then head to the repo, follow the Onboarding guide and click Deploy to Azure.
The deployment takes about 30 minutes. After that, your workspace will have ingested data, detection rules firing incidents, and all 16 exercises ready to go.
Open Source & Community
The entire lab is open source under the Azure/Azure-Sentinel repository. Contributions, feedback, and ideas are welcome. If you find something that could be better, open an issue or submit a PR.
We built this lab because we believe the best way to learn security operations is by doing. We hope it helps you — whether you’re defending your first tenant or your hundredth.
Get started now - github.com/Azure/Azure-Sentinel/Tools/Microsoft-Sentinel-Training-Lab
Microsoft Sentinel is an industry-leading SIEM & AI-first platform powering agentic defense across the entire security ecosystem.