How to Set Up a Microsoft Sentinel Lab

Microsoft Sentinel is Azure’s cloud-native SIEM (Security Information and Event Management) solution, and setting up your own Microsoft Sentinel lab is a crucial first step in learning it. In this guide, I’ll walk you through creating a Microsoft Sentinel lab inside your own Azure environment, and the best part is that you can do it for free with a 30-day trial. Be careful, though: going beyond the terms and conditions of the 30-day trial may result in charges.

Having worked extensively with Microsoft Sentinel, I’ve decommissioned many lab instances and spun up new ones, and each time, I’ve been able to take advantage of that free 30-day trial. Additionally, I’ll demonstrate how to import test data into your lab environment, enabling you to hone your KQL (Kusto Query Language) skills and strengthen your ability to detect and respond to security threats effectively.

By the end of this tutorial, you will have a functioning Microsoft Sentinel lab environment you can use to develop your SIEM skills. Let’s get started!

STEPS

  1. Create a free Azure account by following the instructions in the link below.
  2. Log in to your Azure account at https://portal.azure.com
  3. Set up a Log Analytics Workspace (LAW) – This is where your logs are stored for Sentinel to analyze
    • Search for Log Analytics Workspaces in the top search bar and select it
    • Select “+ Create”
    • Fill out the following
      • Subscription – Select your subscription
      • Resource group – Pick a resource group you already use or create a new one
      • Name – LAW-SentinelLab
      • Region – Pick a region closest to you or one you are already using
    • Select “Review + Create”
    • Wait for validation
    • Select “Create”
  4. Set up Microsoft Sentinel – This is the SIEM
    • Search for Sentinel in the top search bar and select it
    • Select “+ Create”
    • Select the LAW you created in step 3
    • Select “Add”
  5. Import the “Microsoft Sentinel Training Lab”
    • You should already be in your Microsoft Sentinel Azure resource – if not, do the following
      • Search for Sentinel in the top search bar and select it
      • Click on the name of the LAW you set up in step 3
    • Select “Content hub” under “Content management”
    • Search for “Microsoft Sentinel Training Lab”
    • Select “Install”
    • Fill out the following
      • Subscription – Select your subscription
      • Resource group – Pick the resource group you selected in step 3
      • Workspace – LAW-SentinelLab
    • Select “Review + Create”
    • Wait for validation
    • Select “Create”
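Steps 3 and 4 can also be scripted, which is handy when you tear a lab down and rebuild it as often as this post describes. The script below is an added example using the Azure CLI (not code from the original post); it assumes `az` is installed and logged in, and the resource group name and region are placeholder choices. Step 5 (the Training Lab solution) is still installed from Content hub as described above.

```sh
#!/bin/sh
# Added example (not from the original post): the Azure CLI equivalent of
# steps 3 and 4. Assumes `az` is installed and `az login` has already run.
# Resource group and region below are assumed values; change them to match
# what you picked in the portal.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sentinel-lab}"   # assumed name
WORKSPACE="${WORKSPACE:-LAW-SentinelLab}"             # name used in step 3
LOCATION="${LOCATION:-eastus}"                        # pick the region nearest you
SENTINEL_API="2023-02-01"                             # Microsoft.SecurityInsights API version

# Log Analytics workspace names must be 4 to 63 characters of letters, digits
# and hyphens, and may not start or end with a hyphen. Checking locally saves
# a failed deployment at the portal-style "Wait for validation" step.
valid_workspace_name() {
  case "$1" in
    -*|*-) return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -ge 4 ] && [ "${#1}" -le 63 ]
}

# ARM URL of the Sentinel onboarding state that "Select Add" (step 4) creates.
# Arguments: subscription id, resource group, workspace name.
onboarding_state_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=%s' \
    "$1" "$2" "$3" "$SENTINEL_API"
}

deploy_lab() {
  valid_workspace_name "$WORKSPACE" || { echo "invalid workspace name: $WORKSPACE" >&2; return 1; }
  sub="$(az account show --query id -o tsv)"
  # Step 3: the workspace where the logs Sentinel analyzes are stored.
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
  az monitor log-analytics workspace create --resource-group "$RESOURCE_GROUP" \
    --workspace-name "$WORKSPACE" --location "$LOCATION" --output none
  # Step 4: enabling Sentinel on the workspace is a PUT on its onboarding state.
  az rest --method put --url "$(onboarding_state_url "$sub" "$RESOURCE_GROUP" "$WORKSPACE")" \
    --body '{"properties":{"customerManagedKey":false}}' --output none
  echo "Sentinel enabled on $WORKSPACE; install the Training Lab from Content hub (step 5)."
}

# Run with RUN_DEPLOY=1 to actually deploy; without it the file only defines the helpers.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy_lab; fi
```

Delete the resource group when you are done with the lab so the workspace stops accruing charges after the trial.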

For managing your lab costs in Azure, see my follow-up post: Cost-Effective Azure Lab Management: Tips and Tricks – Exposing Threats
