Added hunting exercise and added notes on labs being standalone now
Ken Lawson committed Dec 19, 2024
1 parent 08856ff commit 766f332
Showing 21 changed files with 115 additions and 21 deletions.
4 changes: 2 additions & 2 deletions Allfiles/Bicep/Readme.md
@@ -7,13 +7,13 @@ Use to pre-install Microsoft Sentinel and Content Hub Solutions from WIN1.
1. Create a *Resource Group* for the deployment.

```azurecli
az group create --location eastus --resource-group defender-RG
az group create --location eastus --resource-group Defender-RG
```
1. Deploy the Bicep template.
```azurecli
az deployment group create --name testDeploy --template-file .\sentinel.bicep --parameters .\sentinelParams.bicepparam --resource-group defender-RG
az deployment group create --name testDeploy --template-file .\sentinel.bicep --parameters .\sentinelParams.bicepparam --resource-group Defender-RG
```
### Additional Information
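Review bot: the template path in the `az deployment group create` line is written with a Windows separator (`.\sentinel.bicep`, `.\sentinelParams.bicepparam`), which only works when the command is typed into PowerShell or cmd; since the README already says this is run from WIN1 that is acceptable, but `./sentinel.bicep` is accepted by both PowerShell and a POSIX shell and avoids the problem for anyone running the Azure CLI elsewhere. The `defender-RG` to `Defender-RG` rename itself changes nothing functionally, because Azure resource group names are case-insensitive, but it is worth keeping because it now matches the `Defender-RG` the student is told to type in LAB_AK_07.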
2 changes: 1 addition & 1 deletion Allfiles/Bicep/sentinelParams.bicepparam
@@ -1,6 +1,6 @@
using './Sentinel.bicep'

param workspaceName = 'defenderworkspace'
param workspaceName = 'defenderWorkspace'
param retentionInDays = 90
param contentSolutions = [
'Microsoft Defender For Cloud'
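Review bot: the unchanged context line `using './Sentinel.bicep'` (capital S) does not match the `.\sentinel.bicep` (lowercase) used in the README's deployment command in this same commit; on a case-sensitive filesystem one of the two references will fail to resolve, so settle on one casing for the file name and use it in both places. The `workspaceName` change to `defenderWorkspace` is consistent with the name the student is told to enter in LAB_AK_07_Lab1_Ex01.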
@@ -14,7 +14,7 @@ You're a Security Operations Analyst working at a company that is implementing M

You start by initializing the Defender for Endpoint environment. Next, you onboard the initial devices for your deployment by running the onboarding script on the devices. You configure security for the environment. Lastly, you create Device groups and assign the appropriate devices.

>**Important:** The lab Virtual Machines are used through different modules. SAVE your virtual machines. If you exit the lab without saving, you will be required to re-run some configurations again.
>**Important:** The lab Virtual Machines are used through different modules. SAVE your virtual machines. If you exit the lab without saving, you will be required to re-run some configurations again.
>**Note:** Make sure you have completed successfully Task 3 of the first module.
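Review bot: the removed and added versions of the **Important:** line read identically, so the change is presumably trailing whitespace or a line ending; if that is all it is, the hunk is noise, and if this lab is meant to be standalone like the others in this commit the "SAVE your virtual machines" wording should be replaced with the standalone note used elsewhere, since it contradicts the commit's intent. The file name for this hunk is also missing from the rendered page, so it is not clear which lab it belongs to. Separately, the **Important:** and **Note:** blockquote lines at the end of the hunk have no blank line between them, so Markdown renders them as a single blockquote paragraph; a blank line between the two fixes that.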
16 changes: 11 additions & 5 deletions Instructions/Labs/LAB_AK_05_Lab1_Ex01_Enable_MDC.md
@@ -10,6 +10,8 @@ lab:

You're a Security Operations Analyst working at a company that is implementing cloud workload protections with Microsoft Defender for Cloud. In this lab, you enable Microsoft Defender for Cloud.

>**Important:** The lab exercises for Learning Path #5 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 15 minutes

### Task 1: Enable Microsoft Defender for Cloud
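Review bot: the new **Important:** blockquote is followed directly by the `### Estimated time` heading with no blank line, while the rest of the file separates blocks with blank lines; add one here (the same applies to every other lab file where this note is inserted in this commit). The phrase "re-run the configurations again" is redundant; "you will have to redo the configuration" or "you will have to start the lab over" says the same thing more cleanly.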
@@ -28,7 +30,9 @@ In this task, you'll enable and configure Microsoft Defender for Cloud.

1. In the Search bar of the Microsoft Azure portal, type *Defender*, then select **Microsoft Defender for Cloud**.

1. In the left navigation menu for Microsoft Defender for Cloud, expand the Management section , and select **Environment settings**.
1. In the left navigation menu for Microsoft Defender for Cloud, expand the *Management* section , and select **Environment settings**.

1. Select the **Expand all** button to view all subscriptions and resources.

1. Select the **MOC Subscription-lodxxxxxxxx** subscription (or equivalent name in your Language).

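Review bot: the rewritten line still has the stray space before the comma in "expand the *Management* section , and select"; since the line is being touched anyway, drop the space.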
@@ -38,17 +42,19 @@ In this task, you'll enable and configure Microsoft Defender for Cloud.
1. Select the **Settings & monitoring** tab from the Settings area (next to Save).

1. Review the monitoring extensions. It includes configurations for Virtual Machines, Containers, and Storage Accounts. Close the "Settings & monitoring" page by selecting the 'X' on the upper right of the page.
1. Review the monitoring extensions. It includes configurations for Virtual Machines, Containers, and Storage Accounts.

1. Select the **Continue** button, or cClose the "Settings & monitoring" page by selecting the 'X' on the upper right of the page.

1. Close the settings page by selecting the 'X' on the upper right of the page to go back to the **Environment settings** and select the '>' to the left of your subscription.
1. Close the settings page by selecting the 'X' on the upper right of the page to go back to the **Environment settings**.

1. Select the Log analytics workspace you created earlier *uniquenameDefender* to review the available options and pricing.
<!---1. Select the Log analytics workspace you created earlier *uniquenameDefender* to review the available options and pricing.
1. Select **Enable all plans** (to the right of Select Defender plan) and then select **Save**. Wait for the *"Microsoft Defender plan for workspace uniquenameDefender were saved successfully!"* notification to appear.
>**Note:** If the page is not being displayed, refresh your Edge browser and try again.
1. Close the Defender plans page by selecting the 'X' on the upper right of the page to go back to the **Environment settings**
1. Close the Defender plans page by selecting the 'X' on the upper right of the page to go back to the **Environment settings**. --->

### Task 3: Understanding the Microsoft Defender for Cloud Dashboard

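Review bot: typo in the added line "Select the **Continue** button, or cClose the "Settings & monitoring" page" ("cClose"). Also, the Log Analytics workspace steps are commented out with `<!--- ... --->` rather than deleted, which leaves stale `uniquenameDefender` references in the file now that the workspace is named `defenderWorkspace` elsewhere in this commit; delete the block, since the old text remains in git history.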
2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_05_Lab1_Ex02_Explore_MDC.md
@@ -12,6 +12,8 @@ lab:

You're a Security Operations Analyst working at a company that implemented Microsoft Defender for Cloud. You need to respond to recommendations and security alerts generated by Microsoft Defender for Cloud.

>**Important:** The lab exercises for Learning Path #5 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 15 minutes

### Task 1: Explore Regulatory Compliance
8 changes: 6 additions & 2 deletions Instructions/Labs/LAB_AK_07_Lab1_Ex01_Deploy_Sentinel.md
@@ -10,6 +10,10 @@ lab:

You are a Security Operations Analyst working at a company that is implementing Microsoft Sentinel. You are responsible for setting up the Microsoft Sentinel environment to meet the company requirement to minimize cost, meet compliance regulations, and provide the most manageable environment for your security team to perform their daily job responsibilities.

>**Important:** The lab exercises for Learning Path #7 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1 - Create a Log Analytics workspace

Create a Log Analytics workspace, including region option. Learn more about [onboarding Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/quickstart-onboard).
@@ -32,9 +36,9 @@ Create a Log Analytics workspace, including region option. Learn more about [onb

1. Select **Create new** for the Resource group.

1. Enter *RG-Defender* and select **Ok**.
1. Enter *Defender-RG* and select **Ok**.

1. For the Name, enter something unique like: *uniquenameDefender*.
1. For the Name, enter *defenderWorkspace*.

1. You can leave the default region for the workspace.

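Review bot: the student is told to **Create new** a resource group named `Defender-RG` and a workspace named `defenderWorkspace`, which are exactly the names the Bicep pre-install under `Allfiles/Bicep` uses in this commit. If the standalone environment has already run that template, the portal will reject creating a resource group that already exists, and this step should instead tell the student to select the existing `Defender-RG`; please confirm which of the two is intended.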
4 changes: 4 additions & 0 deletions Instructions/Labs/LAB_AK_08_Lab1_Ex01_Connect_Services.md
@@ -12,6 +12,10 @@ lab:

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The organization has data from Microsoft 365, Microsoft 365 Defender, Azure resources, non-azure virtual machines, etc. You start connecting the Microsoft sources first.

>**Important:** The lab exercises for Learning Path #8 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 20 minutes

### Task 1: Access the Microsoft Sentinel Workspace

In this task, you will access your Microsoft Sentinel workspace.
2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md
@@ -12,6 +12,8 @@ lab:

You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data is Windows virtual machines inside and outside of Azure, like On-Premises environments or other Public Clouds.

>**Important:** The lab exercises for Learning Path #8 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Create a Windows Virtual Machine in Azure
2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_08_Lab1_Ex03_Connect_Linux.md
@@ -12,6 +12,8 @@ lab:

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data are Linux virtual machines using the Common Event Formatting (CEF) via Legacy Agent and Syslog connectors.

>**Important:** The lab exercises for Learning Path #8 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

>**Important:** There are steps within the next Tasks that are done in different virtual machines. Look for the Virtual Machine name references.
4 changes: 3 additions & 1 deletion Instructions/Labs/LAB_AK_09_Lab1_Ex01_Security_Rule.md
@@ -12,6 +12,8 @@ lab:

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. First, you need to filter the alerts coming from Defender for Cloud into Microsoft Sentinel, by Severity.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 10 minutes

### Task 1: Activate a Microsoft Security Rule
@@ -28,7 +30,7 @@ In this task, you will activate a Microsoft Security rule.

1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.

1. Select your Microsoft Sentinel Workspace you created in the previous labs.
1. Select the Microsoft Sentinel Workspace provided.

1. Select **Analytics** from the Configuration area.

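Review bot: "Select the Microsoft Sentinel Workspace provided." differs from the wording this commit uses for the same step in Ex04, Ex07, Ex08 and Ex09 ("Select your Microsoft Sentinel Workspace."); pick one form for all of them.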
2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_09_Lab1_Ex02_Playbook.md
@@ -12,6 +12,8 @@ You're a Security Operations Analyst working at a company that implemented Micro

With a playbook, you can help automate and orchestrate your threat response, integrate with other systems both internal and external, and can be set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Task 1: Create a Playbook in Microsoft Sentinel

In this task, you'll create a Logic App that is used as a Playbook in Microsoft Sentinel.
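Review bot: in every other lab file in this commit the standalone note is placed above the `### Estimated time` heading, but here it sits directly above `### Task 1` and no estimated-time heading is visible in the hunk. If this file has that heading elsewhere, move the note above it for consistency; if it does not, consider adding one so the Playbook exercise matches the others.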
2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_09_Lab1_Ex03_Scheduled_Query.md
@@ -12,6 +12,8 @@ You're a Security Operations Analyst working at a company that implemented Micro

Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and reMediation processes.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Create a Scheduled Query
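Review bot: the unchanged context line "automated tracking and reMediation processes" has a capitalisation typo ("reMediation"); the identical sentence appears in LAB_AK_09_Lab1_Ex07_Detections.md, which is also touched by this commit. Worth fixing in both while the files are open.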
4 changes: 3 additions & 1 deletion Instructions/Labs/LAB_AK_09_Lab1_Ex04_Entity_Behavior.md
@@ -12,6 +12,8 @@ You are a Security Operations Analyst working at a company that implemented Micr

You need to configure Microsoft Sentinel to perform Entity Behavior Analytics to discover anomalies and provide entity analytic pages.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 15 minutes

### Task 1: Explore Entity Behavior
@@ -28,7 +30,7 @@ In this task, you will explore Entity behavior analytics in Microsoft Sentinel.

1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.

1. Select your Microsoft Sentinel Workspace you created earlier.
1. Select your Microsoft Sentinel Workspace.

1. Select the **Entity behavior** page.

2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_09_Lab1_Ex06_Perform_Attacks.md
@@ -12,6 +12,8 @@ lab:

You are going to simulate the attacks that you will later use to detect and investigate in Microsoft Sentinel.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Persistence Attack with Registry Key Add
4 changes: 3 additions & 1 deletion Instructions/Labs/LAB_AK_09_Lab1_Ex07_Detections.md
@@ -14,6 +14,8 @@ You are a Security Operations Analyst working at a company that implemented Micr

Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and reMediation processes.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Persistence Attack Detection
@@ -32,7 +34,7 @@ In this task, you will create a detection for the first attack of the previous e

1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.

1. Select your Microsoft Sentinel Workspace you created earlier.
1. Select your Microsoft Sentinel Workspace.

1. Select **Logs** from the *General* section.

4 changes: 3 additions & 1 deletion Instructions/Labs/LAB_AK_09_Lab1_Ex08_Investigate.md
@@ -14,6 +14,8 @@ You are a Security Operations Analyst working at a company that implemented Micr

An incident can include multiple alerts. It is an aggregation of all the relevant evidence for a specific investigation. The properties related to the alerts, such as severity and status, are set at the incident level. After you let Microsoft Sentinel know what kinds of threats you are looking for and how to find them, you can monitor detected threats by investigating incidents.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Investigate an incident
@@ -30,7 +32,7 @@ In this task, you will investigate an incident.

1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.

1. Select your Microsoft Sentinel Workspace you created earlier.
1. Select your Microsoft Sentinel Workspace.

1. Select the **Incidents** page.

4 changes: 3 additions & 1 deletion Instructions/Labs/LAB_AK_09_Lab1_Ex09_ASIM.md
@@ -12,6 +12,8 @@ lab:

You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to model ASIM parsers for a specific Windows registry event. These parsers will be finalized at a later time following the [Advanced Security Information Model (ASIM) Registry Event normalization schema reference](https://docs.microsoft.com/azure/sentinel/registry-event-normalization-schema).

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Deploy the Registry Schema ASIM parsers
@@ -28,7 +30,7 @@ In this task, you'll review the Registry Schema parsers that are included with t

1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.

1. Select your Microsoft Sentinel Workspace you created earlier.
1. Select your Microsoft Sentinel Workspace.

<!--- 1. In the Edge browser, open a new tab (Ctrl+T) and navigate to the Microsoft Sentinel GitHub ASIM page <https://github.com/Azure/Azure-Sentinel/tree/master/ASIM>.
2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_09_Lab1_Ex10_Workbooks.md
@@ -14,6 +14,8 @@ You are a Security Operations Analyst working at a company that implemented Micr

Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Explore workbook templates
2 changes: 2 additions & 0 deletions Instructions/Labs/LAB_AK_09_Lab1_Ex11_Content_Management.md
@@ -10,6 +10,8 @@ lab:

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You already created Scheduled and Microsoft Security Analytics rules. You need to centralize analytical rules in an Azure DevOps repository. Then connect Sentinel to the Azure DevOps repository and import the content.

>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
### Estimated time to complete this lab: 30 minutes

### Task 1: Create and export an analytical rule