Task overview
You are a Security Operations Architect working at a company that is implementing Microsoft Sentinel. You are responsible for setting up the Microsoft Sentinel environment to meet the company requirement to minimize cost, meet compliance regulations, and provide the most manageable environment for your security team to perform their daily job responsibilities. Your first task is to deploy a Microsoft Sentinel workspace. The solution must meet the following requirements:
- Ensure Sentinel data is stored in the West US Azure region.
- Ensure that all Sentinel analytics logs are retained for 180 days.
- Assign roles to Operator1 to ensure that Operator1 can manage incidents and run sentinel playbooks. The solution must meet the principle of least privilege.
Exercise instructions
Task 1 - Create a Log Analytics workspace
Create a Log Analytics workspace, including the region option. Learn more about onboarding Microsoft Sentinel.
- In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com.
- In the Sign in dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select Next.
- In the Enter password dialog box, copy, and paste in the admin’s tenant password provided by your lab hosting provider and then select Sign in.
- In the Search bar of the Azure portal, type Microsoft Sentinel, then select Microsoft Sentinel.
- Select + Create.
- Select Create a new workspace.
- Select RG2 as the Resource Group.
- Enter a unique name for the Log Analytics workspace.
- Select West US as the region for the workspace.
- Select Review + create to validate the new workspace.
- Select Create to deploy the workspace.
Task 2 - Deploy Microsoft Sentinel to a workspace
Deploy Microsoft Sentinel to the workspace.
- When the workspace deployment completes, select Refresh to display the new workspace.
- Select the workspace you want to add Sentinel to (created in Task 1).
- Select Add.
Task 3 - Configure data retention
Configure data retention. Learn more about data retention.
- Go to the Log Analytics workspace created in Task 1 step 5.
- Select Usage and estimated costs.
- Select Data retention.
- Change data retention period to 180 days.
- Select OK.
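The same three tasks, plus the Operator1 role assignment called for in the task overview, done with the Az PowerShell modules instead of the portal. This is an added example, not part of the lab; the workspace name, Operator1's UPN and the assumption that the playbooks live in RG2 are mine, while RG2, West US and 180 days come from the requirements above.

```powershell
# Added example (not from the lab). Requires Az.Accounts, Az.OperationalInsights,
# Az.SecurityInsights and Az.Resources, and an account allowed to deploy into RG2.
$rg        = 'RG2'                           # from the task
$wsName    = 'sentinel-lab-ws-01'            # assumption: any unique workspace name
$location  = 'westus'                        # requirement: data stored in West US
$retention = 180                             # requirement: 180-day retention
$operator  = 'operator1@contoso.example'     # assumption: Operator1's UPN (placeholder)

Connect-AzAccount | Out-Null

# Task 1: create the Log Analytics workspace in West US; retention is set at creation
# so there is no window in which the default retention applies.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
        -Location $location -Sku 'PerGB2018' -RetentionInDays $retention

# Task 2: onboard Microsoft Sentinel to that workspace (the 'default' onboarding state).
New-AzSentinelOnboardingState -ResourceGroupName $rg -WorkspaceName $wsName -Name 'default' | Out-Null

# Task 3 check: read the settings back and stop if either requirement is not met.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
if ($ws.Location -ne $location)         { throw "Workspace is in '$($ws.Location)', expected '$location'" }
if ($ws.RetentionInDays -ne $retention) { throw "Retention is $($ws.RetentionInDays) days, expected $retention" }

# Least privilege for Operator1: two narrow built-in roles at the narrowest useful scope,
# not Contributor/Owner on the subscription.
#  - Microsoft Sentinel Responder on the workspace: view and manage incidents.
#  - Microsoft Sentinel Playbook Operator on the resource group holding the playbooks
#    (assumed here to be RG2): list and manually run playbooks, nothing more.
$user    = Get-AzADUser -UserPrincipalName $operator
$rgScope = (Get-AzResourceGroup -Name $rg).ResourceId
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Microsoft Sentinel Responder' `
    -Scope $ws.ResourceId | Out-Null
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Microsoft Sentinel Playbook Operator' `
    -Scope $rgScope | Out-Null

# Review what Operator1 actually holds at the resource group and below; anything broader
# than the two roles above is a finding.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $rgScope |
    Select-Object RoleDefinitionName, Scope
```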
Note: For additional practice complete the Create and manage Microsoft Sentinel workspaces module.