
If you’re looking to learn Microsoft Sentinel hands-on or showcase its capabilities, spinning up a demo lab is easier than you might think. Microsoft offers a 31-day free trial with up to 10TB per day, perfect for testing scenarios without incurring charges. With a few quick steps, you can deploy a fully functional Sentinel lab with built-in cost controls and easy cleanup.
Step-by-Step Guide
1. Start with a Free Azure Subscription
If you don’t already have one, sign up for a free Azure subscription here: Get an Azure Free Account.
2. Create a Resource Group
A resource group will help keep all lab-related resources organized and easy to delete once you’re done. Think of it as a dedicated folder for your lab environment.
3. Set Role-Based Access Control (RBAC)
Assign RBAC roles on the resource group level so everything inside inherits permissions. Recommended roles for demo users: Sentinel Contributor, Sentinel Playbook Operator, Log Analytics Contributor, and Logic Apps Contributor. If you’re assigning access to someone without subscription-level permissions, this step is critical.
4. Add Budget Alerts
Set up a budget alert on the resource group to monitor unexpected costs: How to create a budget in Azure.
5. Create a Log Analytics Workspace
This is where Sentinel will store and analyze logs. Follow this guide: Create a Log Analytics workspace.
6. Set Retention and Daily Cap
Configure retention and set the daily ingestion cap to 10GB to keep usage under control: Configure daily caps.
7. Enable Sentinel on the Workspace
Deploy Sentinel on your workspace: Onboard to Microsoft Sentinel. While you’re at it, enable Auditing and Health Monitoring for better oversight.
8. Enable UEBA (User and Entity Behavior Analytics)
This requires temporary Entra Global Admin access: Enable UEBA.
9. Deploy Featured Solutions from Content Hub
These solutions add prebuilt workbooks, analytic rules, and playbooks: Sentinel Solutions Catalog.
10. Start with Free Data Connectors
Before connecting billable data sources, start with free connectors: Free Data Sources in Sentinel and Configure data connectors.
11. Explore Core Features
Try out analytic rules, automation rules, hunting queries, and dashboards. While notebooks are typically beyond the scope of short-term labs, exploring them is a great next step.
12. Integrate with Microsoft XDR
Connect with Microsoft Defender for Endpoint, Office 365, and Defender for Identity: Integrate with Microsoft 365 Defender.
13. Experiment with Playbooks
Create and test automated workflows: Playbook Recommendations.
14. Configure an Agent-Based Data Collection VM
Spin up an Azure VM and onboard it to Sentinel for event collection: Create data collection rules.
15. Set Up Azure Arc-Based Collection
If you have on-prem devices or non-Azure servers, Azure Arc allows integration: Onboard Arc servers to Sentinel.
16. Test Ingestion Transforms
Explore how to shape data as it arrives in Sentinel: Ingestion Transforms.
17. Experiment with Archival Settings
Understand long-term data storage by adjusting archival settings per table: Configure Data Retention.
18. Practice Restoring Archived Data
Ingest a simple log source, archive it, and practice restoration: Log Plans and Restore Archived Logs.
19. Clean Up Before Your Trial Expires
Delete the resource group to clean up all associated resources in one go. If you want to continue after the trial, you can always start fresh with a new trial subscription.
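The core of the lab (steps 2, 3, 5, 6, 7 and 19) can be scripted with the Azure CLI so the cost controls are applied at creation time rather than remembered afterwards. The script below is an added example, not part of the original post: it assumes a logged-in `az` CLI with the `sentinel` extension installed, uses placeholder names (`sentinel-demo-rg`, `sentinel-demo-law`, `eastus`, a `SUBSCRIPTION_ID` you export), and spells the four recommended roles with their built-in Azure names. The `az sentinel onboarding-state create` call is my assumption of the extension's onboarding command; check it against your CLI version. It defaults to a dry run that only prints the commands it would issue.

```shell
#!/usr/bin/env bash
# Sentinel demo-lab provisioning (hypothetical example; names are placeholders).
# Assumes: az CLI logged in, "az extension add --name sentinel" done,
# and SUBSCRIPTION_ID exported for the RBAC scope.
set -eu

RG="${RG:-sentinel-demo-rg}"                 # placeholder resource group
LOCATION="${LOCATION:-eastus}"               # placeholder region
WORKSPACE="${WORKSPACE:-sentinel-demo-law}"  # placeholder workspace name
RETENTION_DAYS="${RETENTION_DAYS:-30}"       # interactive retention (step 6)
DAILY_CAP_GB="${DAILY_CAP_GB:-10}"           # 10GB daily ingestion cap (step 6)
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands only, 0 = execute

# run: print the command for review; execute it only when DRY_RUN=0.
# (Printed lines drop shell quoting, so they are for review, not copy-paste.)
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Step 2: one resource group holds every lab resource for one-shot cleanup.
create_resource_group() {
  run az group create --name "$RG" --location "$LOCATION"
}

# Step 3: assign the recommended roles at resource-group scope so everything
# inside inherits them. $1 is the demo user's UPN or object id.
assign_lab_roles() {
  local assignee="$1"
  local scope="/subscriptions/${SUBSCRIPTION_ID:-<subscription-id>}/resourceGroups/${RG}"
  local role
  for role in "Microsoft Sentinel Contributor" "Microsoft Sentinel Playbook Operator" \
              "Log Analytics Contributor" "Logic App Contributor"; do
    run az role assignment create --assignee "$assignee" --role "$role" --scope "$scope"
  done
}

# Steps 5 and 6: create the workspace with retention and the daily cap already
# set, so no log can be ingested before the cost control exists.
create_workspace() {
  run az monitor log-analytics workspace create \
    --resource-group "$RG" --workspace-name "$WORKSPACE" --location "$LOCATION" \
    --retention-time "$RETENTION_DAYS" --quota "$DAILY_CAP_GB"
}

# Step 7: onboard the workspace to Sentinel (assumed az sentinel extension syntax).
enable_sentinel() {
  run az sentinel onboarding-state create --name default \
    --resource-group "$RG" --workspace-name "$WORKSPACE"
}

# Step 19: deleting the resource group removes the workspace, Sentinel,
# playbooks, VMs and role assignments scoped to it in one operation.
cleanup() {
  run az group delete --name "$RG" --yes --no-wait
}

# Dispatch: ./lab.sh provision <user> | ./lab.sh cleanup
case "${1:-}" in
  provision)
    create_resource_group
    assign_lab_roles "${2:?usage: $0 provision <demo-user-upn-or-object-id>}"
    create_workspace
    enable_sentinel
    ;;
  cleanup)
    cleanup
    ;;
esac
```

Run `./lab.sh provision demo-user@example.com` first to review the commands, then `DRY_RUN=0 ./lab.sh provision demo-user@example.com` to execute them; `DRY_RUN=0 ./lab.sh cleanup` tears the lab down before the trial expires. Budget alerts (step 4), UEBA and the Content Hub solutions are still configured in the portal as the post describes.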
With this setup, you can confidently explore Sentinel, test integrations, and showcase value without surprise costs or messy cleanup.
Happy hunting!