Merge pull request #51105 from KenMAG/main

Adding new unit with a simulation exercise

Author: JillGrant615

learn-pr/wwl-sci/.openpublishing.redirection.wwl-sci.json

@@ -372,6 +372,11 @@
         "redirect_url": "https://learn.microsoft.com/training/modules/connect-threat-indicators-to-azure-sentinel/9-summary-resources/",
         "redirect_document_id": false
       },
+      {
+        "source_path_from_root": "/learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/6-summary.yml",
+        "redirect_url": "https://learn.microsoft.com/training/modules/configure-siem-security-operations-using-microsoft-sentinel/7-summary/",
+        "redirect_document_id": false
+      },
     {
       "source_path": "learn-pr/wwl-azure/purview-implement-manage-retention/auto-apply-retention-label.md",
       "redirect_url": "/training/modules/purview-manage-records/auto-apply-retention-label",

learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/1-introduction.yml

@@ -4,8 +4,8 @@ title: Introduction
 metadata:
   title: Introduction
   description: "Configure a Security Information and Event Management (SIEM) for Security Operations using Microsoft Sentinel."
-  ms.date: 10/3/2023
-  author: wwlpublish
+  ms.date: 06/25/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 durationInMinutes: 5

learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/6-exercise.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs-simulation.exercise
+title: Exercise - Connect Microsoft Sentinel to Microsoft Defender XDR
+metadata:
+  title: Exercise - Connect Microsoft Sentinel to Microsoft Defender XDR
+  description: "Run a simulation exercise to connect a Microsoft Sentinel workspace to the Microsoft Defender portal."
+  ms.date: 6/25/2025
+  author: KenMAG
+  ms.author: kelawson
+  ms.topic: unit
+durationInMinutes: 15
+content: |
+  [!include[](includes/6-exercise.md)]

learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/6-summary.yml renamed to learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/7-summary.yml

@@ -4,10 +4,10 @@ title: Summary
 metadata:
   title: Summary
   description: "Provides a summary of configuring a Security information and event management (SIEM) for Security Operations using Microsoft Sentinel."
-  ms.date: 04/01/2025
-  author: wwlpublish
+  ms.date: 06/25/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 durationInMinutes: 5
 content: |
-  [!include[](includes/6-summary.md)]
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/includes/1-introduction.md

@@ -8,3 +8,4 @@ After completing this module, you'll be able to:
 - Deploy Microsoft Sentinel Content Hub solutions and data connectors
 - Configure Microsoft Sentinel Data Collection rules, NRT Analytic rule and Automation
 - Perform a simulated attack to validate Analytic and Automation rules
+- Connect Microsoft Sentinel to Microsoft Defender XDR.

learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/includes/6-exercise.md

@@ -0,0 +1,94 @@
+You're a Security Operations Analyst working at a company that deployed both Microsoft Defender XDR and Microsoft Sentinel. You need to prepare for the Unified Security Operations Platform connecting Microsoft Sentinel to Defender XDR. 
+
+In this exercise, you perform the following tasks:
+
+- Install the Microsoft Defender XDR Content Hub solution.
+- Deploy the Microsoft Sentinel connector to connect Microsoft Sentinel to Microsoft Defender XDR.
+- Connect Microsoft Sentinel to Microsoft Defender XDR.
+- Explore the Microsoft Sentinel capabilities in the Microsoft Defender XDR portal.
+
+> [!NOTE]
+>The environment for this exercise is a simulation generated from the product. As a limited simulation, links on a page may not be enabled and text-based inputs that fall outside of the specified script may not be supported. A pop-up message displays stating, "This feature isn't available within the simulation." When this occurs, select OK and continue the exercise steps.
+>
+>
+>:::image type="content" source="../media/simulation-pop-up-error.png" alt-text="Screenshot of pop-up screen indicating that this feature isn't available within the simulation.":::
+
+### Task 1: Connect Defender XDR
+
+In this task, you deploy the Microsoft Defender XDR connector.
+
+1. In the Microsoft Edge browser, open the simulated environment by selecting this link: **[Azure portal]( https://app.highlights.guide/start/1c894b46-4b0a-40cb-b0f0-1e1c86c615f3?token=16d48b6c-eace-4a1f-8050-098d29d23a89)**.
+
+1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.
+
+1. On the *Microsoft Sentinel* page, select the **Woodgrove-LogAnalyiticWorkspace** Workspace.
+
+1. In the Microsoft Sentinel navigation menu, scroll down to and expand the **Content management** section. Then select **Content Hub**.
+
+1. In the *Content hub*, search for the **Microsoft Defender XDR** solution and select it from the list.
+
+1. On the *Microsoft Defender XDR* solution details page, select **Install**.
+
+1. When the installation completes,  search for the **Microsoft Defender XDR** solution and select it.
+
+1. On the *Microsoft Defender XDR* solution details page, select **Manage**
+
+1. Select the *Microsoft Defender XDR* Data connector check-box, and select **Open connector page**.
+
+1. In the *Configuration* section, under the *Instructions* tab, select the **Connect incidents & alerts** button.
+
+1. You should see a message that the connection was successful.
+
+### Task 2: Connect Microsoft Sentinel and Microsoft Defender XDR
+
+In this task, you continue with the simulation and connect a Microsoft Sentinel workspace to Microsoft Defender XDR.
+
+1. Navigate back to the Microsoft Sentinel *Content Hub* (using the "breadcrumb" menu link at the top of the page), and select **Overview (Preview)** from the navigation menu General section.
+
+1. Select the **Learn more** button on the *Get your SIEM and XDR in one place* message.
+
+    :::image type="content" source="../media/siem-xdr-learn-more.png" alt-text="Screen capture of SIEM and XDR Learn more button message." lightbox="../media/siem-xdr-learn-more.png":::
+
+1. Selecting the **Learn more** button opens a new tab in the browser for the *Microsoft Defender XDR* portal.
+
+1. On the **Defender Defender** portal **Home** screen, you should see a banner at the top with the message, *Get your SIEM and XDR in one place*. Select the **Connect a workspaces** button.
+
+    :::image type="content" source="../media/siem-xdr-connect-workspace.png" alt-text="Screen capture of Defender XDR Connect a workspace button." lightbox="../media/siem-xdr-connect-workspace.png":::
+
+1. On the *Choose a workspace* page, select the **woodgrove-loganalyiticsworkspace** Microsoft Sentinel workspace.
+
+1. Select the **Next** button.
+
+1. On the **Set a primary workspace** page, you should see the **woodgrove-loganalyiticsworkspace** Microsoft Sentinel workspace in the drop-down menu. Select the **Next** button.
+
+1. On the *Review and finish* page, verify that the *Workspace* selection is correct and review the bulleted items under the *What to expect when the workspace is connected* section. Select the **Connect** button.
+
+1. You should see a *You're about to connect a workspace* message. Select the **Connect** button.
+
+1. You should now be on the *Workspace successfully connected* page.
+
+1. Select the **Close** button.
+
+    :::image type="content" source="../media/successfully-connected-close-button.png" alt-text="Screen capture of the Defender XDR workspace successfully connected page." lightbox="../media/successfully-connected-close-button.png":::
+
+1. On the **Defender XDR** portal **Home** screen, you should see a banner at the top with the message, *Your unified SIEM and XDR is ready*. Select the **Start Hunting** button.
+
+1. In *Advanced hunting*, you should see a message to "Explore your content from Microsoft Sentinel". In the *Advanced hunting* navigation menu, you can find the *Microsoft Sentinel* tables, functions, and queries under the corresponding tabs.
+
+1. Scroll down under the **Schema** tab to the **Microsoft Sentinel** heading, and then double-click the **ThreatIntelligenceIndicator** table.
+
+1. In the *Query* pane, you should see a (KQL) query that returns threat intelligence indicators. Select the **Run query** button.
+
+    :::image type="content" source="../media/advanced-hunting-sentinel-query.png" alt-text="Screen capture of Defender XDR Sentinel Advanced hunting tables." lightbox="../media/advanced-hunting-sentinel-query.png":::
+
+1. Expand the left main menu pane if collapsed and  expand the new **Microsoft Sentinel** menu items. You should see *Search*, *Threat management*, *Content management*, and *Configuration* selections.
+
+    > [!NOTE]
+    > Be aware that there are capability differences between the Azure Microsoft Sentinel portal and Sentinel in the Microsoft Defender XDR portal **[Portal capability differences](/azure/sentinel/microsoft-sentinel-defender-portal#capability-differences-between-portals)**.
+
+1. From the Microsoft Defender XDR **Microsoft Sentinel** menu items, then select **Configuration** and then **Data connectors**.
+
+1. In the *Data connectors* page, you should see the **Azure Activity** and other data connectors listed with a status of **Connected**.
+
+> [!NOTE]
+> Feel free to explore and compare the other Microsoft Sentinel capabilities, but as this is a simulation, your ability to explore Microsoft Sentinel in the Microsoft Defender portal is limited. In a real environment, you would be able to explore the full Microsoft Sentinel capabilities in the Microsoft Defender portal.

learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/includes/6-summary.md renamed to learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/includes/7-summary.md

@@ -1,18 +1,21 @@
-You should have learned how data is sent to the Microsoft Sentinel workspace by configuring the provided data connectors.  And how the included data connectors are for Microsoft 365 services, Azure, and third-party specific.
+You learned how data is sent to the Microsoft Sentinel workspace by configuring the provided data connectors.  And how the included data connectors are for Microsoft 365 services, Azure, and third-party specific.
 
 You should now be able to:
 
 - Explain the use of data connectors in Microsoft Sentinel
 - Understand how data connectors are installed from Microsoft Sentinel Content Hub Solutions
 - Describe the Microsoft Sentinel data connector providers
 - Explain the Common Event Format and Syslog connector differences in Microsoft Sentinel
+- Connect Microsoft Defender XDR with Microsoft Sentinel
 
 ## Learn more
 
 You can learn more by reviewing the following.
 
 [Deploy and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy)
 
+[Connect Microsoft Sentinel to Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard)
+
 [Become a Microsoft Sentinel Ninja](https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310?azure-portal=true)
 
 [Microsoft Tech Community Security Webinars](https://techcommunity.microsoft.com/t5/microsoft-security-and/security-community-webinars/ba-p/927888?azure-portal=true)

learn-pr/wwl-sci/configure-siem-security-operations-using-microsoft-sentinel/index.yml

@@ -3,8 +3,8 @@ uid: learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs
 metadata:
   title: Configure SIEM security operations using Microsoft Sentinel
   description: "Configure security information and event management (SIEM) security operations using Microsoft Sentinel."
-  ms.date: 04/01/2025
-  author: wwlpublish
+  ms.date: 06/25/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: module-guided-project 
   ms.service: microsoft-sentinel
@@ -15,12 +15,15 @@ abstract: |
   Upon completion of this module, the learner is able to:
   - Create and configure a Microsoft Sentinel workspace
   - Deploy Microsoft Sentinel Content Hub solutions and data connectors
-  - Configure Microsoft Sentinel Data Collection rules, NRT Analytic rule and Automation
+  - Configure Microsoft Sentinel Data Collection rules, NRT Analytic rule, and Automation
   - Perform a simulated attack to validate Analytic and Automation rules
+  - Run a simulation exercise to connect a Microsoft Sentinel workspace to the Microsoft Defender portal
 prerequisites: |
+  - An Azure subscription
   - Basic experience with Azure services
   - Basic knowledge of operational concepts, such as monitoring, logging, and alerting
-  - An Azure subscription
+  - Basic experience with Microsoft Defender
+  - Familiarity with security operations concepts, such as incident response and threat detection
 iconUrl: /learn/achievements/generic-badge.svg
 levels: 
   - intermediate
@@ -30,6 +33,7 @@ products:
 - azure
 - microsoft-sentinel
 - azure-log-analytics
+- microsoft-defender
 subjects: 
   - threat-protection
   - cloud-security
@@ -39,6 +43,7 @@ units:
 - learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs-deploy.exercise
 - learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs-validate.exercise
 - learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs-perform.exercise
+- learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs-simulation.exercise
 - learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs.summary
 badge:
   uid: learn.wwl.configure-siem-security-operations-using-microsoft-sentinel-labs.badge