SC-200 All Labs Updates #489
v-absamim wants to merge 1 commit into MicrosoftLearning:SentinelStaticPOC from
Conversation
…nelStaticPOC Merge pull request MicrosoftLearning#485 from MicrosoftLearning/master
Pull request overview
This PR updates SC-200 lab instruction markdown to improve consistency and accuracy, largely by standardizing navigation and terminology around using Microsoft Defender XDR (and Sentinel-in-Defender) and removing legacy/duplicated lab variants.
Changes:
- Replaced several legacy Azure-portal-based lab files with Defender-XDR-aligned equivalents (new `*_Defender.md` files; old files removed).
- Updated step-by-step navigation, UI labels, and sign-in guidance (including TAP notes) for current portal experiences.
- Fixed assorted typos/grammar and minor formatting consistency issues across multiple labs.
Reviewed changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| Instructions/Labs/LAB_AK_10_Lab1_Ex02_Notebooks_Defender.md | New Defender XDR-based notebook hunting exercise (VS Code + extensions + MCP flow). |
| Instructions/Labs/LAB_AK_10_Lab1_Ex02_Notebooks.md | Removed legacy notebook lab variant. |
| Instructions/Labs/LAB_AK_10_Lab1_Ex01_Hunting_Defender.md | New Defender XDR-based threat hunting lab (Arc connect, advanced hunting, data lake job flow). |
| Instructions/Labs/LAB_AK_10_Lab1_Ex01_Hunting.md | Removed legacy hunting lab variant. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex10_Content_Management_Defender.md | New/renamed Defender XDR-based “Repositories” lab (Azure DevOps steps + cleanup). |
| Instructions/Labs/LAB_AK_09_Lab1_Ex11_Content_Management.md | Removed legacy “Repositories” lab variant. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex09_Workbooks_Defender.md | New Defender XDR-based workbooks lab with updated UI steps. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex10_Workbooks.md | Removed legacy workbooks lab variant. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex08_ASIM_Defender.md | New Defender XDR-based ASIM parsers lab using Advanced hunting > Functions. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex09_ASIM.md | Removed legacy ASIM parsers lab variant. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex07_Investigate_Defender.md | Updated investigation lab to current incident UX (Manage incident, tasks, activity log, etc.). |
| Instructions/Labs/LAB_AK_09_Lab1_Ex06_Detections_Defender.md | Updated detections lab for Defender XDR advanced hunting + “Create detection rule” flow. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex05_Perform_Attacks_Defender.md | Updated attack execution lab for credential wording and exercise numbering. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex04_Attacks_Defender.md | Updated “prepare attacks” lab with shared-environment guidance and Arc reconnection checks. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex03_Entity_Behavior_Defender.md | New Defender XDR-based UEBA/anomalies lab under Sentinel settings. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex04_Entity_Behavior.md | Removed legacy UEBA lab variant. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex02_Scheduled_Query_Defender.md | New Defender XDR-based scheduled query lab (templates + test via Azure portal activity). |
| Instructions/Labs/LAB_AK_09_Lab1_Ex03_Scheduled_Query.md | Removed legacy scheduled query lab variant. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex01_Playbook_Defender.md | Updated playbook lab to Sentinel-in-Defender navigation + revised RG guidance. |
| Instructions/Labs/LAB_AK_09_Lab1_Ex01_Security_Rule.md | Removed legacy “Modify a Microsoft Security rule” lab variant. |
| Instructions/Labs/LAB_AK_08_Lab1_Ex04_Connect_Defender_XDR.md | Updated simulation steps/labels and Defender XDR portal instructions. |
| Instructions/Labs/LAB_AK_08_Lab1_Ex03_Connect_Linux_Defender.md | Updated Linux connector flow to Sentinel-in-Defender and revised DCR naming guidance. |
| Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows_Defender.md | Updated Windows connector flow and shared-environment guidance (unique RG/VM naming). |
| Instructions/Labs/LAB_AK_08_Lab1_Ex01_Connect_Services_Defender.md | New Defender XDR-based “connect services” lab (Content hub + connectors). |
| Instructions/Labs/LAB_AK_08_Lab1_Ex01_Connect_Services.md | Removed legacy “connect services” lab variant. |
| Instructions/Labs/LAB_AK_07_Lab1_Ex01_Deploy_Sentinel_Defender.md | New Sentinel setup lab aligned to Defender XDR/Sentinel-in-Defender experience. |
| Instructions/Labs/LAB_AK_07_Lab1_Ex01_Deploy_Sentinel.md | Removed legacy Sentinel deployment lab variant. |
| Instructions/Labs/LAB_AK_05_Lab1_Ex02_Explore_MDC.md | Updated wording/formatting, Azure portal navigation, and UI label consistency. |
| Instructions/Labs/LAB_AK_05_Lab1_Ex01_Enable_MDC.md | Updated sign-in language and minor formatting/label fixes. |
| Instructions/Labs/LAB_AK_04_Lab1_Ex02_Mitigate_Attacks.md | Updated Defender XDR portal wording and UI label formatting consistency. |
| Instructions/Labs/LAB_AK_04_Lab1_Ex01_Deploy_Defender_Endpoint.md | Updated onboarding package naming and portal navigation section labels. |
| Instructions/Labs/LAB_AK_03_Lab1_Ex01_Explore_Purview_Audit.md | Fixed typo and updated navigation (Operational technology > More resources). |
| Instructions/Labs/LAB_AK_02_Lab1_Ex01_Explore_Copilot_Security.md | Improved flow/clarity for plugin/promptbook exploration and minor wording fixes. |
| Instructions/Labs/LAB_AK_01_Lab1_Ex01_Explore_Defender_XDR.md | Updated sign-in phrasing and UI label formatting; minor typo cleanup. |
Comments suppressed due to low confidence (2)
Instructions/Labs/LAB_AK_09_Lab1_Ex06_Detections_Defender.md:31
- The workspace name in this note conflicts with the rest of the Defender-XDR-based labs (which reference sentinelworkspace-01). Using defenderWorkspace here is likely to confuse learners when selecting the workspace in Defender XDR.
Instructions/Labs/LAB_AK_09_Lab1_Ex07_Investigate_Defender.md:87
- These steps appear to be leftover from an older incident UI flow and duplicate the earlier "Assign to me" action (already done in Manage incident). Consider removing/replacing them with the current Defender XDR incident UI steps to avoid conflicting guidance.
| 1. In the *Destination table in Analytics tier* section, select the **SentinelWorkspace-01** workspace from the *Destination workspace* drop-down menu. | ||
| >**Note:** The *_KQL_CL* is the custom log default appendice. |
Typo: "appendice" should be "appendix" (or rephrase to "suffix" if that’s what you mean).
| >**Note:** The *_KQL_CL* is the custom log default appendice. | ||
| 1. Leave the *Create a new table* radio button selected, and enter **C2ATTACKHUNT** for for the new table name. |
Duplicate word: "for for" should be reduced to a single "for".
| 1. Enter a name for your job in the *Job name* field. | ||
| 1. In the *Destination table in Analytics tier* section, select the **SentinelWorkspace-01** workspace from the *Destination workspace* drop-down menu. |
The workspace name casing differs within this file (earlier references sentinelworkspace-01, but here it says SentinelWorkspace-01). Please standardize the workspace name to match what learners will actually see/select.
| 1. Selecting the **Learn more** button opens a new tab in the browser for the *Microsoft Defender XDR* portal. | ||
| 1. On the **Defender Defender** portal **Home** screen, you should see a banner at the top with the message, *Get your SIEM and XDR in one place*. Select the **Connect a workspaces** button. | ||
| 1. On the **Defender XDR** portal **Home** screen, you should see a banner at the top with the message, *Get your SIEM and XDR in one place*. Select the **Connect a workspaces** button. |
Grammar: the UI button label should be singular ("Connect a workspace"), not "Connect a workspaces".
| 1. On the **Defender XDR** portal **Home** screen, you should see a banner at the top with the message, *Get your SIEM and XDR in one place*. Select the **Connect a workspaces** button. | |
| 1. On the **Defender XDR** portal **Home** screen, you should see a banner at the top with the message, *Get your SIEM and XDR in one place*. Select the **Connect a workspace** button. |
| 1. The page should show the Files for the Repo. The only file is README.md. | ||
| 1. On the Files (right side of the page) pane, Contents tab, the toolbar include options *Set up build*, *Clone*, and three vertical dots (*More options*). Select the three vertical dots to show *More options*. |
Grammar agreement: "the toolbar include options" should be "the toolbar includes options".
| 1. On the Files (right side of the page) pane, Contents tab, the toolbar include options *Set up build*, *Clone*, and three vertical dots (*More options*). Select the three vertical dots to show *More options*. | |
| 1. On the Files (right side of the page) pane, Contents tab, the toolbar includes options *Set up build*, *Clone*, and three vertical dots (*More options*). Select the three vertical dots to show *More options*. |
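Review bot: the context line "The page should show the Files for the Repo. The only file is README.md." mixes a capitalized "Files" with the casual "Repo"; since the next step styles the UI pane as "Files", suggest either "The page should show the files in the repository" or consistent UI-label formatting for *Files* in both lines.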
| 1. On the **Defender XDR** portal **Home** screen, you should see a banner at the top with the message, *Your unified SIEM and XDR is ready*. Select the **Start Hunting** button. | ||
| 1. In *Advanced hunting*, you should see a message to "Explore your content from Microsoft Sentinel". In the *Advanced hunting* navigation menu, you can find the *Microsoft Sentinel* tables, functions, and queries under the corresponding tabs. | ||
| 1. In the **Advanced hunting** navigation menu, you should see a message to "Explore your content from Microsoft Sentinel". you can find the Microsoft Sentinel tables, functions, and queries under the corresponding tabs. |
Sentence starts mid-sentence after a period ("...". you can find ...). Capitalize "You" to keep grammar consistent.
| 1. In the **Advanced hunting** navigation menu, you should see a message to "Explore your content from Microsoft Sentinel". you can find the Microsoft Sentinel tables, functions, and queries under the corresponding tabs. | |
| 1. In the **Advanced hunting** navigation menu, you should see a message to "Explore your content from Microsoft Sentinel". You can find the Microsoft Sentinel tables, functions, and queries under the corresponding tabs. |
| 1. Select **Notepad** and then select **OK**. | ||
| 1. Review the Azure Resource Manager template and the close it when done. |
Grammar: "and the close it" should be "and then close it".
| 1. Review the Azure Resource Manager template and the close it when done. | |
| 1. Review the Azure Resource Manager template and then close it when done. |
| 1. Within the search bar of Extensions, search for *Python*, and select **Install**. | ||
| 1. Within the search bar of Extensions, search for *Jupyter Notebooks*, If not already installed, select **Install**. |
Minor grammar/punctuation: this clause should start with lowercase "if" after the comma (", if not already installed, ...").
| 1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**. | ||
| >**Note:** If you receive a message "The operation could not be completed. Please try again later. If the problem persists, contact Microsoft support." just click **OK** to continue. | ||
| >**Note:** You may be prompted to enter the *Temporary Access Pass* (TAP) instead of a password.. |
There is an extra period at the end of this sentence ("password.."). Remove one period.
| >**Note:** You may be prompted to enter the *Temporary Access Pass* (TAP) instead of a password.. | |
| >**Note:** You may be prompted to enter the *Temporary Access Pass* (TAP) instead of a password. |
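Review bot: two small points in the unchanged context lines of this hunk. The **Enter password** step reads "copy, and paste in the admin's tenant password", where the comma after "copy" should go ("copy and paste the admin's tenant password"), and the error-message note says "just click **OK** to continue" while every other step in these labs uses "select" for UI actions; suggest "select **OK** to continue" for consistency.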
| In this task, you'll create a Data lake KQL job to look for a C2 attack. | ||
| >**Note:**: The *KQL job* feature allows you to run KQL queries on your data lake and create a job that will continuously monitor for specific patterns or anomalies. |
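Review bot: the casing of the feature name differs between the task intro ("create a Data lake KQL job") and the note two lines later ("run KQL queries on your data lake"); pick one form and use it in both lines so learners do not read "Data lake" as a distinct product name.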
There is an extra colon after the Note label ("Note::") which renders oddly in Markdown. Remove the extra ':' so the admonition formats consistently.
This pull request focuses on improving clarity, consistency, and accuracy across several lab instruction files. The changes mainly standardize terminology, update navigation steps, clarify instructions, and fix minor typos. Below are the most important updates grouped by theme:
Clarity and Consistency Improvements:
Instructional Accuracy and Navigation Updates:
Minor Corrections and Typos:
Additional Notes:
These changes collectively enhance the usability and accuracy of the lab instructions, making them easier for learners to follow and reducing potential confusion.
Related Issue
Link related Github Issue 🢂 Fixes # . (Include issue number after #)
Checklist
Mark completed with "x" between brackets, "[x]", or checking the box once the PR is created:
Changes proposed in this pull request: