Module 5: Designing & Configuring a Sentinel Workspace

90 minutes · Manage a Security Operations Environment (20-25%)

Sentinel is where your detection engineering, automation, and hunting happen. Every analytics rule, every playbook, every workbook, and every threat hunt you build in Modules 10, 23-28 runs on the workspace you configure here.

This module covers the decisions that are hard to change later — workspace architecture, log tier assignments, retention policies, and cost controls. Get these right now and you avoid expensive rework when your ingestion doubles in six months.

SENTINEL ARCHITECTURE — WHAT YOU ARE BUILDING IN THIS MODULE

[Architecture diagram; the layers it shows, top to bottom:]
- Microsoft Sentinel: Analytics Rules · Incidents · Automation · Hunting · Workbooks
- Log Analytics Workspace: Tables · Retention · Log Tiers (Analytics / Basic / Archive)
- Data sources feeding the workspace: M365 Defender · Entra ID · Azure Activity · Third-Party / Syslog
Prerequisites

You need an Azure subscription connected to your M365 tenant. If you set up the developer tenant in Module 1.11, connect an Azure free subscription to it now — Step 4 in those instructions. The free tier includes 5 GB/day of Sentinel ingestion, which is sufficient for all lab exercises in this module.

Sections in this module