Module 7: Configure Your Microsoft Sentinel Environment

16-20 hours · Manage a Security Operations Environment (40-45%)

This is the most important module in the course.

That statement requires justification. The SC-200 exam allocates 40-45% of questions to the “Manage a Security Operations Environment” domain — and configuring the Sentinel workspace is the foundational skill in that domain. Every analytics rule (Module 9), every data connector (Module 8), every threat hunt (Module 10), every automation playbook, every workbook, and every investigation query runs on the workspace you configure here. The decisions you make in this module — workspace architecture, log tier assignments, retention policies, RBAC model, and data connector configuration — determine the capabilities, cost, and effectiveness of everything that follows.

Modules 1-5 taught you to investigate threats using the data in the Defender XDR portal. Module 6 taught you the KQL language to query that data. This module teaches you to build the data platform that stores, retains, and makes that data queryable. Without a properly configured Sentinel workspace, you have KQL skills with nowhere to run them and detection rules with no data to evaluate.

The decisions in this module are hard to change later. Migrating data between workspaces, changing log tier assignments retroactively, and restructuring RBAC after hundreds of analytics rules are deployed are all painful and expensive. Get these right now and you avoid rework when your ingestion doubles in six months.

Prerequisites

Complete Module 6 (KQL) before starting this module. You need KQL to query workspace health tables, validate data ingestion, and understand the table schemas covered in subsection 7.6. An Azure subscription is required for the hands-on exercises. A Log Analytics workspace on which Sentinel is enabled for the first time gets a 31-day trial covering up to 10 GB/day of ingestion, which is more than enough for lab work; after the trial, pay-as-you-go Azure Monitor pricing still includes the first 5 GB per month free. If you set up the M365 developer tenant and Azure subscription in Module 0, you are ready.

What you will be able to do after completing this module

After completing this module, you will be able to:

- Explain Sentinel's architecture and how it differs from traditional SIEM platforms.
- Design a workspace architecture that meets your organisation's requirements for data residency, RBAC, and multi-tenant management.
- Create and configure a Sentinel workspace with the correct settings for log tier assignment, data retention, and cost controls.
- Understand the three log tiers (Analytics, Basic, Archive) and select the correct tier for each data type based on investigation needs and cost optimisation.
- Navigate the key security tables (SecurityAlert, SecurityIncident, SigninLogs, OfficeActivity, DeviceProcessEvents, AzureActivity) and understand their schema for KQL investigation.
- Create and use watchlists for KQL enrichment.
- Configure threat intelligence ingestion and management.
- Integrate Defender XDR with Sentinel through the unified security operations platform.
- Deploy Content Hub solutions to accelerate coverage.
- Monitor workspace health and data ingestion.
- Configure RBAC and governance for multi-team Sentinel operations.

How this module is structured

7.1 — Microsoft Sentinel: SIEM + SOAR Architecture. What Sentinel is, how it works, and why cloud-native SIEM changes the operational model compared to traditional SIEM platforms like Splunk, QRadar, and ArcSight.

7.2 — Workspace Architecture and Design Decisions. Single vs multi-workspace, regional considerations, tenant boundaries, and the architectural decisions that affect everything downstream.

7.3 — Creating and Configuring a Sentinel Workspace. Hands-on deployment: creating the Log Analytics workspace, enabling Sentinel, configuring initial settings, and validating the deployment.

7.4 — Log Types: Analytics, Basic, and Archive Tiers. The three-tier model that determines query capability, retention, and cost for each table. Strictly, Analytics and Basic are table plans chosen at ingestion, while Archive is long-term retention applied to a table after its interactive retention ends; archived data is reached through search jobs or restore rather than ordinary KQL queries, which is why the tier you pick shapes what an analyst can do during an investigation. This is the most impactful cost decision in Sentinel operations.

7.5 — Data Retention and Cost Management. Retention policies, commitment tiers, cost estimation, ingestion optimisation, and the operational practices that keep Sentinel costs predictable.

7.6 — Key Tables and Schema for Security Operations. The 20 tables you query most frequently, their schema, their data sources, and the KQL patterns specific to each table.

7.7 — Watchlists: Named Data for KQL Enrichment. Creating watchlists from CSV data, using watchlists in KQL queries and analytics rules, and the operational patterns that make watchlists a powerful investigation tool.
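As an added example (not part of the course material), the following KQL shows the enrichment pattern subsection 7.7 describes: a watchlist is pulled into a query with the built-in _GetWatchlist() function and joined against SigninLogs. The watchlist alias HighValueAccounts, its Tier column, and the choice of UserPrincipalName as the SearchKey are assumptions for this illustration; substitute the alias and columns of your own watchlist.

```kusto
// Added example: enrich successful sign-ins with a watchlist of sensitive accounts.
// Assumptions: a watchlist with alias 'HighValueAccounts' was uploaded from a CSV
// whose SearchKey column is UserPrincipalName and which carries a 'Tier' column.
let watched = _GetWatchlist('HighValueAccounts')
    | project UserPrincipalName = tostring(SearchKey), Tier = tostring(Tier);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                       // successful sign-ins only
| join kind=inner watched on UserPrincipalName  // keep only watched accounts
| summarize SignIns = count(),
            DistinctIPs = dcount(IPAddress),
            Apps = make_set(AppDisplayName, 20)
          by UserPrincipalName, Tier
| order by DistinctIPs desc
```

The same let/join block works unchanged inside a scheduled analytics rule, which is the usual way a watchlist turns a generic sign-in rule into one scoped to the accounts the SOC actually cares about.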

7.8 — Threat Intelligence in Sentinel. Ingesting threat indicators from STIX/TAXII feeds, Microsoft threat intelligence, and manual entry. Managing indicator lifecycle. Using TI in analytics rules and hunting queries.

7.9 — Integrating Defender XDR with Sentinel. The unified security operations platform, the bi-directional data flow, incident synchronisation, and the operational model where Sentinel and Defender XDR work as one.

7.10 — Content Hub and Solutions. Deploying pre-built analytics rules, workbooks, playbooks, and hunting queries from Content Hub. Evaluating solution quality. Managing solution updates.

7.11 — Workspace Health and Operational Monitoring. Monitoring data ingestion volume, detecting connector failures, tracking query performance, and building the operational dashboard that keeps the workspace healthy.
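Both the prerequisite note (validating that data is arriving) and subsection 7.11 (spotting connectors that have gone quiet) come down to the same query against the Usage table. The KQL below is an added example, not course material; it assumes nothing beyond the standard Usage table. The second part of the example relies on the SentinelHealth table, which only exists once health monitoring has been turned on in the workspace settings.

```kusto
// Added example: per-table ingestion check for the last 8 days.
// Quantity in the Usage table is in MB; IsBillable separates free from paid data.
// Tables that ingested data in the prior week but nothing in the last 24 hours
// are the ones worth checking for a broken connector.
Usage
| where TimeGenerated > ago(8d)
| where IsBillable == true
| summarize Prior7dMB = round(sumif(Quantity, TimeGenerated < ago(1d)), 1),
            Last24hMB = round(sumif(Quantity, TimeGenerated >= ago(1d)), 1),
            LastRecord = max(TimeGenerated)
          by DataType
| extend Status = case(Prior7dMB > 0 and Last24hMB == 0, "STOPPED",
                       Last24hMB > 0, "OK",
                       "NO_DATA")
| order by Status asc, Prior7dMB desc
```

To confirm the cause once a table shows STOPPED, the SentinelHealth table (assumed enabled) records connector-level failures directly: `SentinelHealth | where TimeGenerated > ago(1d) | where SentinelResourceType == "Data connector" and Status != "Success" | project TimeGenerated, SentinelResourceName, Status, Description`.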

7.12 — RBAC, Multi-Workspace, and Governance. Role assignments for SOC teams, resource-level permissions, multi-workspace architecture for MSSPs and large enterprises, and the governance framework for Sentinel operations.

7.13 — Module Summary. Key takeaways, skills checklist, SC-200 exam objectives covered.

7.14 — Check My Knowledge. 20 scenario-based questions covering all subsections.

Sections in this module