
sc-200t00a-microsoft-security-operations-analyst's Introduction

SC-200: Microsoft Security Operations Analyst

What are we doing?

  • To support this course, we will need to make frequent updates to the course content to keep it current with the Azure and Microsoft 365 services used in the course. We are publishing the lab instructions and lab files on GitHub to allow for open contributions between the course authors and MCTs to keep the content current with changes in the Azure platform.

  • We hope that this brings a sense of collaboration to the labs like we've never had before - when Azure changes and you find it first during a live delivery, go ahead and make an enhancement right in the lab source. Help your fellow MCTs.

How should I use these files relative to the released MOC files?

  • The instructor handbook and PowerPoints are still going to be your primary source for teaching the course content.

  • These files on GitHub are designed to be used in conjunction with the student handbook, but are in GitHub as a central repository so MCTs and course authors can have a shared source for the latest lab files.

  • We recommend that for every delivery, trainers check GitHub for any changes that may have been made to support the latest Azure or Microsoft 365 services, and get the latest files for their delivery.

What about changes to the student handbook?

  • We will review the student handbook on a quarterly basis and update through the normal MOC release channels as needed.

How do I contribute?

  • Any MCT can submit a pull request to the code or content in the GitHub repo; Microsoft and the course author will triage and include content and lab code changes as needed.

  • You can submit bugs, changes, improvements and ideas. Found a new Azure feature before we have? Submit a new demo!

Notes

Classroom Materials

It is strongly recommended that MCTs and Partners access these materials and in turn, provide them separately to students. Pointing students directly to GitHub to access Lab steps as part of an ongoing class will require them to access yet another UI as part of the course, contributing to a confusing experience for the student. An explanation to the student regarding why they are receiving separate Lab instructions can highlight the nature of an always-changing cloud-based interface and platform. Microsoft Learning support for accessing files on GitHub and support for navigation of the GitHub site is limited to MCTs teaching this course only.

sc-200t00a-microsoft-security-operations-analyst's People

Contributors

awillslo, bckelly, billwood44, bneeb, cjpluta, ejneuman, firegl2002, garjen55, haseebktm, hrasheed-msft, itblandmct, kareldewinter, kenmag, moc-labs-review, msft-marcoes, naonao71, paramramki, secretmud, seesharprun, skillablemg, sqltattoo, testertesterson1004


sc-200t00a-microsoft-security-operations-analyst's Issues

Learning Path 6 - Lab 1 - Exercise 3

Contact Details

No response

What happened?

Exercise: 3
Task: 2
Step: 1

Description of issue: Connector has changed the name to "Common Event Format (CEF) via Legacy Agent"

Lab

Lab 06 Exercise 03 Connect Linux hosts to Microsoft Sentinel using data connectors

Relevant screenshots

image

M06-LAB01: Cannot connect events in Microsoft defender (preview)

Contact Details

No response

What happened?

Exercise : 01
Task: 05
Step: 06

Description of issue:
The button that is supposed to read Apply Changes actually reads no permissions

Repro steps: Same as lab

After searching for workarounds and trying several browsers, I found that requests to https://api.security.microsoft.com/api/dataexportsettings return a CORS error in Chrome and Edge,
and sometimes an HTTP 500 error occurred in Firefox.

Using godeploy.

Lab

Lab 06 Exercise 01 Connect data to Microsoft Sentinel using data connectors


SC-200-T200A: Latest Release is empty

Contact Details

[email protected]

What happened?

Description of issue: The Releases page is empty. See screenshot.
image

Under tags you can see older releases from 2019.

This is from readme.md

Repro steps:

  1. Click link in readme.md

Lab

Other

Relevant screenshots

image

LAB_AK_06_Lab1_Ex1_Connect_Services.md - Preview feature is now GA

Contact Details

[email protected]

What happened?

Exercise : 1
Task: 5
Step: 1

The Microsoft 365 Defender connector is out of preview and into general availability.

Replace

From the Data Connectors Tab, search for the Microsoft 365 Defender (Preview) connector and select it from the list.

With

From the Data Connectors Tab, search for the Microsoft 365 Defender connector and select it from the list.

Lab

Other


M7-LAB01:EX1 STEP8 Incorrect Description

Contact Details

No response

What happened?

Exercise : 01
Task: 00
Step: 08

Description of issue:
The name should be "Create incidents based on Microsoft Defender for Cloud" instead of "Create incidents based on Azure Defender alerts"

Lab

Lab 07 Exercise 01 Activate a Microsoft Security rule

Relevant screenshots

Module 7 - Lab 1 - Exercise 1 Step 8

Quality of life change, 01 instead of 1

Contact Details

No response

What should we change?

PROPOSAL

Use two digit numbers in the titles. That way LAB_AK_07_Lab1_Ex10_Workbooks.md sorts after LAB_AK_07_Lab1_Ex09_Workbooks.md instead of before LAB_AK_07_Lab1_Ex9_Workbooks.md.

Lab

Other


Unable to conduct attacks in Module 7

Contact Details

[email protected]

What happened?

Module : 07
Lab : 01
Exercise : 05 Conduct attacks
Task: 01 Attack Windows configured with Defender for Endpoint.
Step: 05

Description of issue:
Unable to conduct attacks, getting an error while running the c2.ps1 script

Lab

Lab 07 Exercise 05 Conduct attacks

Relevant screenshots

image

M02-LAB01: Take longer time to show device under Device Inventory

Contact Details

No response

What happened?

Exercise : 01
Task: 02
Step: 14

Description of issue: The time for a device to show under Device Inventory is longer than the expected 1 hour. In my case, it takes around 3 hours to show.

Lab

Lab 02 Exercise 01 Deploy Microsoft Defender for Endpoint

Relevant screenshots

2022-03-15 13_21_34-All Labs_ Microsoft Security Operations Analyst - Personal - Microsoft Edge

Threat detection with Microsoft Sentinel analytics - Rename Section

Contact Details

[email protected]

What should we change?

Module: Threat detection with Microsoft Sentinel analytics
Exercise - Detect threats with Microsoft Sentinel analytics
Unit 8 / 9

Step 4 suggests searching for "Create incidents based on security alerts". However, the names have changed, and searching for exactly this text won't display anything.

Please update to just, "Create Incidents" as this works.

This is because of the recent Microsoft Defender name changes. Thanks!

Lab

Other

Relevant screenshots

image

M02-EX01 VM not showing in Device Group

Contact Details

No response

What happened?

Exercise: 01
Task: 04
Step: 07

Description of issue: VM not showing in Device Group

Lab

Lab 02 Exercise 01 Deploy Microsoft Defender for Endpoint


M04-LAB01: Several queries do not appear to work

Contact Details

[email protected]

What happened?

The following two queries at the end of Task 6: Work with string data in KQL appear to be failing with no results.

Query 1:

    SigninLogs
    | extend Location = todynamic(LocationDetails)
    | extend City = Location.city
    | extend City2 = Location["city"]
    | project Location, City, City2

Query 2:

    SigninLogs
    | mv-apply Location = todynamic(LocationDetails) on
    ( where Location.countryOrRegion == "ES")

The commonality seems to be that they both work with location data. Removing the "project" line from the first query does return results, but you can see the Location, City, and City2 columns are all completely blank.

Lab

Lab 04 Exercise 01 Create queries for Microsoft Sentinel using Kusto Query Language (KQL)


LAB_AK_08_Lab1_Ex1_Hunting.md - Search feature is now GA, instructions need updating

Contact Details

[email protected]

What happened?

Exercise : 1
Task: 3

The Search feature has become generally available, and the UI has changed since the lab was written.

Also, there's a typo. :-) In Step 5, replace "and the select Apply." with "and then select Apply."

Replace steps 6 onwards with something like the following.

  • In the search box, enter reg.exe and then select Start. A Logs pane will open.

  • Select the ellipsis (…) at the top-right corner and enable the Search job mode slider.

  • Select the Search job button.

  • In the New table name text box, enter "DeviceRegistryEvents" and then select Run a search job.

  • Wait until the Results window shows Search job is done (a couple of minutes) and then select the Done button.

  • The search table DeviceRegistryEvents_SRCH will appear in the bottom of the Search tab. Wait until this shows Search completed (a couple of minutes more) then select View search results > preview.

  • Review the information then select View results in Log Analytics.

  • Review the results then close the Logs pane by clicking the X in the top right-hand corner. When asked *Your unsaved edits will be discarded" select OK.

  • Close the Search results (Preview) pane by clicking the X in the top right-hand corner.

Lab

Other


LAB_AK_04_Lab1_Ex1_KQL.md - KQL best practice

Contact Details

[email protected]

What should we change?

There are a few querying practices that bug me when reading these labs. I don't think they are really worth raising a bug ticket here, but I did want to mention them.

Data types

We should always be mindful of the data type of a column.

Replace:

    EventID == "4624"

With:

    EventID == 4624

Quotes

I know that KQL doesn't care about which quote you use but it would be nice to have some consistency in the lab.

For example, Lab 4 uses single and double quotes at different points.

    EventID == "4624"
    EventID == '4624'

Combining where clauses

It would be great to explain why the lab uses

    | where TimeGenerated > ago(1h)
    | where ProcessName != "" and Process != ""

Instead of

    | where TimeGenerated > ago(1h) and ProcessName != "" and Process != ""

Or

    | where TimeGenerated > ago(1h)
    | where ProcessName != "" 
    | where Process != ""

Semicolons

Is it best practice to end all KQL queries with semicolons?

Lab

Other


M00-LAB00: QUICK_DESCRIPTION

Contact Details

[email protected]

What happened?

Exercise : Module 4 - Lab 1 - Exercise 1
Task:03
Step: 07

Description of issue: "Completed" bar is already gone. New name is "Query Details".

Lab

Lab 04 Exercise 01 Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Relevant screenshots

image

Following screenshot is the latest page. "Query Details" is bottom of the page.
image

Module 7 - Lab 1: Folder unavailable on GitHub

Contact Details

No response

What happened?

Exercise : 02
Task: 02
Step: 10

Description of issue:

Post-Message-Teams folder is not available under Playbooks folder.

Lab

Lab 07 Exercise 02 Create a Playbook

Relevant screenshots

image

M01-EX01: Preset policies interface has changed again

Contact Details

No response

What happened?

Exercise: 01
Task: 02
Step: 10, 15

Description of issue: GUI for applying policies changed again, now it shows "Manage protection settings" to activate them.

Lab

Lab 01 Exercise 01 Explore Microsoft 365 Defender

Relevant screenshots

image

Module 1: Portal changes need updated instructions

Contact Details

No response

What happened?

Exercise: 1
Task: 2

Description of issue:

  • Step 10: Instead of "select Manage" it should be "Apply standard policy"
  • Between Steps 12 and 13: There is a new page "Turn on the policy after I finish"
  • Step 14: Instead of "select Manage" it should be "Apply strict policy"
  • Between Steps 16 and 17: There is a new page "Turn on the policy after I finish"

Lab

Lab 01 Exercise 01 Explore Microsoft 365 Defender

Relevant screenshots

image

Module 4 - Lab 1 - Exercise 1 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL): Getting error with no result found

Contact Details

[email protected]

What happened?

Exercise: 01
Task: 03
Step: 04, 05, 06

Description of issue:

While running the commands of steps 4, 5 and 6 in task 3, I am facing an error: "No results found from the specified time range."

Repro steps:

  1. The following statement is a rule to detect MFA failures across multiple applications for the same account. In the Query Window enter the following statement and select Run:

    let timeframe = 30d;
    let threshold = 1;
    SigninLogs
    | where TimeGenerated >= ago(timeframe)
    | where ResultDescription has "MFA"
    | summarize applicationCount = dcount(AppDisplayName) by UserPrincipalName, IPAddress
    | where applicationCount >= threshold

  2. The following statement demonstrates the arg_max() function, which returns one or more expressions when the argument is maximized. The following statement will return the most current row from the SecurityEvent table for the computer SQL12.NA.contosohotels.com. The * in the arg_max function requests all columns for the row. In the Query Window enter the following statement and select Run:

    SecurityEvent
    | where Computer == "SQL12.na.contosohotels.com"
    | summarize arg_max(TimeGenerated,*) by Computer

  3. The following statement demonstrates the arg_min() function, which returns one or more expressions when the argument is minimized. In this statement, the oldest SecurityEvent for the computer SQL12.NA.contosohotels.com will be returned as the result set. In the Query Window enter the following statement and select Run:

    SecurityEvent
    | where Computer == "SQL12.na.contosohotels.com"
    | summarize arg_min(TimeGenerated,*) by Computer

Please revert back ASAP.
@seesharprun @GraemeMalcolm @bneeb @billwood44

Thank you!

Lab

Lab 04 Exercise 01 Create queries for Microsoft Sentinel using Kusto Query Language (KQL)


Module 1 - Lab 1 - Exercise 2 - downloaded Word doc password protected

Module: 01

Lab/Demo: 01 (exercise 2)

Task: 01

Step: 03

Description of issue

The file 'RS4_WinATP-Intro-Invoice.docm' is password protected.

Through checking on other MSFT sites (reference: https://winatpmanagement.securitycenter.windows.com/client/management/static/AttackSimulationDIYv2.pdf), the pwd appears to be:

WDATP!diy#

Although the pwd is included in the 'learn more' portion of the simulation, the instructions here should be updated to include the pwd, as many students will immediately try to open the doc, not know the pwd, and call support.

SC-200T00A-LAB_AK_06: Missing Prerequisite to connect Microsoft Defender for Cloud alerts to Microsoft Sentinel

Contact Details

[email protected]

What happened?

Exercise : 01
Task: 02
Step: 03

Description of issue: Missing Prerequisite to connect Microsoft Defender for Cloud alerts to Microsoft Sentinel

The official Microsoft documentation for "Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel" (https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud) lists these prerequisites:

  • You must have read and write permissions on your Microsoft Sentinel workspace.
    - You must have the Contributor or Owner role on the subscription you want to connect to Microsoft Sentinel.
  • You will need to enable at least one plan within Microsoft Defender for Cloud for each subscription where you want to enable the connector. To enable Microsoft Defender plans on a subscription, you must have the Security Admin role for that subscription.
  • You will need the SecurityInsights resource provider to be registered for each subscription where you want to enable the connector. Review the guidance on the resource provider registration status and the ways to register it.
  • To enable bi-directional sync, you must have the Contributor or Security Admin role on the relevant subscription.

The user admin@<primary_domain> originally has only the "Service Administrator" (Classic administrator) role.

Repro steps:

  1. Learning Path 6 - Lab 1 - Exercise 1, Task 2, Step 3: FAILS!
  2. In Azure search box, type "Subscriptions"
  3. Click the "Subscriptions" service
  4. Click the "Azure Paas - Sponsorship" subscription name
  5. Click "Access control (IAM)"
  6. Click "Add role assignment"
  7. Click "Privileged administrator roles"
  8. Click the role "Owner" or "Contributor"
  9. Click the "Members" tab
  10. Click "+ Select members"
  11. Type "admin" in the "Select" text box and select the admin user in use in the whole lab
  12. Ensure "admin" user is listed in "Selected members" area
  13. Click "Select" button
  14. Click "Review + assign" button twice
  15. Go back to Microsoft Sentinel/Data Connectors
  16. Learning Path 6 - Lab 1 - Exercise 1, Task 2, Step 3: NOW WORKS!

Lab

Lab 06 Exercise 01 Connect data to Microsoft Sentinel using data connectors

Relevant screenshots

MicrosoftTeams-image (7)
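As an added example (not from the lab or from this issue), the following Az PowerShell script checks the two prerequisites the issue describes, an Owner or Contributor assignment at subscription scope and registration of the SecurityInsights resource provider, and assigns Contributor when it is missing. The subscription name is the one quoted in the repro steps; the UPN is a placeholder, and the script assumes the Az module is installed and Connect-AzAccount has already run.

```powershell
# Added example, not part of the SC-200 lab files. Verifies the prerequisites
# from the issue before Learning Path 6 - Lab 1 - Exercise 1, Task 2, Step 3.
# Assumes: Az module installed, Connect-AzAccount already run.

$SubscriptionName = "Azure Paas - Sponsorship"   # subscription name quoted in the repro steps
$AdminUpn         = "admin@<primary_domain>"      # placeholder: replace with the lab admin UPN
$RequiredRoles    = @("Owner", "Contributor")     # either role satisfies the documented prerequisite

$sub   = Get-AzSubscription -SubscriptionName $SubscriptionName
$scope = "/subscriptions/$($sub.Id)"
Set-AzContext -SubscriptionId $sub.Id | Out-Null

# Prerequisite 1: Owner or Contributor at subscription scope.
# Get-AzRoleAssignment also returns inherited assignments, so an assignment
# made at management-group scope would satisfy this check as well.
$assignments = Get-AzRoleAssignment -SignInName $AdminUpn -Scope $scope
$held = @($assignments | Where-Object { $RequiredRoles -contains $_.RoleDefinitionName })

if ($held.Count -gt 0) {
    Write-Host "OK: $AdminUpn holds $($held.RoleDefinitionName -join ', ') on $scope"
} else {
    Write-Host "MISSING: $AdminUpn has no Owner/Contributor assignment on $scope"
    # Contributor is the lesser of the two roles the documentation accepts;
    # it enables the connector without letting the lab admin grant roles to others.
    New-AzRoleAssignment -SignInName $AdminUpn -RoleDefinitionName "Contributor" -Scope $scope | Out-Null
    Write-Host "Assigned Contributor to $AdminUpn on $scope"
}

# Prerequisite 2: the Microsoft.SecurityInsights (Sentinel) resource provider is registered.
# Get-AzResourceProvider returns one object per resource type, each carrying RegistrationState.
$rp = Get-AzResourceProvider -ProviderNamespace "Microsoft.SecurityInsights"
$registered = @($rp | Where-Object { $_.RegistrationState -eq "Registered" }).Count -gt 0

if ($registered) {
    Write-Host "OK: Microsoft.SecurityInsights is registered on $scope"
} else {
    Register-AzResourceProvider -ProviderNamespace "Microsoft.SecurityInsights" | Out-Null
    Write-Host "Registration of Microsoft.SecurityInsights requested; re-run until the state is Registered"
}
```

Role assignments and provider registration both take a short while to propagate, so re-run the script before retrying the connector step.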

Module 7: Updated playbook steps

Contact Details

No response

What happened?

Exercise: 02
Task: 03
Step: 06

Description of issue:
The name of the first block no longer is "When a response to an Microsoft Sentinel alert is triggered" but just "Microsoft Sentinel Alert"

Lab

Lab 07 Exercise 02 Create a Playbook

Relevant screenshots

image

M06-LAB01: Missing required Azure AD License

Contact Details

[email protected]

What should we change?

Missing Azure AD Premium P1 or P2 license and required permissions for the Sentinel lab, for data connector enablement for Azure AD and other services. The Sign in button is grayed out.

Lab

Lab 06 Exercise 01 Connect data to Microsoft Sentinel using data connectors

Relevant screenshots

image

Module: New portal button to use a ML template

Contact Details

No response

What happened?

Exercise: 02
Task: 01
Step: 16

Description of issue:
Instead of "Clone notebook template" the button now states, "Create from template".

Lab

Lab 08 Exercise 02 Threat Hunting using Notebooks with Microsoft Sentinel

Relevant screenshots

image

Module 1 - Lab 1 - Exercise 1 - Explore Microsoft 365 Defender

Contact Details

[email protected]

What should we change?

Task 2: Apply Microsoft Defender for Office 365 preset security policies - "Under Standard protection, select Edit." It should be Manage as per the new UI.

Task 2: Apply Microsoft Defender for Office 365 preset security policies - "Under Strict protection, select Edit.." It should be Manage as per the new UI.

Need to replace "In the menu, select Global Settings." with "In the menu, click on the Gear icon called Global Settings."

Lab

Lab 01 Exercise 01 Explore Microsoft 365 Defender

Relevant screenshots

image

image

image

Module 7: AAD portal change

Contact Details

No response

What happened?

Exercise: 03
Task: 02
Steps: 06 and 07

Description of issue:
To add the role there is no longer a need to select Next (step 6) and Assign (step 7). Just "Add". Instead of selecting "Assign" in step 7, we might need to click "Refresh" until the role appears.

Lab

Lab 07 Exercise 03 Create a Scheduled Query

Relevant screenshots

image

SC200-LAB00: QUICK_UPDATE

Contact Details

No response

What happened?

Exercise : 01
Task: 3
Step: 06

Description of issue:
No options to select Auto provisioning from the Settings Defender plans.

Repro steps:

  1. Select Settings & monitoring from the settings under Defender plans.

Lab

Lab 03 Exercise 01 Enable Microsoft Defender for Cloud

Relevant screenshots

Step 6. Select Auto provisioning from the Settings area.
Observation: No options to select Auto provisioning
image

Step 7. Review the Auto provisioning - Extensions. Confirm that Log Analytics agent/Azure Monitor agent is Off.

M04-LAB01: KQL queries

Contact Details

[email protected]

What should we change?

Since class inception, the aka.ms/lademo site has a SecurityAlert table, but it always has been and still is empty.
So why do we continue to query it?

So that leaves
Task 2 steps 8, 9, 11
Task 6 steps 6, 7,
as producing no output. This can be verified by running

    union Security*
    | summarize count() by Type

and taking a look at the output. There is no row returned with a table name of SecurityAlert.

Please update the md file to include the phrase The following will not produce results like we had in an older version of the md file.

Or modify those steps to include working examples.

Lab

Lab 04 Exercise 01 Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Relevant screenshots

image

M04: Text file used for Skillable labs is out of sync

Contact Details

No response

What happened?

Exercise: 1
Task: 0
Step: 0

Description of issue: The text file located in https://github.com/MicrosoftLearning/SC-200T00A-Microsoft-Security-Operations-Analyst/tree/master/Allfiles need to be updated with the current lab exercises.

Repro steps:

  1. Go to https://github.com/MicrosoftLearning/SC-200T00A-Microsoft-Security-Operations-Analyst/tree/master/Allfiles
  2. Compare the SC200_module4_KQL_scripts.txt with current instructions

Lab

Lab 04 Exercise 01 Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Relevant screenshots

No response

Do you want to help us? πŸ‘

M02-LAB01: Very long times for device discovery reported and observed.

Contact Details

No response

What happened?

Module 02
Lab: 01
Exercise : 01
Task: 02
Step: 14

Description of issue:

We have been fielding reports from whole classes of very long times before 'device discovery' is successful, on the order of 2-3 hours, rather than the 'up to 5 minutes' listed in the 'Note' after step 14. Several in-house tests have also confirmed this behavior.

While it is likely there is not a lot anyone can do directly to speed this up (it seems to be a function of the Microsoft 365 Defender backend, and only they can speed things up there), it may be worth re-evaluating the benchmark times given in the existing 'Note' immediately after step 14 as a warning to students.

In particular, in a test run today - it took roughly 10 minutes before the Tenant was successful in its initial 'please wait while we setup' portion, and took 30 minutes before the 'Device discovery' option even appeared in Settings.

It took just a touch more than 30 minutes for the win1 device to appear in Endpoints/Device inventory.

Signing out, closing browser, refreshing, rebooting WIN1, moving on to the next task, etc., repeatedly had absolutely no perceived positive effect in mitigating this delay: As far as I could see, one just has to be patient and wait.

Repro steps:
Take the course with Tenant, as-written up to step referenced. Experienced delays.

Lab

Lab 02 Exercise 01 Deploy Microsoft Defender for Endpoint


M03-LAB01:Exercise 1 - Enable Microsoft Defender for Cloud

Contact Details

[email protected]

What happened?

Exercise : 01
Task: 04
Step: 23

Description of issue:
Getting an error while running the PowerShell script even though I cross-checked the script name available in downloads.

Lab

Lab 03 Exercise 01 Enable Microsoft Defender for Cloud

Relevant screenshots

No response

M04-LAB01: Some KQL queries need adjusting

Contact Details

No response

What happened?

Exercise: 01
Tasks: 2, 3 and 6
Steps: Multiple

Description of issue:

  • Some KQL queries need adjusting (format and number of results)

Lab

Lab 04 Exercise 01 Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Relevant screenshots

No response

M06-LAB01: Can't apply AAD Data Connector to Sentinel

Contact Details

No response

What happened?

Exercise : 01
Task: 02
Step: 3

Description of issue: When clicking "Apply Changes" to connect the AAD Connector, an error message pops up that says "Failed to apply changes. error".

I've tried redeeming the P2 trial like the note below "Sign-In Logs" suggests, but that doesn't change anything.

Lab

Lab 06 Exercise 01 Connect data to Microsoft Sentinel using data connectors

Relevant screenshots

Screenshot 2023-01-18 at 3 21 42 PM

Module 7 - Lab 1 - Exercise 6 - Create Detections: KQL not returning any data from 'Device*' tables

Module: 07

Lab: 01 (Exercise 6)

Task: 01

Step: 09

Description of issue

KQL queries directed at attack data that should have been sourced from the WIN1 VM (and ought to appear in 'device*' tables) not appearing.

Repro steps:

  • Follow all instructions up to Module 7 - Lab 1 - Exercise 6 - Create Detections/Task 1: Attack 1 Detection with Sysmon/Step 9 KQL query
  • Step 10 states: "...The results show for three different tables: DeviceProcessEvents DeviceRegistryEvents Event, The Device* tables are from Defender for Endpoint (Data Connector - Microsoft 365 Defender). Event is from our Data Connector Security Events..."

While I have never had any problems seeing the results from the 'Event' tables (from the attack run on Win2 VM) in two successive complete run-throughs of the course from beginning to this point I have not been able to see any 'Device' tables populated from the attack(s) run on the onboarded WIN1 VM. All I can see in the query is:

image

  • This is also an issue slightly later in 'Task 2: Attack 1 Detection with Defender for Endpoint'/Step 3 -5. That is, I see the same 'Event' table results from WIN2 in step 3, and a slightly different error to the query in step 5:

image

This error would seem to imply that there are, in fact, no 'Device*' tables present for the query to search through, however I can find no explanation for why the tables are not present - If I check in the Microsoft 365 Defender site, I can see WIN1 present, and onboarded successfully from the 'Device Inventory' tab.

The attacks were run per the instructions against both WIN1 & WIN2 VMs (and repeatedly re-run at various times after, to ensure they weren't missed).

The original onboarding process for WIN1 appeared to proceed successfully, with no errors that I could identify. In an earlier instance I tried offboarding WIN1, pausing for a period of time to allow it to successfully offboard/disappear, and then onboarding it again, with no effect on the issue.

In both my previous and current instances I have given Azure very long periods of time to populate the data (in case data/logs are just taking some time to flow from WIN1 after the attack, to Defender, to Azure Sentinel/Log Analytics). Typically I've given several hours waiting, with the VMs running, as well as with pausing the lab VMs overnight, and then returning to re-run the attacks on WIN1 & re-querying for results, to no avail.

The Data Connector config & connecting sections similarly proceeded with no errors. If I look specifically at (what I believe is) the key connector - Defender for Endpoint (Data Connector - Microsoft 365 Defender) I can see in almost all places it says 'No data to display':

image
image

The screenshot above seems to show a single entry that has what appears to be a single bit of data from Aug 30, but whatever this reflects does not seem to contain any of the data the instructions KQL queries are looking for.

Has anyone experienced this and have an idea what might be amiss?

Or, alternatively, had no problems at all getting the various 'Device*' KQL queries to function and have an idea what I might be doing wrong? (Or whether it may simply trace back to a longer-than-usual time lag between the original attack data being created by WIN1 attack activities and when that data actually appears in a queryable format within Sentinel/Log Analytics?)

lab demonstration videos for SC-200 and other SC-XXX

Hi Team,

Is there any plan for SC-200 and other SC-XXX lab demonstration videos?
In the slides, most of the coverage is related to M365 videos, but no video related to Azure is included.
As trainers, we are also frustrated.

Thank you.

Lab 6: Alternative Method to Install Linux Connectors

Module: 06

Lab/Demo: 3

Task: 2 and 3

Step: 00

Proposal for alternative to the email and copy/paste (which did not work for me) method to get Connector URL data between Windows and Linux

  1. Copy the Connector Page URL (and only the URL) into a URL shortener (Bit.ly for example)
  2. Switch to the Linux host and login as per the normal steps
  3. curl https://bit.ly/randomstring > connector.sh
  4. vim connector.sh and delete anything beyond the URL. Ensure to prefix the URL with wget/wget -O as required
  5. chmod +x connector.sh
  6. ./connector.sh

Module 5 - Lab 1 - Exercise 1 - Configure your Microsoft Sentinel environment

Contact Details

[email protected]

What happened?

Exercise : 01
Task: 02
Step: 15

Description of issue:

While running the command of step 15 in task 2, I am facing an error: "No results found from the specified time range."

_GetWatchlist('HighValueHosts')

Repro steps:
15. Select the HighValueHosts watchlist and on the right pane, select View in logs.

Important: It could take up to ten minutes for the watchlist to appear. Please continue with the following task and run this command in the next lab.

Note: You can now use the _GetWatchlist('HighValueHosts') in your own KQL statements to access the list. The column to reference would be Hostname.

image

Please revert back ASAP.
@GraemeMalcolm @bneeb @billwood44 @mattmin5 @

Thank you!

Lab

Other

Relevant screenshots

image

M03-LAB01: Defender for Cloud enablement updated steps

Contact Details

No response

What happened?

Exercise : 01
Task: 03
Step: 05

Description of issue: There is a different page showing the enablement of Defender for Cloud

Lab

Lab 03 Exercise 01 Enable Microsoft Defender for Cloud

Relevant screenshots

No response

M06-EX02: B2ms size not available in some regions

Contact Details

No response

What happened?

Exercise : 02
Task: 01
Step: 12

Description of issue: B2ms size not available in some regions.

Lab

Lab 06 Exercise 02 Connect Windows devices to Microsoft Sentinel using data connectors

Relevant screenshots

paste here 😉

Do you want to help us? 👍

M00-LAB00: QUICK_DESCRIPTION

Contact Details

[email protected]

What happened?

Module 8 - lab 1 : 00
Task: 2
Step: 5

"lookback" is not defined.
As in Task 1, step 16, line 1, it should have a definition such as "let lookback = 2d"

Lab

Lab 08 Exercise 01 Perform Threat Hunting in Microsoft Sentinel

Relevant screenshots

paste here 😉

Do you want to help us? 👍

M02-LAB01: Different text link for simulation info

Contact Details

[email protected]

What happened?

Exercise : 02
Task: 01
Step: 04

Description of issue:
The instruction reads "click the Read the walkthrough." but nowadays the M365D portal reads "Learn more".

Lab

Lab 02 Exercise 02 Mitigate Attacks with Microsoft Defender for Endpoint

Relevant screenshots

Screenshot 2022-06-08 185037

Do you want to help us? 👍

Module 4 - Lab 1 - Exercise 1 - short/vanity URL no longer seems to work quite right.

Module: 04

Lab/Demo: 01

(exercise 1)

Task: 01

Step: 02

Description of issue

Accessing the short/vanity URL of https://aka.ms/lademo (which used to work just fine) now seems to cause an odd failure in that although one seems to go to the site used for sample queries, they will not work.

Repro steps:

image

M06-LAB01-EX04: Unable to add Threat intelligence - TAXII connector.

Contact Details

[email protected]

What happened?

Exercise : 04
Task: 01
Step: 14

Description of issue: Unable to add the Threat intelligence - TAXII connector even after entering all the details specified in the lab guide.
Can you please have a look at this and resolve the issue quickly?

Lab

Lab 06 Exercise 04 Connect Threat intelligence to Microsoft Sentinel using data connectors

Relevant screenshots

image

Do you want to help us? 👍

M06-lab01-ex04 Incorrect URLs

Contact Details

[email protected]

What happened?

Exercise : 04
Task: 01
Step: 10 & supplementary note

Description of issue:
The TAXII connector fails to connect with an "already exists" or "inputs not valid" error.

When trying both URLs in a browser,

https://limo.anomali.com/api/v1/taxii2/feeds/
https://limo.anomali.com/api/v1/taxii2/feeds/collections/

both return a 404 error page.

Lab

Lab 06 Exercise 04 Connect Threat intelligence to Microsoft Sentinel using data connectors

Relevant screenshots

paste here 😉

Do you want to help us? 👍

M02-LAB01: Exercise 2 - Mitigate Attacks with Microsoft Defender for Endpoint

Contact Details

[email protected]

What happened?

Exercise : 02
Task: 01
Step: 04

Description of issue:
Could not open the file as it is asking for a password. How do we view the contents of the file we downloaded in step 4?

Lab

Lab 02 Exercise 02 Mitigate Attacks with Microsoft Defender for Endpoint

Relevant screenshots

image

Do you want to help us? 👍

Module 6 - Lab 1 - Exercise 2: change device login to user login

Contact Details

[email protected]

What happened?

Exercise: 2
Task: 3
Steps: 23-26

The Arc onboarding script now uses a user login instead of a device login, so the steps are outdated.

Steps 23 to 26 can be replaced with:
The setup process will open a new Edge browser tab to authenticate the Azure Arc agent. Select your admin account, wait for the message "Authentication complete" and then go back to the Windows PowerShell window.

(This text taken from Module 3 - Lab 1 - Exercise 1 - task 4 - step 21, which has already been updated.)

Lab

Lab 06 Exercise 02 Connect Windows devices to Microsoft Sentinel using data connectors

Relevant screenshots

paste here 😉

Do you want to help us? 👍

Module 7: Updated product name rules

Contact Details

No response

What happened?

Exercise: 01
Task: 01
Step: 08

Description of issue:
The rule is no longer named "Create incidents based on Azure Defender alerts" but "Create incidents based on Microsoft Defender for Cloud".

Lab

Lab 07 Exercise 01 Activate a Microsoft Security rule

Relevant screenshots

image

Do you want to help us? 👍

M06-LAB01: Device takes longer than expected to show under Device Inventory bug

Contact Details

No response

What happened?

Exercise : 02
Task: 05
Step: 10

Description of issue: The time for a device to show under Device Inventory is longer than the expected 1 hour. In my case, it takes around 3 hours to show.

Lab

Lab 06 Exercise 01 Connect data to Microsoft Sentinel using data connectors

Relevant screenshots

2022-03-16 10_37_31-All Labs_ Microsoft Security Operations Analyst - Trainocate - Microsoft​ Edge

Do you want to help us? 👍
