Investigating and Handling Incidents in Microsoft Sentinel
Learn to handle incidents in Microsoft Sentinel by investigating suspicious activity, analyzing IP insights, and automating responses with custom rules.

Lab overview
Effective incident handling is a crucial skill for SOC analysts in mitigating potential security threats. In this lab, you'll explore Microsoft Sentinel's incident management capabilities by investigating and responding to a real-world scenario, "Sign-ins from IPs that attempt sign-ins to disabled accounts." This step-by-step walkthrough will guide you through initial incident triage and leveraging workbooks to uncover deeper insights into suspicious activity. You'll also create automation rules to reduce investigation noise and close incidents with appropriate classifications.
Objectives
Upon completion of this lab, you will be able to:
- Investigate and triage security incidents in Microsoft Sentinel.
- Enrich incidents with geolocation and additional contextual information.
- Use workbooks to gain deeper insights into suspicious entities and activities.
- Create automation rules to streamline incident handling and reduce repetitive investigations.
- Close incidents with appropriate classifications to maintain accurate records.
Who is this Lab For?
This lab is designed for:
- SOC Analysts seeking hands-on experience in managing incidents in Microsoft Sentinel.
- Security Professionals interested in learning how to use Sentinel's playbooks, workbooks, and automation features effectively.
- IT Professionals and Students looking to understand real-world security workflows and enhance their incident management skills.
Verified against your live environment
An automated validation engine inspects your actual resources and configurations as you work. Completion means the task was performed — not multiple choice, real-world proficiency.
More labs like this
Creating Custom Analytics Rules and Investigating Incidents in Microsoft Sentinel
Learn how to create custom analytics rules in Microsoft Sentinel, map entities to enrich alerts, and investigate incidents generated from suspicious activities.
Deploying Your First Microsoft Sentinel Workspace on Azure
Learn to set up Microsoft Sentinel workspace, connect it to a Log Analytics workspace, and prepare for advanced security monitoring and threat detection.
Implement Network Security Groups (NSGs) and Application Security Groups (ASGs) in Azure
Secure Azure VMs using Network Security Groups and Application Security Groups. Create rules, control traffic flow, and implement least privilege access.
Related reading
Environment
Every lab includes
- Real environment, pre-credentialed
- Automated checks on every step
- Isolated sandbox, auto cleanup
- AI-recommended next steps
Lab curriculum
- 01
Logging into Azure Account using Azure Portal
- 02
Initial Incident Investigation
1 automated check
- 03
Investigation with a Workbook
1 automated check
Not the lab you were looking for?
Browse 150+ hands-on labs across AWS, Azure, Kubernetes, Docker, and cloud security.