This section establishes the Azure environment used across the Azure Security Lab. It provides the foundational infrastructure for logging, monitoring, and security detection using Microsoft Sentinel and Defender for Cloud.
The environment supports:
- centralised logging
- cloud security monitoring
- endpoint telemetry collection
- threat detection
- incident response workflows
- future attack simulation scenarios
This setup serves as the base platform for the Sentinel SOC, Defender for Cloud monitoring, identity security testing, and incident response labs contained in this repository.
This lab focuses on:
- Configuring foundational Azure security resources
- Deploying and configuring a Log Analytics workspace
- Enabling Microsoft Sentinel for SIEM monitoring
- Connecting Azure Virtual Machine telemetry
- Integrating security data connectors
- Configuring Windows logging and auditing
- Validating telemetry ingestion using KQL
- Preparing the environment for future detection engineering and threat hunting labs
- Configure the core Azure resources (resource group, workspace, Windows VM) required for the security lab environment.
- Deploy a Log Analytics workspace for centralised log ingestion and retention.
- Enable Microsoft Sentinel on that workspace for SIEM-based monitoring and detection.
- Configure data connectors to ingest security telemetry from Azure and Windows sources.
- Enable Windows audit policies on the VM so that security events are actually written to the Security log (a connector collects nothing from a subcategory that is not audited).
- Validate that the Azure VM is sending security logs to Log Analytics.
- Run KQL queries to confirm log ingestion and visibility.
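The steps above, end to end, as an added example written for this section (it is not a script from this repository). It uses the Az PowerShell modules (Az.Accounts, Az.Resources, Az.OperationalInsights, Az.SecurityInsights, Az.Compute and the Az.Monitor 6.x cmdlet signatures) and assumes `Connect-AzAccount` has already been run and that a Windows VM with the placeholder name `vm-win-seclab` already exists. All resource names, the region and the event ID filter are placeholders chosen for the example.

```powershell
# Added example: baseline build-out of the Azure Security Lab with Az PowerShell.
# Assumptions: Az modules installed, Connect-AzAccount done, Windows VM $vmName
# already deployed in $rg. Names, region and event IDs below are placeholders.

$rg       = "rg-seclab"
$location = "uksouth"
$wsName   = "law-seclab"
$vmName   = "vm-win-seclab"
$dcrName  = "dcr-seclab-winsec"

# 1. Core resources: resource group and Log Analytics workspace (PerGB2018, 30-day retention)
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
        -Location $location -Sku "PerGB2018" -RetentionInDays 30

# 2. Enable Microsoft Sentinel on the workspace (must precede the Microsoft-SecurityEvent stream below)
New-AzSentinelOnboardingState -ResourceGroupName $rg -WorkspaceName $wsName -Name "default" | Out-Null

# 3. Data connector: Windows Security Events via Azure Monitor Agent (AMA) and a
#    Data Collection Rule. The XPath keeps the events the validation query looks for
#    (4624/4625 logons, 4672 special logon, 4688 process creation, 4720 account created).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name "AzureMonitorWindowsAgent" -Publisher "Microsoft.Azure.Monitor" `
    -ExtensionType "AzureMonitorWindowsAgent" -TypeHandlerVersion "1.0" `
    -EnableAutomaticUpgrade $true | Out-Null

$source = New-AzWindowsEventLogDataSourceObject -Name "winSecurity" `
            -Stream "Microsoft-SecurityEvent" `
            -XPathQuery @("Security!*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688 or EventID=4720)]]")
$dest = New-AzLogAnalyticsDestinationObject -Name "lawDest" -WorkspaceResourceId $ws.ResourceId
$flow = New-AzDataFlowObject -Stream "Microsoft-SecurityEvent" -Destination "lawDest"
$dcr  = New-AzDataCollectionRule -Name $dcrName -ResourceGroupName $rg -Location $location `
            -DataSourceWindowsEventLog $source -DestinationLogAnalytic $dest -DataFlow $flow
New-AzDataCollectionRuleAssociation -TargetResourceId $vm.Id -AssociationName "winsec-dcra" `
    -DataCollectionRuleId $dcr.Id | Out-Null

# 4. Windows audit policy on the VM. Without this the Security log never contains
#    4688 etc., so the DCR above would ingest nothing. Applied through Run Command.
$auditScript = @'
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# Record the command line in 4688 so process-creation detections have something to match on
$auditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord
auditpol /get /category:*
'@
$tmp = New-TemporaryFile
Set-Content -Path $tmp -Value $auditScript
Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
    -CommandId "RunPowerShellScript" -ScriptPath $tmp |
    Select-Object -ExpandProperty Value | ForEach-Object { $_.Message }

# 5. Validate ingestion with KQL. Allow several minutes after the DCR association;
#    an empty result right away is expected, a persistently empty one means the
#    agent, the DCR association or the audit policy is missing.
$kql = @"
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer has "$vmName"
| summarize Events = count(), LastSeen = max(TimeGenerated) by EventID
| order by EventID asc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results | Format-Table
```

Two details worth checking when adapting this: `Invoke-AzOperationalInsightsQuery` takes the workspace ID (`CustomerId`, a GUID), not the ARM resource ID used for the DCR destination, and the XPath filter is deliberately narrow to keep ingestion cost predictable; widen it to `Security!*` once the pipeline is confirmed working if the later detection labs need the full channel.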
This environment provides a centralised Azure security monitoring platform capable of supporting:
- detection engineering
- threat hunting
- cloud monitoring
- identity security analysis
- incident response simulations
- SOC investigation workflows