0.5 Lab Setup: Azure Subscription and Sentinel Workspace

Figure — Lab Setup: Azure Subscription and Sentinel Workspace. Applied to security operations at Northgate Engineering.

Lab Setup: Azure Subscription and Sentinel Workspace

Microsoft Sentinel runs on Azure. You need an Azure subscription linked to your M365 tenant, a Log Analytics workspace, and Sentinel enabled on that workspace. This subsection walks through all three.

Getting an Azure subscription

If you used the M365 Developer Program (Option 1): The developer program does not include Azure. You need a separate Azure subscription. Use the Azure Free Account (below).

If you used M365 E5 Trial or Paid License (Options 2-3): Same — Azure is separate from M365.

Azure Free Account: Navigate to azure.microsoft.com/en-us/free. Sign in with the SAME Microsoft account you used for your M365 tenant. The Azure free account includes $200 credit for 30 days and 12 months of select free services. Sentinel itself is not free — it charges per GB of data ingested — but the free credit covers lab usage easily.

Azure for Students: If you have a .edu email address, azure.microsoft.com/en-us/free/students provides $100 credit without a credit card. Sufficient for lab exercises.

Creating a Log Analytics workspace

Sentinel needs a Log Analytics workspace to store its data. Think of the workspace as the database where all your security logs live.

Step 1: Navigate to portal.azure.com. Sign in with your tenant admin account.

Step 2: In the search bar at the top, type "Log Analytics workspaces" and select it.

Step 3: Click "+ Create."

Step 4: Fill in the details:

• Subscription: Select your Azure subscription
• Resource group: Click "Create new" → name it rg-sentinel-lab → OK
• Name: law-sentinel-lab (or any name — this is your workspace identifier)
• Region: Select the region closest to you. For UK users, "UK South." For US users, "East US." This affects data residency and query latency.

Step 5: Click "Review + Create" → "Create." The workspace deploys in about 60 seconds.

Enabling Microsoft Sentinel

Step 1: In the Azure portal search bar, type "Microsoft Sentinel" and select it.

Step 2: Click "+ Create."

Step 3: Select the Log Analytics workspace you just created (law-sentinel-lab).

Step 4: Click "Add." Sentinel is now enabled on your workspace.

The Sentinel overview page appears. It will be mostly empty — no incidents, no data connectors, no analytics rules. That is expected. You will populate it starting in Module 7.

Connecting your M365 data to Sentinel

For the course exercises to work, Sentinel needs data from your M365 tenant. We will connect the Microsoft Defender XDR connector now and add other connectors in Module 8.

Step 1: In Sentinel, navigate to Configuration → Data connectors.

Step 2: Search for "Microsoft Defender XDR" and select it.

Step 3: Click "Open connector page."

Step 4: Under "Connect incidents and alerts," check the box and click "Connect." This sends Defender XDR incidents and alerts to your Sentinel workspace.

Step 5: Under "Connect events," select the tables you want to ingest. For the course, enable:

• DeviceProcessEvents
• DeviceNetworkEvents
• DeviceFileEvents
• DeviceLogonEvents
• DeviceInfo
• DeviceEvents
• EmailEvents
• EmailAttachmentInfo
• EmailUrlInfo
• EmailPostDeliveryEvents
• IdentityLogonEvents
• IdentityQueryEvents
• CloudAppEvents

Click "Apply Changes."

Step 6: Also connect the Entra ID connector. Navigate to Data connectors → search "Microsoft Entra ID" → Open connector page → Under "Diagnostic settings," click "Launch Azure Policy" or configure manually to send Sign-in logs and Audit logs to your workspace.

Verification

After connecting, data takes 5-30 minutes to start flowing. Verify by navigating to Sentinel → Logs and running:

search *
| where TimeGenerated > ago(1h)
| summarize count() by Type
| sort by count_ desc

You should see at least a few table names with event counts. If the query returns no results after 30 minutes, recheck your data connector configuration — the most common issue is the Defender XDR connector not having the event tables selected.

Lab cost summary

Verification checklist

Before moving to subsection 0.6, confirm:

• [ ] You can access portal.azure.com with your tenant admin account
• [ ] A Log Analytics workspace exists (law-sentinel-lab or your name)
• [ ] Microsoft Sentinel is enabled on the workspace
• [ ] The Microsoft Defender XDR data connector is connected with event tables selected
• [ ] The Entra ID connector is configured for sign-in and audit logs
• [ ] The search query above returns results (after 30 minutes of connection time)

Detection depth: NE-specific implementation

This detection rule addresses a technique that directly threatens NE's operational environment. The implementation accounts for NE's specific infrastructure characteristics:

Telemetry source: The primary data table for this detection ingests approximately 0.5-3.2 GB/day depending on the activity volume. At NE's scale (810 users, 865 devices, 42 servers), the event volume generates a stable baseline that statistical detection methods (percentile analysis from DE9.4) can reliably characterize. Deviations from this baseline represent either environmental changes (new applications, infrastructure modifications) or attacker activity.

Threshold calibration: The threshold was selected using the percentile method: P99 of 30-day historical data establishes the upper bound of normal activity. The production threshold is set at 1.5x P99 to provide margin above normal fluctuation while maintaining detection sensitivity for attack patterns that typically generate 5-50x normal volume.

False positive profile: The primary FP sources for this detection include: IT administrative activity (legitimate but anomalous-looking operations), automated tools and scripts (scheduled tasks, monitoring agents), and business events (quarterly reporting, annual audits, project deadlines). Each FP source is addressed through the watchlist architecture (DE9.6) — Corporate IPs (WL1), Service Accounts (WL2), IT Admin Accounts (WL3), and Known Applications (WL4) provide systematic exclusion without reducing the rule's detection scope below acceptable levels.

Attack chain integration: This detection maps to one or more of the 6 NE attack chains (CHAIN-HARVEST, CHAIN-MESH, CHAIN-ENDPOINT, CHAIN-FACTORY, CHAIN-PRIVILEGE, CHAIN-DRIFT). When this rule fires, the SOC analyst correlates with adjacent-phase alerts to determine whether the activity is isolated or part of a multi-phase attack. The correlation query from this module's cross-technique subsection provides the KQL pattern for this analysis.

Response procedure: On alert, the analyst: (1) checks the entity against the watchlists — is this a known benign source? (2) checks for correlated alerts from adjacent kill chain phases within 60 minutes, (3) classifies as TP/FP/BTP using the DE9.5 decision tree, and (4) escalates to Rachel if the alert correlates with other phases (potential active attack chain).

Cost management from day one

The Azure free tier provides 5 GB/day of Log Analytics ingestion and 31 days of Sentinel free trial. After the trial, Sentinel charges per GB ingested. For a lab environment with sample data, ingestion typically stays under 1 GB/day — well within the free tier. However, enabling all available data connectors simultaneously can push ingestion above 5 GB/day, triggering charges. The safe approach: enable connectors one at a time, check the Usage blade in the Log Analytics workspace after 24 hours to verify ingestion volume, then enable the next connector. Priority order for security training: (1) Entra ID connector (SigninLogs, AuditLogs — essential for every investigation), (2) Microsoft 365 connector (OfficeActivity — email and SharePoint investigation), (3) Defender XDR connector (Device* tables — endpoint investigation). These three connectors provide the tables used in 90% of course exercises while keeping ingestion under 2 GB/day.

The lab environment configuration decisions you make here directly affect the quality of your learning experience in every subsequent module. Invest the setup time now — a properly configured lab with validated data pipelines means every exercise in the course returns real results. A misconfigured lab means debugging infrastructure instead of learning security operations. Verify each connector before moving to the next module.

Workspace architecture decisions

When creating the Log Analytics workspace, two decisions affect your entire learning experience. First, the workspace region — choose the region closest to your location for lowest query latency. Second, the pricing tier — the free tier (5 GB/day) is sufficient for lab use. Do not select the capacity reservation tiers (100-5000 GB/day) for a training environment. The commitment tier provides per-GB discounts at scale but bills a minimum daily amount regardless of actual ingestion.

After creating the workspace and onboarding Sentinel, enable the free data connectors immediately: Microsoft Entra ID (provides SigninLogs and AuditLogs), Microsoft 365 (provides OfficeActivity), and Microsoft Defender XDR (provides the Device* tables and IdentityLogonEvents). Each connector takes 5-15 minutes to begin ingesting data. Verify ingestion by querying each table after 30 minutes. The workspace is ready for Module 1 when all three connectors show data in the Logs blade.