0.5 Lab Environment, Resources, and Support
Your Lab Environment
You need a place to run KQL queries. Three options, from easiest to most complete:
Option 1: Log Analytics Demo Environment (free, instant, no setup)
Navigate to aka.ms/LADemo. This is a Microsoft-hosted demo workspace with sample data across all major security tables. You can run any KQL query from this course immediately. No account required.
Limitations: You cannot configure Sentinel rules, take response actions, or see Defender portal features. Data is sample data, not your real environment.
Best for: Module 2 (KQL practice) and Module 4 (sign-in log queries).
Option 2: M365 Developer Tenant (free, 30-minute setup)
Register at developer.microsoft.com. You get a free E5 tenant with 25 user licenses for 90 days (renewable). This gives you access to every Defender product, Entra ID P2, and the full Defender XDR portal.
Setup instructions are in Module 1.11. Load the sample data packs for realistic users and activity.
Best for: Modules 1, 3, 5-12 (portal navigation and configuration).
Option 3: Azure Free Subscription + Sentinel (free, 1-hour setup)
Connect an Azure free subscription to your developer tenant. Deploy a Sentinel workspace with the M365 Defender data connector. This gives you the complete SIEM environment with real data flowing from your developer tenant.
Best for: Modules 5-6, 10, 23-28 (Sentinel-specific modules).
You do not need the full lab for Modules 1-4. The demo environment handles everything in the free tier. Set up the developer tenant when you reach Module 5 (Sentinel workspace design) or when you want to explore the Defender portal alongside Module 3.
Downloadable Resources
Each module includes downloadable assets where applicable. These will be available as the course develops:
- KQL Query Packs — every query from the module in a single .kql file, ready to paste into Advanced Hunting
- Investigation Checklists — step-by-step procedures in PDF format for printing or saving to your SOC wiki
- Reference Cards — single-page summaries of key tables, operators, and error codes
Downloads are linked within each module at the point where they are relevant. No separate downloads page — the asset is next to the content that teaches it.
Reporting Issues
Found an error in a KQL query? A broken link? A concept that is unclear?
For content errors or suggestions: Email training@ridgelinecyber.com with the module number and subsection. Include “Content Issue” in the subject line. We fix verified errors within 48 hours.
For technical issues (site not loading, progress not saving, display problems): Email training@ridgelinecyber.com with your browser, device, and a screenshot if possible. Include “Technical Issue” in the subject line.
For KQL query issues: If a query from the course produces an error in your environment, check three things before reporting: (1) Is your table name spelled correctly and does the table exist in your workspace? (2) Is your time window wide enough to contain data? (3) Are you running the query in the correct environment (Advanced Hunting vs Log Analytics)? If the query still fails, email us with the full error message.
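Checks (1) and (2) can be answered with one diagnostic query. This is an added example, not one of the course's queries. The 30-day window is an assumption, and the query is written for Log Analytics, where the time column is TimeGenerated (Advanced Hunting tables use Timestamp instead).

```kql
// Added example: list every table that holds data in the last 30 days,
// with its row count and the earliest and latest record seen.
// Assumption: Log Analytics workspace (time column TimeGenerated).
union withsource=TableName *
| where TimeGenerated > ago(30d)
| summarize Rows = count(),
            Earliest = min(TimeGenerated),
            Latest = max(TimeGenerated)
        by TableName
| order by TableName asc
```

A table missing from the output either does not exist in the workspace or has no rows in the window. If the table is listed, compare Earliest and Latest with the time filter in the failing query.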
Getting Expert Support
Ready to start
- The course has no video — engagement comes from interactive exercises, KQL queries, and decision trees
- Run every query. Attempt every exercise before revealing the answer.
- Start with the Log Analytics demo environment — no setup required
- Take active notes: one sentence per subsection, three sentences per module
- Use the progress tracker to maintain momentum across sessions
- Report errors to training@ridgelinecyber.com — we fix them within 48 hours
You are ready. Proceed to Module 1: The M365 Security Ecosystem.