0.6 Lab Setup: Sample Data and Validation

45 minutes · Module 0 · Free

A lab environment with 6 test users and no activity generates minimal security data. To practice the investigation techniques in this course, you need realistic data. This subsection shows you how to generate it.

Generating sign-in data

The simplest way to populate your SigninLogs and AADNonInteractiveUserSignInLogs tables is to sign in as your test users.

Step 1: Open an InPrivate/Incognito browser window.

Step 2: Navigate to portal.office.com and sign in as j.morrison@yourdomain.onmicrosoft.com.

Step 3: Browse Outlook, open a few emails (or send test emails between users), open a SharePoint site, send a Teams message. Each action generates audit log events.

Step 4: Repeat for 2-3 other test users over the course of a few days. This builds a baseline of normal activity that you can compare against during investigation exercises.

Generate "suspicious" activity for investigation practice

To simulate the anomalous sign-ins you will investigate in later modules, sign in as a test user from a different browser, a VPN connection (if you have one), or your mobile phone. This creates a sign-in from a different IP address and potentially different location — the pattern you will learn to detect in Module 1 and investigate in Module 11. Do NOT do this on a production tenant.
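As an added illustration (not part of the course material), the following KQL surfaces the pattern the lab activity above is meant to create: a test user whose successful sign-ins in the last 7 days came from more than one IP address. It uses only the SigninLogs columns that the validation queries in this section project (UserPrincipalName, IPAddress, Location, ResultType); the 7-day window and the "more than one IP" threshold are choices made for this lab, not course settings.

```kql
// Added example (not from the course): list users with sign-ins from
// several source IPs in the last 7 days, which is what the "suspicious"
// lab activity (VPN, mobile, second browser) should produce.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"                 // ResultType is a string code; "0" is a successful sign-in
| summarize
    SignInCount = count(),
    DistinctIPs = dcount(IPAddress),
    IPs         = make_set(IPAddress, 10),  // cap the set so the column stays readable
    Locations   = make_set(Location, 10),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by UserPrincipalName
| where DistinctIPs > 1                   // the lab's "suspicious" signal: more than one source IP
| sort by DistinctIPs desc
```

In a lab this will usually return exactly the users you signed in with from a VPN or phone; the point of the query is to see what the baseline looks like for a user with one IP versus one with several, so that in Module 1 you can recognise which of those sign-ins actually deserve investigation.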

Installing the Microsoft 365 sample data packs

If you used the Instant Sandbox (Option 1), sample data is pre-installed. For Options 2 and 3, you can install sample data packs from the Developer Program dashboard, but this requires Developer Program membership.

Alternatively, generate your own:

Email data: Send 20-30 test emails between your users over several days. Include emails with links (to generate EmailUrlInfo data), emails with attachments (to generate EmailAttachmentInfo data), and external emails from your personal account (to generate external sender patterns).

Process data: If you onboard a device to Defender for Endpoint (covered in Module 4), every application you open, every PowerShell command you run, and every network connection generates DeviceProcessEvents and DeviceNetworkEvents. For lab purposes, a single Windows VM or your own workstation onboarded to the developer tenant provides rich data.

Content Hub solutions

Sentinel Content Hub provides pre-built detection rules, workbooks, and playbooks that populate your workspace with useful configurations.

Step 1: In Sentinel, navigate to Content management → Content Hub.

Step 2: Install these solutions (click each → Install):

  • Microsoft 365 — provides analytics rules for M365 threats
  • Microsoft Entra ID — provides sign-in analytics and workbooks
  • Microsoft Defender XDR — provides incident correlation rules
  • UEBA Essentials — provides behavioral analytics

These do not generate data, but they give you pre-built analytics rules and workbooks that you will explore and modify in Modules 7 and 9.

Final validation

Run these queries to confirm your lab environment is ready:

Check available tables:

search *
| where TimeGenerated > ago(7d)
| summarize EventCount = count(), LastEvent = max(TimeGenerated) by Type
| where EventCount > 0
| sort by EventCount desc

You should see at minimum: SigninLogs (or AADSignInEventsBeta), AuditLogs, and some Defender tables if the connector has been active for a few days.
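The search * query above lists only the tables that already contain data, so a table that was never populated is simply absent from the output. As an added check (not from the course), the query below starts from the list of tables this section expects and reports a 7-day count for each one, showing 0 for a table that does not exist yet rather than failing. The expected-table list is an assumption built from the tables named on this page.

```kql
// Added validation query (not part of the course material). The list of
// expected tables is assumed from the tables this page mentions.
let Expected = datatable(Type: string) [
    "SigninLogs", "AADNonInteractiveUserSignInLogs", "AuditLogs",
    "EmailEvents", "EmailUrlInfo", "EmailAttachmentInfo",
    "DeviceProcessEvents", "DeviceNetworkEvents"
];
// isfuzzy=true lets the union run even if some of these tables do not
// exist in the workspace yet (you get a warning instead of an error).
let Observed = union isfuzzy=true
    SigninLogs, AADNonInteractiveUserSignInLogs, AuditLogs,
    EmailEvents, EmailUrlInfo, EmailAttachmentInfo,
    DeviceProcessEvents, DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| summarize EventCount = count(), LastEvent = max(TimeGenerated) by Type;
Expected
| join kind=leftouter Observed on Type     // keep every expected table, matched or not
| project Type, EventCount = coalesce(EventCount, long(0)), LastEvent
| sort by EventCount desc
```

A row with EventCount 0 and an empty LastEvent tells you which connector or activity generator still needs attention before you move on; the Defender tables in particular can take a few days to appear after the connector is enabled.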

Check sign-in data:

SigninLogs
| where TimeGenerated > ago(7d)
| take 5
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType

If this returns results, your Entra ID connector is working and you have sign-in data to investigate.

Check email data (if you generated test emails):

EmailEvents
| where TimeGenerated > ago(7d)
| take 5
| project TimeGenerated, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
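The take 5 query above confirms that EmailEvents has rows, but the section asked for three kinds of test mail: messages with links (EmailUrlInfo), with attachments (EmailAttachmentInfo), and from an external sender. As an added check (not part of the course), the query below joins the two detail tables back to EmailEvents on NetworkMessageId, the message identifier these tables share, and counts how many test messages of each kind landed. The tenant domain is a placeholder you must replace with your own.

```kql
// Added check (not from the course): did the test emails produce link,
// attachment and external-sender data? TenantDomain is a placeholder.
let Window = 7d;
let TenantDomain = "yourdomain.onmicrosoft.com";   // placeholder: your tenant's domain
let Urls = EmailUrlInfo
    | where TimeGenerated > ago(Window)
    | summarize UrlCount = count() by NetworkMessageId;
let Attachments = EmailAttachmentInfo
    | where TimeGenerated > ago(Window)
    | summarize AttachmentCount = count() by NetworkMessageId;
EmailEvents
| where TimeGenerated > ago(Window)
| join kind=leftouter Urls on NetworkMessageId          // messages without links get a null count
| join kind=leftouter Attachments on NetworkMessageId   // likewise for attachments
| extend UrlCount        = coalesce(UrlCount, long(0)),
         AttachmentCount = coalesce(AttachmentCount, long(0)),
         IsExternal      = SenderFromDomain !~ TenantDomain   // case-insensitive compare
| summarize
    Messages        = count(),
    WithLinks       = countif(UrlCount > 0),
    WithAttachments = countif(AttachmentCount > 0),
    FromExternal    = countif(IsExternal),
    Delivered       = countif(DeliveryAction == "Delivered")
```

Each of WithLinks, WithAttachments and FromExternal should be above zero if you sent all three kinds of test mail; a zero in one column tells you which kind to generate more of before the Module 7 and 9 exercises that depend on it.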

Your lab data will be sparse — and that is fine

A 6-user lab will never look like a 500-user production environment. Some course exercises show Expected Output blocks with hundreds of results — your lab may return 5 or 10. The learning is in the query construction and the analysis methodology, not in the volume of data. The course tells you what to look for in each Expected Output block regardless of your result count.

Environment summary

At this point, your lab environment includes:

Component                       Status
M365 E5 tenant                  Active with 6+ test users
Microsoft Defender XDR portal   Accessible at security.microsoft.com
Microsoft Entra admin center    Accessible at entra.microsoft.com
Azure subscription              Active with free credit
Log Analytics workspace         Created and configured
Microsoft Sentinel              Enabled on workspace
Defender XDR data connector     Connected with event tables
Entra ID data connector         Connected for sign-in and audit logs
Content Hub solutions           Installed (M365, Entra, Defender XDR, UEBA)
Test users                      6+ users with E5 licenses and some activity

You are ready for Module 1. Every hands-on exercise in the course builds on this environment.