DE0.12 Your Detection Engineering Lab

2-3 hours · Module 0 · Free

Operational Objective

The Lab Environment: Every detection rule in this course is designed to be tested before deployment. Testing requires a Sentinel workspace with representative data. This subsection provides three paths to a working detection engineering lab: the M365 Developer Tenant (free), your production environment (if authorized), or the Northgate Engineering baselines (if neither is available). You will configure the workspace, verify data source connectivity, and run the first detection engineering query to confirm your lab is operational.

Deliverable: A working Sentinel workspace with data sources connected and a verified query confirming operational readiness.

⏱ Estimated completion: 30-45 minutes (if setting up new tenant) or 10 minutes (if using existing environment)

Three lab paths

Path 1: M365 Developer Tenant (recommended for learning). Microsoft provides a free E5 developer tenant with 25 user licenses and an Azure subscription. This gives you Sentinel, all Defender XDR products, Entra ID P2, and Advanced Hunting — the complete detection surface. The developer tenant includes sample data packs that populate realistic user activity, sign-in logs, and email events. You deploy Sentinel, connect the data connectors, and build rules against the sample data.

Path 2: Your production environment (recommended for immediate value). If you have authorization to create analytics rules in your organization’s Sentinel workspace, use it. Every rule you build in this course can be deployed directly. The rules will need environment-specific tuning (your IP ranges, your user groups, your service accounts), but the detection logic transfers immediately. This path produces the most value but requires authorization from your security team.

Path 3: Northgate Engineering baselines (if no Sentinel access). If you do not have access to a Sentinel workspace, the course provides the NE baseline data — sample query outputs, expected alert patterns, and the metric baselines — so you can follow the methodology without running queries. You will not be able to test rules against live data, but you will learn the rule specification, the KQL patterns, and the detection engineering lifecycle. When you gain access to a workspace later, you can deploy the rules you designed during the course.

Figure DE0.12 — Three lab paths. Path 1 (developer tenant) is recommended for most learners. Path 2 (production) delivers immediate organizational value. Path 3 (baselines) allows the course to be completed without Sentinel access.

Path 1 setup: M365 Developer Tenant

Step 1: Create the developer tenant. Navigate to developer.microsoft.com/en-us/microsoft-365/dev-program. Sign in with a personal Microsoft account (not your work account). Join the developer program and create an E5 sandbox. This provisions a full M365 E5 tenant with 25 user licenses, valid for 90 days (renewable if active).

Step 2: Load sample data. In the developer portal, add the “Users, Mail, and Events” sample data pack. This populates 16 fictional users with realistic email, calendar, and OneDrive activity. These users generate SigninLogs, OfficeActivity, and AuditLogs — the identity and collaboration data your rules will query.

Step 3: Create an Azure subscription. From the Azure portal (portal.azure.com), sign in with your developer tenant admin account. Create a free Azure subscription linked to the tenant. This provides the Azure environment for Sentinel.

Step 4: Deploy Sentinel. In the Azure portal: create a resource group (e.g., “rg-sentinel-lab”), create a Log Analytics workspace in that resource group, then add Microsoft Sentinel to the workspace. The free tier includes 5 GB/day of ingestion — sufficient for a developer tenant.

Step 5: Connect data sources. In Sentinel → Data connectors, connect: Microsoft Entra ID (SigninLogs, AuditLogs), Microsoft 365 (OfficeActivity), Microsoft Defender XDR (all alert and event tables). Each connector takes 2-3 clicks. Data begins flowing within minutes.

Step 6: Enable Defender for Endpoint. In the Microsoft Defender portal (security.microsoft.com), onboard the developer tenant. Enable Defender for Endpoint on at least one test device (your lab VM or a test Windows machine). This populates the Device* tables.

Step 7: Verify data flow. Wait 30 minutes, then run the verification query below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
// Lab verification query — confirm data sources are active
union withsource=TableName
    SigninLogs,
    AuditLogs,
    OfficeActivity,
    SecurityAlert
| where TimeGenerated > ago(24h)
| summarize
    EventCount = count(),
    LatestEvent = max(TimeGenerated)
    by TableName
| sort by EventCount desc
// Expected: 4 tables with EventCount > 0
// If a table shows 0 events, check the data connector status

If the query returns events from all four tables, your lab is operational. The Device* tables may take longer to populate (up to 24 hours after Defender for Endpoint onboarding).

⚠ Compliance Myth: "I cannot build detection rules in production — testing might break something"

The myth: Creating analytics rules in a production Sentinel workspace risks disrupting SOC operations or generating false alerts that confuse the triage team.

The reality: Analytics rules are READ-ONLY queries against the Sentinel workspace. They do not modify data, do not change configurations, and do not affect other rules. A new analytics rule that is poorly written might generate false positive alerts, but it cannot corrupt data or disable existing detections. The risk is operational noise, not system damage. The mitigation: create new rules in a DISABLED state, test the query in Advanced Hunting to verify output, estimate the FP rate from historical data, then enable the rule when you are confident in its accuracy. DE9 teaches this exact workflow.

Path 2 setup: Production environment

If you have Sentinel Contributor RBAC role (or Microsoft Sentinel Contributor built-in role) on your organization’s workspace, you can build and deploy rules directly. Before creating your first rule:

Verify your permissions. Navigate to Sentinel → Settings → Workspace settings → Access control (IAM). Confirm your account has “Microsoft Sentinel Contributor” or equivalent. If you only have “Microsoft Sentinel Reader,” you can run queries in Advanced Hunting but cannot create analytics rules — request the Contributor role from your workspace owner.

Create a naming convention. All rules you create during this course should follow a prefix: DE- followed by the module number and a short description. Example: DE3-AiTM-Token-Anomaly. This distinguishes your rules from existing rules and makes them easy to identify, review, and clean up.

Use the dev/test approach. For the first 14 days, create every rule in a DISABLED state. Test the query in Advanced Hunting. Review the results. When confident, enable the rule. This prevents false positive alerts from reaching the SOC before you have tuned the rule.

Path 3: Using NE baselines

If you do not have Sentinel access, each module provides: the complete KQL query (which you can read and understand without running it), the expected output format (sample data showing what the query returns), the false positive patterns you would see in the NE environment, and the metric baselines. You can complete the rule specification documents, design the entity mappings, and plan the detection program — all without running a single query. When you later gain access to a Sentinel workspace, you deploy the rules you designed.

Try it yourself

Exercise: Verify your lab environment

Choose your lab path and complete the setup. For Path 1: run the verification query and confirm all four tables return events. For Path 2: confirm your RBAC role and create the naming convention document. For Path 3: download the NE baseline data package from the module downloads section.

If your verification query shows zero events in any table, check the data connector status: Sentinel → Data connectors → [connector name] → Last log received. If "Never," the connector is not configured correctly. Reconnect and wait 30 minutes.

Check your understanding

You are using Path 2 (production environment). You create a new analytics rule that queries SigninLogs for password spray patterns. Before enabling it, what three validation steps should you complete?

Answer: (1) Run the query in Advanced Hunting against the past 30 days of data. Review the results — are there true positive patterns? Are there obvious false positives (service accounts, test accounts, automated processes)? (2) Count the results per day to estimate the alert volume. If the rule would generate 50+ alerts per day, the threshold is too low or the filtering is insufficient. (3) Review 10-20 of the returned events manually — classify each as TP, FP, or benign TP. If the estimated TP rate is below 50%, refine the query before enabling. These three steps are the DE9 testing methodology applied at the point of creation.

Troubleshooting: Common lab setup issues

“The developer tenant expired.” Developer tenants are valid for 90 days and auto-renew if active (any API call or sign-in counts). If it expired, create a new one — the process takes 5 minutes. Your Sentinel workspace and rules will need to be recreated, but the KQL queries from the course are reusable.

“SigninLogs shows zero events.” The Entra ID data connector requires a specific configuration: in Sentinel → Data connectors → Microsoft Entra ID, select “Sign-in logs” AND “Non-interactive user sign-in logs” AND “Audit logs.” All three must be checked. After connecting, sign into the tenant from a browser to generate the first sign-in events. Wait 15-30 minutes for ingestion.

“I cannot create an Azure subscription linked to the developer tenant.” The Azure subscription must be created while signed in as the developer tenant’s global admin. If you are signed in with your personal account or your work account, the subscription will attach to the wrong tenant. Sign out of all accounts, sign in specifically with the developer tenant admin credentials, then create the subscription.

“My organization does not allow Sentinel access for training.” This is common. Use Path 1 (developer tenant) for the course, then adapt and deploy the rules to production using the naming convention and testing approach from Path 2 after the course is complete. The rules and methodology transfer — only the data is different.

📋 Operational Artifact — Lab Environment Checklist

Lab path chosen: [1: Developer Tenant / 2: Production / 3: NE Baselines]
Sentinel workspace: ___ (name) in ___ (resource group)
Data connectors active:
Microsoft Entra ID (SigninLogs + AuditLogs)
Microsoft 365 (OfficeActivity)
Microsoft Defender XDR (SecurityAlert + Device* tables)
Defender for Endpoint onboarded (≥1 device)
Verification query result: ___ tables returning events
Rule naming convention: DE[module]-[short-description]
RBAC role confirmed: [Y/N] — Role: ___
Lab status: [READY / SETUP INCOMPLETE — missing: ___]

References used in this subsection

Microsoft 365 Developer Program documentation (developer.microsoft.com)
Course cross-references: DE1 (rule architecture — where rules get deployed), DE9 (testing methodology — the validation steps before enabling)

You're reading the free modules of Detection Engineering

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus

← DE0.11 What This Course Builds DE0.13 Module Summary →