K0.6 Setting Up Your Lab Environment

1.5-2 hours · Module 0 · Free
Operational Objective
The Lab Requirement: Every module in this course includes hands-on exercises that require running KQL queries against real security data. You need a workspace with security telemetry. This subsection provides three paths depending on your situation: use your production Sentinel workspace (ideal), set up an M365 developer tenant with sample data (free), or use the Azure Data Explorer free cluster with synthetic NE data (zero cost, instant access).
Deliverable: A working environment where you can execute KQL queries against security log data.
Estimated completion: 20-45 minutes (depending on path)

Path 1: Production Sentinel workspace (best)

If you have access to your organisation’s Sentinel workspace with at least Reader permissions: this is the best lab environment. You learn KQL against YOUR data, with YOUR tables, in YOUR security context. The queries you write during exercises immediately transfer to your daily work.

Figure K0.6 — Three lab paths, each supporting the course exercises: Path 1, production workspace (best: real data, immediate value); Path 2, M365 developer tenant (free: sample data, full features); Path 3, ADX free cluster (instant: synthetic NE data, same KQL).

Requirements: Microsoft Sentinel Reader role (or Log Analytics Reader). Access to the Sentinel Logs blade in the Azure portal. If you have Defender XDR access: Advanced Hunting also works for most exercises.

Verification: Open the Sentinel Logs blade. Run: SigninLogs | take 5. If this returns 5 rows: your lab is ready. If it returns an error or zero rows: check your permissions or try Path 2.

Path 2: M365 developer tenant (free)

Microsoft provides free E5 developer tenants at developer.microsoft.com with 25 user licences and sample data packs. This is a full Microsoft 365 environment — Sentinel, Defender XDR, Entra ID — with synthetic users and activity data.

Setup steps:

  1. Register at developer.microsoft.com/en-us/microsoft-365/dev-program
  2. Create an instant sandbox (pre-configured with 25 users and sample data)
  3. In the Azure portal: create a Log Analytics workspace (free tier — 5 GB/day)
  4. Enable Microsoft Sentinel on the workspace (free trial: 31 days, then pay-as-you-go)
  5. Connect data connectors: Entra ID (SigninLogs, AuditLogs), Microsoft 365 (OfficeActivity)
  6. Wait 24-48 hours for data ingestion. Then verify: SigninLogs | take 5

Cost: Free for the developer tenant. Sentinel is free for 31 days on the first workspace. After 31 days: approximately $2-5/month for the minimal data volume of a developer tenant.

Path 3: Azure Data Explorer free cluster (instant)

If you cannot access a Sentinel workspace or set up a developer tenant: use the ADX free cluster at dataexplorer.azure.com. ADX runs the same KQL engine as Sentinel — identical syntax, identical operators. The difference: ADX uses custom table names instead of Sentinel table names.

Setup steps:

  1. Go to dataexplorer.azure.com
  2. Sign in with any Microsoft account (personal or work)
  3. Create a free cluster (100 GB storage, no credit card required)
  4. The course provides a data loading script that creates Sentinel-compatible tables (SigninLogs_CL, DeviceProcessEvents_CL, OfficeActivity_CL) with synthetic NE data

Limitation: ADX table schemas differ slightly from Sentinel. The course notes any differences when they occur. The detection logic and KQL operators are identical — only the table and field names may vary.

Compliance Myth: "Running queries against production data for training purposes violates compliance"

The myth: Using production Sentinel data for KQL learning exercises violates data protection regulations because the analyst is accessing real user data for “non-operational” purposes.

The reality: Security analysts are AUTHORISED to access security telemetry as part of their role. Learning to query the data more effectively IS an operational purpose — it directly improves the analyst’s ability to detect and investigate threats. No compliance framework prohibits analysts from developing their skills using the data they are already authorised to access. If your organisation has a specific policy requiring separate training environments: use Path 2 or Path 3. Most organisations encourage analysts to practice against production data because the skills transfer directly.

Try it yourself

Exercise: Verify your lab environment

Whichever path you chose, run this verification query: SigninLogs | where TimeGenerated > ago(7d) | summarize TotalEvents = count(), UniqueUsers = dcount(UserPrincipalName) | project TotalEvents, UniqueUsers. This tells you: how many sign-in events exist in the last 7 days, and how many distinct users are active. If both numbers are greater than zero: your lab is ready for K1.

Check your understanding

A learner has access to Defender XDR Advanced Hunting but not Sentinel. Can they complete this course?

Answer: Yes — for most modules. Advanced Hunting runs the same KQL engine and shares most tables with Sentinel (DeviceProcessEvents, DeviceFileEvents, IdentityLogonEvents, EmailEvents). Some Sentinel-specific tables (CommonSecurityLog, SecurityAlert, custom tables) are not available in Advanced Hunting. The course notes when an exercise requires Sentinel-specific tables and provides alternative Defender tables where possible. For the 80% of exercises that use shared tables: Advanced Hunting works identically.

Troubleshooting

“I cannot create a developer tenant — my organisation blocks it.” Use Path 3 (ADX free cluster). No organisational approval required — it uses your personal Microsoft account and a standalone cluster that is not connected to any organisation.

“Sentinel shows 0 events in SigninLogs.” The data connector may not be enabled. In Sentinel → Data connectors → search “Azure Active Directory” → ensure the SigninLogs and AuditLogs diagnostic settings are configured. Allow 24-48 hours for initial data ingestion.


Path 2 detailed setup: M365 developer tenant

The developer tenant setup takes 30-45 minutes and produces a fully functional Sentinel workspace. Here is the step-by-step:

Step 1 — Developer program registration (5 minutes): Navigate to developer.microsoft.com. Sign in with any Microsoft account. Join the M365 Developer Program. Select “Instant sandbox” — this creates a pre-configured E5 tenant with 25 sample users, mailboxes, Teams channels, and SharePoint sites.

Step 2 — Azure subscription (5 minutes): The developer tenant includes an Azure AD tenant but NOT an Azure subscription. Go to portal.azure.com, sign in with the developer tenant admin account. Create a free Azure subscription (requires a credit card for verification — you will not be charged for the free tier). Select the Pay-As-You-Go plan.

Step 3 — Log Analytics workspace (5 minutes): In the Azure portal → Create a resource → “Log Analytics workspace.” Name: “kql-training-workspace.” Region: UK South (or your nearest region). Pricing tier: Pay-As-You-Go (5 GB/day free ingestion).

Step 4 — Enable Sentinel (5 minutes): In the Azure portal → Microsoft Sentinel → Add → select your workspace. Sentinel activates with a 31-day free trial. After the trial: approximately $2-5/month for the developer tenant’s minimal data volume.

Step 5 — Connect data sources (10 minutes): In Sentinel → Data connectors → search “Azure Active Directory.” Configure: SigninLogs (check), AuditLogs (check), NonInteractiveUserSignInLogs (check). Then connect “Microsoft 365” → OfficeActivity (check Exchange, SharePoint, Teams). Each connector takes 2-3 minutes to configure.

Step 6 — Generate activity (5 minutes): Sign in to the developer tenant with several of the 25 sample user accounts. Send emails, create Teams messages, upload files to SharePoint. This generates real OfficeActivity events. Sign-in events generate automatically from these actions.

Step 7 — Wait and verify (24-48 hours): Data connectors take up to 48 hours for initial ingestion. After waiting: run SigninLogs | take 5 in the Sentinel Logs blade. If results appear: your lab is ready.

Path 3 detailed setup: ADX free cluster

For learners who need instant access without Azure setup:

Step 1: Navigate to dataexplorer.azure.com. Sign in with any Microsoft account (personal accounts work).

Step 2: Click “My cluster” → “Create free cluster.” Name it “kql-security-lab.” The cluster provisions in under 60 seconds.

Step 3: In a future course update, we will provide a data loading script that creates Sentinel-compatible tables with synthetic NE data. Until then: the ADX cluster includes sample datasets (StormEvents, PopulationData) that teach KQL operators — the syntax is identical to Sentinel, only the table names and security context differ.

The ADX path is the fastest way to start writing KQL. The Sentinel-specific table knowledge (K7) requires Path 1 or Path 2 — but the fundamental operators (K1-K6) work identically in ADX.
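Until the course's data loading script ships, the following added example (not the course's script, and not part of the original page) builds a small SigninLogs-compatible table on the ADX free cluster so the course verification query runs unchanged apart from the table name. The schema is an assumed subset of Sentinel's SigninLogs columns, the rows are constructed synthetic data, and inline ingestion is assumed to be available on the free cluster.

```kusto
// Constructed SigninLogs-compatible table for the ADX free cluster (added example).
// Column names match Sentinel's SigninLogs so exercise queries transfer as-is.
.create table SigninLogs_CL (
    TimeGenerated: datetime,
    UserPrincipalName: string,
    ResultType: string,
    ResultDescription: string,
    IPAddress: string,
    AppDisplayName: string
)

// Constructed sample rows (synthetic users, TEST-NET addresses): 7 sign-ins over
// two days, two of which fail (ResultType 50126 = bad credentials, 50053 = locked).
.ingest inline into table SigninLogs_CL <|
2025-01-06T08:02:11Z,alice@lab.example,0,Success,203.0.113.10,Office 365 Exchange Online
2025-01-06T08:05:40Z,bob@lab.example,50126,Invalid username or password,203.0.113.11,Microsoft Teams
2025-01-06T09:15:02Z,bob@lab.example,0,Success,203.0.113.11,Microsoft Teams
2025-01-07T07:58:19Z,alice@lab.example,0,Success,203.0.113.10,SharePoint Online
2025-01-07T10:20:33Z,bob@lab.example,0,Success,203.0.113.11,Microsoft Teams
2025-01-07T12:30:00Z,carol@lab.example,50053,Account locked,198.51.100.7,Office 365 Exchange Online
2025-01-07T12:31:45Z,carol@lab.example,0,Success,198.51.100.7,Office 365 Exchange Online

// The course verification query against the _CL table. The constructed rows have
// fixed dates, so a fixed window replaces ago(7d); use ago(7d) on live data.
// Expected: 2025-01-07 -> 4 sign-ins, 3 users, 1 failure, 75.0% success;
//           2025-01-06 -> 3 sign-ins, 2 users, 1 failure, 66.7% success.
SigninLogs_CL
| where TimeGenerated between (datetime(2025-01-06) .. datetime(2025-01-08))
| summarize
    TotalSignins = count(),
    UniqueUsers = dcount(UserPrincipalName),
    FailedSignins = countif(ResultType != "0"),
    SuccessRate = round(100.0 * countif(ResultType == "0") / count(), 1)
    by bin(TimeGenerated, 1d)
| sort by TimeGenerated desc
```

Run the two control commands and the query as three separate executions in the ADX web UI, which runs one statement at a time.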

Verifying your lab with a real investigation query

After setting up your lab, run this verification that doubles as your first real investigation:

SigninLogs
| where TimeGenerated > ago(7d)
| summarize
    TotalSignins = count(),
    UniqueUsers = dcount(UserPrincipalName),
    FailedSignins = countif(ResultType != "0"),
    SuccessRate = round(100.0 * countif(ResultType == "0") / count(), 1)
    by bin(TimeGenerated, 1d)
| sort by TimeGenerated desc

This answers 4 questions simultaneously: sign-in volume, unique users, failure count, and success rate per day. If SuccessRate drops below 95% on any day: investigate. This single query uses operators you have not formally learned yet (summarize, countif, round, bin). By K3, you will understand every operator. For now: run it and confirm your lab works.
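The query above tells you that a day fell below 95%; the following added example (not course code, and using let, join and make_set, which the course covers later) takes the next investigative step: it isolates the low-success days and shows which result codes, users and source IPs drove the failures. It assumes a Sentinel SigninLogs table (Path 1 or 2); on the ADX path substitute the course's SigninLogs_CL table name.

```kusto
// Added follow-up to the verification query: triage the days whose sign-in
// success rate fell below the 95% threshold named in the course text.
let Threshold = 95.0;
let LowDays = SigninLogs
    | where TimeGenerated > ago(7d)
    | summarize SuccessRate = round(100.0 * countif(ResultType == "0") / count(), 1)
        by Day = bin(TimeGenerated, 1d)
    | where SuccessRate < Threshold
    | project Day, SuccessRate;
// Only failed sign-ins (ResultType "0" is success) on those days, grouped by
// the failure code so a lockout wave, a password spray and a conditional-access
// block each surface as distinct rows rather than one undifferentiated count.
SigninLogs
| where TimeGenerated > ago(7d) and ResultType != "0"
| extend Day = bin(TimeGenerated, 1d)
| join kind=inner LowDays on Day
| summarize
    Failures = count(),
    AffectedUsers = dcount(UserPrincipalName),
    SourceIPs = dcount(IPAddress),
    SampleUsers = make_set(UserPrincipalName, 5)
    by Day, SuccessRate, ResultType, ResultDescription
| sort by Day desc, Failures desc
```

A high Failures count with few AffectedUsers and one SourceIP reads very differently from the same count spread across many users and IPs; that contrast is what the grouping exposes.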

Maintaining your lab environment

Developer tenant renewal: Microsoft developer tenants expire after 90 days of inactivity. To keep your tenant active: sign in at least once every 90 days and perform some activity (send an email, create a Teams message). The developer program dashboard shows your renewal status.

Sentinel cost management: After the 31-day free trial, Sentinel charges per GB ingested. A developer tenant with 25 sample users generates approximately 50-100 MB/day — costing $0.05-0.10/day ($1.50-3.00/month). To minimise costs: disable data connectors you are not actively using. Re-enable when you need them for a specific module. The workspace retains existing data even when connectors are disabled.

Keeping data fresh: The developer tenant’s sample data generates activity based on the sample user population. For modules that require specific investigation scenarios (K9 investigation patterns, K13 capstone): the course provides synthetic log entries you can import via the Log Analytics Data Collector API. This ensures your lab environment contains the specific attack patterns the exercises reference, regardless of what the sample users generate organically.

You're reading the free modules of Mastering KQL

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.
