PT1.8 Azure Subscription, Sentinel, and Log Analytics
You've used the Azure portal — maybe for VMs, storage, or Sentinel in a work environment. This sub deploys Sentinel in your own subscription. You control everything: the workspace, the connectors, the analytics rules. No permission requests, no change management, full admin.
Step 1: Create an Azure subscription
If you already have an Azure subscription, skip to Step 2. You can use any subscription — the lab resources are isolated in their own resource group.
Go to azure.microsoft.com/free. Sign in with your developer tenant admin account (admin@yourname.onmicrosoft.com).
Follow the signup:
- Profile — enter your details. A credit card is required for identity verification but won't be charged unless you exceed free credit or explicitly upgrade.
- Identity verification — phone or text verification
- Agreement — accept the terms
You get $200 (approximately £160) of free credit for the first 30 days, which covers the first month of lab use. When the 30 days end or the credit is used up, the subscription is paused until you upgrade it to pay-as-you-go; nothing is charged without that explicit upgrade, and after it you pay only for what you use.
Expected monthly cost during active course work (a newly created workspace also gets a 31-day Microsoft Sentinel free trial, which lowers the first month further):
Azure Lab Cost Breakdown (estimated)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Component                    Daily         Monthly (active)
───────────────────────────  ───────────   ─────────────────────────────────
Sentinel data ingestion      £0.50–1.50    £15–45
Log Analytics retention      included      included (90 days on a Sentinel workspace)
Sentinel solution            free          free (no fixed fee, pay-per-GB only)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total when actively testing: ~£15–30/month
Total when idle (no testing): ~£0–2/month
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Step 2: Create the resource group
Open the Azure portal. Sign in as your tenant admin.
Via the portal:
- Search for "Resource groups" in the top search bar
- Click "+ Create"
- Fill in:
  Subscription: (your subscription)
  Resource group: rg-purpleteam-lab
  Region: UK South (or your nearest region)
- Click "Review + create" → "Create"
Via PowerShell (alternative):
# Install the Az modules for the current user (skip if already installed)
Install-Module Az -Scope CurrentUser -Force
# Interactive sign-in; use the tenant admin account
Connect-AzAccount
# Create the resource group in UK South
New-AzResourceGroup -Name "rg-purpleteam-lab" -Location "uksouth"
Step 3: Create the Log Analytics workspace
Log Analytics is where your data lives. Sentinel runs on top of it.
Via the portal:
- Search for "Log Analytics workspaces"
- Click "+ Create"
- Fill in:
  Subscription: (your subscription)
  Resource group: rg-purpleteam-lab
  Name: law-purpleteam
  Region: UK South (same region as the resource group)
  Pricing tier: Pay-as-you-go (Per GB 2018) ← this is the default
- Click "Review + create" → "Create"
Deployment takes 1–2 minutes.
Step 4: Enable Microsoft Sentinel
- Search for "Microsoft Sentinel" in the portal
- Click "+ Create" (or "Add")
- Select law-purpleteam from the workspace list
- Click "Add"
Sentinel provisions on top of the workspace. This takes 1–2 minutes. You'll land on the Sentinel overview page.
Step 5: Connect data source — Microsoft Defender for Endpoint (MDE) telemetry
This brings endpoint telemetry (DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents) into Sentinel from your onboarded Windows endpoint. Note that the standalone "Microsoft Defender for Endpoint" connector only forwards alerts (into SecurityAlert); the raw Device* tables arrive through the Microsoft Defender XDR connector (formerly Microsoft 365 Defender), which is the one to install here.
- In Sentinel → Content hub → search "Microsoft Defender XDR"
- Click the solution → Install → wait for install to complete
- Go to Data connectors → find "Microsoft Defender XDR" → click "Open connector page"
- Click "Connect incidents & alerts", then under "Connect events" tick the Microsoft Defender for Endpoint tables (at minimum DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents) → "Apply Changes"
- Status changes to "Connected" (may take a few minutes)
Verification:
// Run in Sentinel → Logs
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| count
If the count is greater than 0, endpoint data is flowing. If it returns 0, wait 15 minutes — initial data ingestion can be slow. If still 0 after 30 minutes, check that the endpoint was onboarded in PT1.7 Step 4 (the endpoint must appear in Defender's device inventory) and that the DeviceProcessEvents box is ticked under "Connect events".
Step 6: Connect data source — Microsoft Entra ID
This connector brings sign-in and audit logs from your M365 tenant into the workspace via Entra ID diagnostic settings. Exporting sign-in logs this way requires a Microsoft Entra ID P1 or P2 licence on the tenant, which a Microsoft 365 E5 developer tenant includes.
- In Sentinel → Content hub → search "Microsoft Entra ID" (may also appear as "Azure Active Directory")
- Click the solution → Install
- Go to Data connectors → find "Microsoft Entra ID" → "Open connector page"
- Under Configuration, check:
  ☑ Sign-in logs (interactive user sign-ins)
  ☑ Audit logs (directory changes: users, groups, roles, app registrations)
  ☑ Non-interactive user sign-in logs (token refreshes and client sign-ins on a user's behalf; this is where a replayed session or stolen refresh token shows up)
  ☑ Service principal sign-in logs (apps authenticating as themselves; the table to use for service principal abuse detection)
  ☑ Managed Identity sign-in logs
  ☑ Provisioning logs
- Click "Apply Changes"
Verification:
SigninLogs
| where TimeGenerated > ago(24h)
| count
If you generated a sign-in event in PT1.7 Step 6, this should return at least 1. If empty, sign in as a test user, wait 10 minutes, and query again. SigninLogs holds only interactive user sign-ins; the non-interactive, service principal and managed identity categories land in AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs and AADManagedIdentitySignInLogs respectively, so query those tables when you test detections for them.
Step 7: Connect data source — Sysmon via Azure Monitor Agent (AMA)
This sends Sysmon events directly from the Windows endpoint to Sentinel. The MDE connector (Step 5) delivers Defender's processed, normalised records to DeviceProcessEvents; AMA delivers the raw Sysmon event (EventData XML and all) to the Event table with Source "Microsoft-Windows-Sysmon". Having both gives you two independent views of the same activity, which is useful for rule development: a behaviour that appears in one table and not the other is a coverage fact you want to know before you trust a rule written against either.
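As an added illustration (not part of the original module, and only meaningful once both Step 5 and Step 7 are delivering), the following KQL puts the two views side by side: it parses Sysmon Event ID 1 (process create) out of the Event table's EventData XML, joins each one to DeviceProcessEvents on host and process ID, and reports per image how many Sysmon process creates MDE also recorded. The short-hostname normalisation and the two-minute join window are assumptions; adjust them for your naming and ingestion lag.

```kql
// Added example, not from the module. Assumes Sysmon arrives in Event via AMA
// (Step 7) and MDE raw events arrive in DeviceProcessEvents (Step 5).
let lookback = 1h;
let window = 2m;          // assumed max clock/ingestion skew between the two sources
// Sysmon Event ID 1 = process creation. EventData is XML; collect the named
// <Data Name="..."> elements into a property bag, then type the fields needed.
let SysmonProcCreate =
    Event
    | where TimeGenerated > ago(lookback)
    | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
    | extend Data = parse_xml(EventData).DataItem.EventData.Data
    | mv-apply Data on (
        summarize Fields = make_bag(bag_pack(tostring(Data["@Name"]), tostring(Data["#text"])))
      )
    | extend Host = tolower(tostring(split(Computer, ".")[0])),   // assumed: short, lower-case hostname
             ProcessId = tolong(Fields.ProcessId),
             Image = tostring(Fields.Image),
             CommandLine = tostring(Fields.CommandLine),
             ParentImage = tostring(Fields.ParentImage)
    | project SysmonTime = TimeGenerated, Host, ProcessId, Image, CommandLine, ParentImage;
// MDE's view of the same activity, normalised to the same host key.
let MdeProcCreate =
    DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | extend Host = tolower(tostring(split(DeviceName, ".")[0]))
    | project MdeTime = TimeGenerated, Host, ProcessId, FolderPath,
              ProcessCommandLine, InitiatingProcessFolderPath;
// Left outer join: every Sysmon process create, with the MDE record beside it
// when one exists. Rows with an empty MdeTime are activity MDE did not report
// (or has not ingested yet): the gap to know about before writing a rule
// against only one table. A PID reused outside the window drops the row
// instead of keeping it as unmatched, so read CoveragePct as a guide.
SysmonProcCreate
| join kind=leftouter MdeProcCreate on Host, ProcessId
| where isnull(MdeTime) or abs(MdeTime - SysmonTime) <= window
| extend InMDE = isnotnull(MdeTime)
| summarize SysmonEvents = count(), AlsoInMDE = countif(InMDE) by Host, Image
| extend CoveragePct = round(100.0 * AlsoInMDE / SysmonEvents, 1)
| order by CoveragePct asc
```

Images with a low CoveragePct are where a DeviceProcessEvents-only rule would be blind; drop the final summarize to see the individual unmatched command lines.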
Install AMA on the Windows endpoint:
If PT-WIN-ENDPOINT is an Azure VM you can skip this block: adding the VM to the Data Collection Rule below installs the AzureMonitorWindowsAgent extension for you. For a VM running outside Azure the agent is normally added the same way, as an extension, after the Azure Arc registration described further down, so do the Arc step first if you take that route. The manual install below puts the agent binaries on the box, but a DCR is associated with an Azure resource, so the machine must be an Azure VM or an Arc-enabled server before the rule can reach it.
On PT-WIN-ENDPOINT, open PowerShell as administrator:
# Make sure the download folder exists
New-Item -ItemType Directory -Path "C:\Tools" -Force | Out-Null
# Download the AMA installer
Invoke-WebRequest -Uri "https://aka.ms/InstallAzureMonitorAgentWindows" `
    -OutFile "C:\Tools\AMA-Setup.msi"
# Install silently and wait for msiexec to finish
Start-Process msiexec.exe -ArgumentList "/i C:\Tools\AMA-Setup.msi /qn" -Wait
# Verify the service is running
Get-Service AzureMonitorAgent | Select-Object Status, Name
Expected output:
Status  Name
------  ----
Running AzureMonitorAgent
If the service doesn't appear, reboot the endpoint and check again.
Create a Data Collection Rule (DCR) in Azure portal:
- In the Azure portal, search for "Monitor" → click "Monitor"
- Go to Data Collection Rules → "+ Create"
- Fill in:
  Rule name: dcr-sysmon-purpleteam
  Subscription: (your subscription)
  Resource group: rg-purpleteam-lab
  Region: UK South
  Platform type: Windows
- Click "Next: Resources" → "+ Add resources"
- If your endpoint VM is an Azure VM, it appears in the list — select it. If it's a local VM with AMA installed manually, you need to register it via Azure Arc first (see the note below), after which it appears here.
- Click "Next: Collect and deliver" → "+ Add data source":
  Data source type: Windows Event Logs
  Configuration: Custom
  XPath query: Microsoft-Windows-Sysmon/Operational!*
  (the default Sysmon channel; the trailing * collects every event ID, which is what you want in a lab)
- Click "Next: Destination" → add destination:
  Destination type: Azure Monitor Logs
  Subscription: (your subscription)
  Account/namespace: law-purpleteam
- Click "Review + create" → "Create"
For local VMs (not Azure VMs): if your endpoint is a local VM, you need to register it with Azure Arc before a DCR can target it. This adds a step:
# On PT-WIN-ENDPOINT — download and run the Azure Arc agent
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" `
    -OutFile "C:\Tools\AzureConnectedMachineAgent.msi"
Start-Process msiexec.exe -ArgumentList "/i C:\Tools\AzureConnectedMachineAgent.msi /qn" -Wait
# Connect to Azure Arc. (Get-AzContext) needs the Az module and a prior
# Connect-AzAccount on this machine; paste the tenant and subscription IDs
# as literal strings instead if you would rather not install Az on the endpoint.
# azcmagent prompts for a device-code sign-in: use the tenant admin account.
& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect `
    --resource-group "rg-purpleteam-lab" `
    --tenant-id (Get-AzContext).Tenant.Id `
    --location "uksouth" `
    --subscription-id (Get-AzContext).Subscription.Id
If connect fails with a resource provider error, register Microsoft.HybridCompute and Microsoft.GuestConfiguration on the subscription first (Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute). After Arc registration, the VM appears in the DCR resource selector.
Verification:
Wait 10–15 minutes after DCR creation, then:
// Check Sysmon events via AMA
Event
| where Source == "Microsoft-Windows-Sysmon"
| where TimeGenerated > ago(1h)
| count
A non-zero count means the DCR is delivering. If it stays at 0, confirm on the endpoint that Sysmon is writing to its channel (Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational) and that the DCR's Resources tab still lists the machine.
Step 8: Set up a budget alert
Prevent cost surprises:
- In the Azure portal → Cost Management + Billing → Budgets
- Click "+ Add"
- Fill in:
  Budget name: purpleteam-monthly
  Budget amount: £30 / month
  Alert condition: Actual > 80% (alerts at £24)
  Alert recipients: your email address
- Click "Create"
A budget notifies you; it does not stop or delete anything. If you want a hard ceiling on ingestion cost as well, set a daily cap on the Log Analytics workspace (Usage and estimated costs → Daily cap), accepting that data above the cap is dropped for the rest of that day.
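Before working through the checklist below, one query that checks all three data sources from Steps 5–7 in a single run, added here as an example rather than taken from the module. isfuzzy=true stops the query failing when a table has not been created yet (a table exists only once its first record arrives); the 24-hour lookback and one-hour stale threshold are assumptions.

```kql
// Added example, not from the module: connector health check for Steps 5-7.
let lookback = 24h;
let stale_after = 1h;   // assumed: anything older than this is flagged STALE
// What should be arriving, and which step set it up.
let Expected = datatable(TableName:string, Connector:string) [
    "DeviceProcessEvents", "MDE telemetry via Microsoft Defender XDR connector (Step 5)",
    "SigninLogs",          "Microsoft Entra ID connector (Step 6)",
    "Event",               "Sysmon via AMA + DCR (Step 7)"
];
// isfuzzy=true: a missing table yields no rows instead of a query error.
union withsource=TableName isfuzzy=true DeviceProcessEvents, SigninLogs, Event
| where TimeGenerated > ago(lookback)
// Only Sysmon rows count for the Event table; Source is null for the other two.
| where TableName != "Event" or Source == "Microsoft-Windows-Sysmon"
| summarize Events = count(), LastSeen = max(TimeGenerated) by TableName
// rightouter keeps expected sources that produced nothing at all.
| join kind=rightouter Expected on TableName
| extend Status = case(isnull(Events) or Events == 0, "NO DATA",
                       LastSeen < ago(stale_after),       "STALE",
                                                          "OK")
| project TableName = TableName1, Connector, Events, LastSeen, Status
| order by Status asc
```

Any row that is not OK maps straight back to the step named in its Connector column; NO DATA means the connector or DCR was never wired up, STALE usually means the endpoint is off or its agent has stopped.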
Verification checklist
☐ Azure subscription active (free credit or pay-as-you-go)
☐ Resource group rg-purpleteam-lab created
☐ Log Analytics workspace law-purpleteam created
☐ Microsoft Sentinel enabled on the workspace
☐ MDE data connector connected (DeviceProcessEvents has data)
☐ Entra ID data connector connected (SigninLogs has data)
☐ AMA installed on Windows endpoint (service running)
☐ DCR configured for Sysmon events
☐ Sysmon events arriving via AMA (Event table has Sysmon source)
☐ Budget alert configured at £30/month
You've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course