Free Resource

Build Your Security Operations Home Lab

One lab environment. Every Ridgeline course. Zero cost.

This guide walks you through building a comprehensive security operations lab from scratch. You will set up VMware Workstation Pro, deploy Windows 11 and Ubuntu VMs, configure an M365 E5 developer tenant with Sentinel, install the full forensic and detection toolchain, and connect everything into a lab that supports investigation, detection engineering, endpoint security, threat hunting, and triage exercises across the entire Ridgeline course catalog. Total cost: free. Total setup time: 3–5 hours.

What you are building

This lab has four layers. Each layer is independent — you can build what you need and skip what you do not.

Layer 1 — Local VMs (required for IR, Triage, Endpoint Security, Linux IR) A Windows 11 VM and an Ubuntu Desktop VM running in VMware Workstation Pro on your host machine. These VMs host the forensic tools, generate investigation artifacts, and serve as the target systems for triage and endpoint security exercises.

Layer 2 — M365 E5 Developer Tenant (required for cloud-focused courses) A free Microsoft 365 E5 developer tenant with 25 user licenses, sample data, and full access to Defender XDR, Entra ID, Exchange Online, and SharePoint. This is where you run KQL queries, configure conditional access policies, build detection rules, and investigate cloud-based attack scenarios.

Layer 3 — Azure Subscription with Sentinel (recommended for detection and hunting courses) A free Azure subscription connected to your developer tenant, with a Log Analytics workspace and Microsoft Sentinel enabled. A new workspace gets 5 GB/day of free ingestion for its first 31 days, and the Defender XDR alert and Office 365 audit tables stay free of ingestion charges after that, so a lab of this size stays cheap (see the billing notes under Layer 3). This is where you build analytics rules, run hunting queries, and configure automation playbooks.

Layer 4 — Forensic and Security Toolchain (installed into your VMs) The specific tools each course uses — KAPE, EZ Tools, Volatility 3, Sysmon, Velociraptor, Sysinternals, LiME, and others — installed into the appropriate VMs.

Which layers each course needs

Course                | Layer 1 (VMs) | Layer 2 (M365) | Layer 3 (Sentinel) | Layer 4 (Tools)
----------------------|---------------|----------------|--------------------|-------------------------------------------
Practical IR          | ✓ Windows     | Recommended    | Recommended        | KAPE, EZ Tools, Volatility 3, Velociraptor
Practical Linux IR    | ✓ Ubuntu      |                |                    | Volatility 3, Sleuth Kit, LiME
Incident Triage       | ✓ Both        | Recommended    | Recommended        | KAPE, EZ Tools, LiME
Endpoint Security     | ✓ Windows     | Recommended    | Recommended        | Sysmon, KAPE, Velociraptor, OSQuery
Detection Engineering |               | ✓ Required     | ✓ Required         |
Threat Hunting M365   |               | ✓ Required     | ✓ Required         |
Entra ID Security     |               | ✓ Required     | Recommended        |
Mastering KQL         |               | ✓ Required     | ✓ Required         |
Security Automation   |               | ✓ Required     | ✓ Required         |
SOC Operations        | ✓ Windows     | Recommended    | Recommended        | Sysmon
M365 Security Ops     |               | ✓ Required     | ✓ Required         |
Practical GRC         |               |                |                    |
Claude Security       |               |                |                    |

An empty cell means the course does not use that layer.

Layer 1 — Local Virtual Machines

Hardware requirements

You need a machine that can run two VMs simultaneously alongside your host OS. The minimum and recommended specs:

Component | Minimum                        | Recommended
----------|--------------------------------|---------------------------------------
CPU       | 4 cores                        | 8+ cores
RAM       | 16 GB                          | 32 GB
Storage   | 200 GB free                    | 500 GB free (SSD strongly recommended)
Host OS   | Windows 10/11, macOS, or Linux | Any of these

With 16 GB of host RAM, give the Windows VM 6 GB and the Ubuntu VM 4 GB, leaving 6 GB for the host. With 32 GB, give each VM 8 GB. Only the Incident Triage course needs both VMs running at the same time; for the others, shut down the VM you are not using and the host stays responsive.

Step 1: Install VMware Workstation Pro

VMware Workstation Pro is free for personal use. Downloading it requires a (free) Broadcom support portal account.

  1. Go to broadcom.com/products/desktop-hypervisors/workstation-and-fusion
  2. Download VMware Workstation Pro for your host OS (Windows or Linux) or VMware Fusion Pro for macOS
  3. Install with default settings
  4. Accept the license agreement — select “Personal Use”

Alternative: VirtualBox. If you prefer VirtualBox, the guide works with two adjustments. Replace “VMware” with “VirtualBox” and “VMDK” with “VDI” in the instructions, and in Step 4 put both VMs on a VirtualBox “NAT Network” rather than the default “NAT” adapter: plain NAT in VirtualBox gives each VM its own private network, so the VMs cannot reach each other. VirtualBox is also free: virtualbox.org.

Step 2: Download Windows 11 evaluation VM

Microsoft provides a free 90-day evaluation of Windows 11 Enterprise.

  1. Go to microsoft.com/en-us/evalcenter/evaluate-windows-11-enterprise
  2. Select VMware (or VirtualBox if using that)
  3. Download the ZIP file (~20GB)
  4. Extract the ZIP — this produces a ready-to-use VM image
  5. Open the VM in VMware Workstation (File → Open)
  6. When prompted, select “I Copied It”
  7. Start the VM and complete Windows setup

If the evaluation page only offers an ISO rather than a pre-built VM image, create the VM the same way as the Ubuntu VM in Step 3 (File → New Virtual Machine → Typical, choose the ISO, and select Windows 11 as the guest OS so VMware adds the UEFI firmware and virtual TPM that Windows 11 setup requires), then install from the ISO.

VM settings to configure:

Setting   | Value
----------|----------------------------------------------------------------
RAM       | 6–8 GB
CPUs      | 2–4 cores
Disk      | 80 GB minimum (expand the existing disk if needed)
Network   | NAT (default; provides internet access through your host)
Snapshots | Take a clean snapshot after setup and name it “Clean Install”

After Windows boots:

# Rename the VM (optional, but it makes the device easy to identify in MDE and Sentinel later)
Rename-Computer -NewName "LAB-WIN11" -Restart

# Verify the Windows version (opens the About Windows dialog)
winver

# Check how many days the evaluation has left
slmgr /xpr

When the 90 days are up, Windows moves to a 10-day grace period, after which it shuts down every hour. You can rearm it once with slmgr /rearm (reboot afterwards) for another 90 days; check the remaining time at any point with slmgr /xpr. After that, rebuild from the clean snapshot.

Step 3: Download and configure Ubuntu Desktop VM

  1. Go to ubuntu.com/download/desktop
  2. Download Ubuntu 24.04 LTS (or latest LTS) ISO
  3. In VMware Workstation: File → New Virtual Machine → Typical
  4. Select the Ubuntu ISO as the installer disc image
  5. Configure: 4–8 GB RAM, 2–4 CPUs, 60 GB disk
  6. Complete the Ubuntu installation wizard (create user, set password, set timezone)

After Ubuntu installs:

# Update packages
sudo apt update && sudo apt upgrade -y

# Install essential tools (python3-venv is needed for the Volatility 3 install later)
sudo apt install -y net-tools curl wget git python3-pip python3-venv unzip jq

# Install the guest integration. open-vm-tools is the supported VMware Tools for Linux;
# the desktop package adds clipboard sharing and display resizing. Reboot afterwards.
sudo apt install -y open-vm-tools open-vm-tools-desktop
sudo reboot

# After the reboot, shut the VM down and take a clean snapshot in VMware
# (VM → Snapshot → Take Snapshot), named "Clean Install"

Step 4: Configure networking between VMs

Both VMs should use NAT networking (the default). In VMware Workstation, NAT places every VM on the same virtual network (VMnet8), so each VM gets internet access through your host and the two VMs can reach each other. (In VirtualBox this requires a shared “NAT Network”; the default NAT adapter isolates each VM.)

Verify connectivity:

# On Windows VM — find your IP
ipconfig
# Note the IPv4 address (typically 192.168.x.x)

# On Ubuntu VM — find your IP
ip addr show
# Note the inet address on the primary interface (usually ens33 on VMware)

# Test connectivity to Windows VM
ping -c 4 <windows-vm-ip>

If ping from Ubuntu gets no reply while the Windows VM can ping Ubuntu, the Windows firewall is the usual cause: it drops inbound ICMPv4 echo requests on networks classified as Public, which is how the NAT adapter is normally categorised after setup. Allow echo requests in Windows Defender Firewall (the built-in rule “File and Printer Sharing (Echo Request - ICMPv4-In)”) or test with a TCP port instead. If you need isolated networking (no internet, VMs talk only to each other), create a Host-Only network in VMware: Edit → Virtual Network Editor → Add Network → Host-Only.
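As an added example (not from the original guide), the same connectivity check done from the Windows side in PowerShell, with the firewall fix included. It assumes an elevated session on the Windows VM, the Ubuntu VM's address in $UbuntuIp (the value below is a placeholder), a /24 NAT subnet, and a firewall rule name of our own choosing.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# session on the Windows VM. $UbuntuIp is a constructed placeholder: replace it
# with the inet address you noted from "ip addr show" on the Ubuntu VM.
$UbuntuIp = "192.168.171.129"

# 1. This VM's DHCP-assigned IPv4 address on the NAT adapter (skips APIPA).
$lanIp = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq "Dhcp" -and $_.IPAddress -notlike "169.254.*" } |
    Select-Object -First 1 -ExpandProperty IPAddress
"Windows VM address: $lanIp"

# 2. Windows drops inbound ICMPv4 echo on Public networks by default, and the
#    NAT adapter is usually classified Public. Add a lab-only allow rule once so
#    pings from Ubuntu succeed. The rule name is our own choice.
$ruleName = "LAB Allow ICMPv4 Echo In"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol ICMPv4 `
        -IcmpType 8 -Action Allow -Profile Any | Out-Null
    "Created firewall rule '$ruleName'"
}

# 3. Test reachability at two layers: ICMP, then TCP/22 (succeeds only if you
#    installed openssh-server on Ubuntu; a TCP check still works when ICMP is filtered).
$icmp = Test-NetConnection -ComputerName $UbuntuIp -InformationLevel Quiet
$ssh  = Test-NetConnection -ComputerName $UbuntuIp -Port 22 -InformationLevel Quiet

# Same /24? If not, the VMs are on different virtual networks (check the adapter setting).
$net = { param($ip) ($ip -split "\.")[0..2] -join "." }
[pscustomobject]@{
    Target     = $UbuntuIp
    PingOK     = $icmp
    TcpSshOK   = $ssh
    SameSubnet = ((& $net $lanIp) -eq (& $net $UbuntuIp))   # assumes a /24 NAT subnet
}
```

If PingOK is false but SameSubnet is true, the problem is a host firewall on one side rather than the virtual network; if SameSubnet is false, one VM is on a different adapter type (Host-Only or Bridged) and no firewall change will help.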


Layer 2 — M365 E5 Developer Tenant

The M365 developer tenant gives you 25 E5 licenses for free. E5 includes Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps, Entra ID P2, and all the security features the courses use. One caveat on eligibility: Microsoft no longer opens the Developer Program to everyone. Joining currently requires an active Visual Studio Enterprise subscription or membership in the Microsoft partner programme, and the portal tells you at sign-up whether you qualify. If you cannot join, the 30-day Microsoft 365 E5 trial from the admin centre gives the same feature set for the course labs, but it does not renew, so plan your cloud-based exercises inside that window.

Step 1: Join the Microsoft 365 Developer Program

  1. Go to developer.microsoft.com/en-us/microsoft-365/dev-program
  2. Sign in with a Microsoft account (create one if needed — use a personal email, not a work account)
  3. Click “Join now” and complete the profile
  4. Select “Instant sandbox” when offered the choice — this creates a pre-configured tenant with sample users and data
  5. Note your admin credentials: admin@<your-domain>.onmicrosoft.com

The sandbox includes 16 sample users with realistic display names, mail, calendar data, and Teams activity. These users populate the sign-in logs, audit logs, and mailbox data that the courses use.

Important: The developer tenant renews automatically as long as you use it for development activity. Running KQL queries, configuring policies, and signing into the portal all count as activity. It expires after 90 days without activity, so sign in and do something in it at least every 60 days.

Step 2: Configure the tenant for security labs

Sign into security.microsoft.com with your admin account.

Enable Defender for Endpoint:

  1. Go to Settings → Endpoints → Advanced features
  2. Enable: Automated Investigation, Live Response, Live Response for Servers, Live Response unsigned script execution
  3. Enable: Allow or block file, Network protection, Web content filtering, Device discovery

Enable audit logging:

  1. Go to purview.microsoft.com (compliance.microsoft.com redirects there) → Audit
  2. If prompted, click “Start recording user and admin activity”
  3. Audit logging takes up to 24 hours to start generating events

Load sample data (if not using instant sandbox):

  1. In the Developer Program dashboard, click “Install sample data packs”
  2. Install: Users, Mail and Events, SharePoint

Onboard your Windows VM to MDE (optional but recommended for ES course):

  1. In security.microsoft.com → Settings → Endpoints → Onboarding
  2. Select “Local Script” as the deployment method
  3. Download the onboarding package
  4. Copy the script to your Windows VM
  5. Run PowerShell as Administrator and execute the script
  6. Verify: the device appears in Device Inventory within 5–30 minutes
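Added verification for step 6 (example code, not Microsoft's or the course's): it reads the sensor state the onboarding script leaves in the registry and, once the device is onboarded, launches the detection test Microsoft documents on the onboarding page so an alert appears for this device in the portal. It assumes an elevated PowerShell session on the Windows VM; the test folder and command line are taken from that documented test.

```powershell
# Added example, not from the original guide. Run elevated on the Windows VM
# after executing the downloaded onboarding script.
$statusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
$sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the MDE sensor service

# OnboardingState is written by the onboarding script: 1 = onboarded.
$props = if (Test-Path $statusKey) { Get-ItemProperty -Path $statusKey } else { $null }
[pscustomobject]@{
    SenseService    = if ($sense) { $sense.Status } else { "not installed" }
    OnboardingState = $props.OnboardingState
    OrgId           = $props.OrgId
    SenseId         = $props.SenseId
}

if (-not $sense -or $sense.Status -ne "Running" -or $props.OnboardingState -ne 1) {
    Write-Warning "Not onboarded yet. Re-run WindowsDefenderATPLocalOnboardingScript.cmd as Administrator and wait a few minutes."
    return
}

# Microsoft's documented detection test: a harmless download-and-run attempt
# that the sensor flags. The device then shows an alert in Incidents & alerts
# within a few minutes, which proves the telemetry path end to end.
New-Item -ItemType Directory -Path "C:\test-WDATP-test" -Force | Out-Null
$testArgs = @'
-NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
'@
Start-Process -FilePath "powershell.exe" -ArgumentList $testArgs
"Detection test launched for $env:COMPUTERNAME. Check security.microsoft.com → Incidents & alerts."
```

The download is to 127.0.0.1 and fails by design; the alert comes from the command-line pattern and the file path, not from anything actually executing. The hidden PowerShell window stays open because of -NoExit; close it from Task Manager if it bothers you.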

Layer 3 — Azure Subscription with Sentinel

Step 1: Activate Azure free subscription

  1. Go to azure.microsoft.com/en-us/free
  2. Sign in with the same Microsoft account you used for the developer tenant
  3. Complete the sign-up (requires a credit card for verification — you will not be charged within the free tier)
  4. You get $200 credit for 30 days plus 12 months of free services

Step 2: Create a Log Analytics workspace

Azure Portal → Create a resource → search "Log Analytics workspace"
→ Create
→ Resource group: Create new → "rg-security-lab"
→ Name: "law-security-lab"
→ Region: UK South (or your nearest region)
→ Review + Create → Create

Step 3: Enable Microsoft Sentinel

Azure Portal → search "Microsoft Sentinel"
→ Create → Select "law-security-lab" workspace
→ Add

Step 4: Connect data sources

In Sentinel → Data connectors (in the current portal, install the “Microsoft Defender XDR”, “Microsoft Entra ID”, and “Microsoft 365” solutions from Content hub first; their connectors then appear under Data connectors):

  1. Microsoft 365 Defender — Connect. This brings in MDE alerts, MDO alerts, and Defender XDR incidents
  2. Microsoft Entra ID — Connect. Enable: Sign-in logs, Audit logs, Non-interactive sign-in logs, Service principal sign-in logs, Managed identity sign-in logs, Provisioning logs
  3. Microsoft 365 — Connect. Enable: Exchange, SharePoint, Teams

Each connector takes 5–15 minutes to start ingesting data. After 24 hours you will have sign-in logs, audit events, and mailbox activity from your sample users flowing into Sentinel.

Step 5: Verify data ingestion

Open Sentinel → Logs (or go directly to the Log Analytics workspace → Logs) and run:

SigninLogs
| where TimeGenerated > ago(24h)
| summarize count() by ResultType
| order by count_ desc

If this returns results, your Entra ID connector is working. If it returns nothing, wait 24 hours for the initial ingestion to complete.

For Defender events:

AlertInfo
| where TimeGenerated > ago(7d)
| summarize count() by Title

Free tier limits: A new Log Analytics workspace includes 5 GB/day of free ingestion for its first 31 days (Sentinel adds its own 31-day trial allowance), then moves to pay-as-you-go. A developer tenant with 16 sample users generates roughly 50–200 MB/day. Part of that is never billed: Defender XDR alerts and incidents (SecurityAlert, SecurityIncident) and Office 365 audit data (OfficeActivity) are free data sources in Sentinel, while Entra ID SigninLogs and AuditLogs are billable. Monitor the billable part with:

Usage
| where TimeGenerated > ago(1d) and IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024, 3) by DataType   // Quantity is in MB
| order by BillableGB desc
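An added example (not from the original guide) that runs the same ingestion check from PowerShell against the lab workspace, so you can schedule it or drop it into a daily notebook. It assumes the Az.Accounts and Az.OperationalInsights modules are installed (Install-Module Az) and takes the workspace ID shown on the law-security-lab overview blade; the 1 GB/day warning threshold is our own choice.

```powershell
# Added example, not from the original guide. Requires the Az modules and a
# signed-in Azure account with Log Analytics Reader on the workspace.
$WorkspaceId   = "00000000-0000-0000-0000-000000000000"   # placeholder: workspace ID of law-security-lab
$WarnGbPerDay  = 1.0                                      # our own threshold; lab volume is far below this

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# Usage rows are hourly aggregates in MB; IsBillable separates free data types
# (SecurityAlert, OfficeActivity, ...) from ones you pay for (SigninLogs, ...).
$kql = @'
Usage
| where TimeGenerated > ago(1d) and IsBillable == true
| summarize GB = round(sum(Quantity) / 1024, 3) by DataType
| order by GB desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = $response.Results | ForEach-Object {
    [pscustomobject]@{ Table = $_.DataType; GB = [double]$_.GB }
}
$rows | Format-Table -AutoSize

$total = ($rows | Measure-Object -Property GB -Sum).Sum
"Billable ingestion, last 24h: $total GB"

# A single noisy table (a mis-scoped connector, a chatty test) is how lab bills
# surprise people; flag anything above the threshold so you look at it today.
foreach ($r in ($rows | Where-Object { $_.GB -gt $WarnGbPerDay })) {
    Write-Warning ("{0} ingested {1} GB in 24h; check its connector or add a table-level filter" -f $r.Table, $r.GB)
}
```

Pair this with a Cost Management budget alert on the subscription; the query tells you which table is growing, the budget tells you before the invoice does.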

Layer 4 — Forensic and Security Toolchain

Install tools into the appropriate VM based on which courses you are taking.

Windows VM tools

KAPE (Kroll Artifact Parser and Extractor) Used in: Practical IR, Incident Triage, Endpoint Security

  1. Go to kroll.com/en/services/cyber-risk/kape and request the download (free, requires registration)
  2. Extract to C:\Tools\KAPE\
  3. Verify: C:\Tools\KAPE\kape.exe --help

Eric Zimmerman Tools Used in: Practical IR, Incident Triage

  1. Go to ericzimmerman.github.io
  2. Download the “Get-ZimmermanTools” zip and extract the PowerShell script (the tools need the .NET runtime version listed on that page; install it first)
  3. Run: .\Get-ZimmermanTools.ps1 -Dest C:\Tools\EZTools
  4. This downloads all tools: EvtxECmd, RECmd, PECmd, MFTECmd, AmcacheParser, ShellBags Explorer, Timeline Explorer, and more

Sysmon Used in: Endpoint Security, SOC Operations

  1. Download from learn.microsoft.com/en-us/sysinternals/downloads/sysmon
  2. Extract to C:\Tools\Sysmon\
  3. Download the SwiftOnSecurity config: github.com/SwiftOnSecurity/sysmon-config
  4. Install: sysmon64.exe -accepteula -i sysmonconfig-export.xml
  5. Verify: Get-Service Sysmon64 should show Running

For the Endpoint Security course, use the NE-tuned Sysmon config from the lab pack instead of the default SwiftOnSecurity config.
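An added example (not part of the original guide) to confirm Sysmon is actually writing events and to read the fields an analyst pivots on. It assumes the elevated session on the Windows VM and the C:\Tools\Sysmon path from step 2; the event-name map is our own shorthand for the Sysmon event IDs.

```powershell
# Added example, not from the original guide. Run elevated after installing
# Sysmon with the SwiftOnSecurity (or course) configuration.
$log = "Microsoft-Windows-Sysmon/Operational"

# Service present and running; -c prints the loaded configuration (first lines shown).
Get-Service -Name Sysmon64 | Select-Object Name, Status
& "C:\Tools\Sysmon\sysmon64.exe" -c | Select-Object -First 8

# Generate known activity: a process creation (ID 1) and a DNS query (ID 22),
# both of which the SwiftOnSecurity config typically records.
Start-Process -FilePath "cmd.exe" -ArgumentList "/c whoami" -WindowStyle Hidden -Wait
Resolve-DnsName -Name "example.com" -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2

# Event-ID breakdown of the most recent 500 records. A log with only ID 1 and 3
# usually means the config was not applied (sysmon64 -i without the XML).
$names = @{ 1 = "ProcessCreate"; 3 = "NetworkConnect"; 7 = "ImageLoad"; 10 = "ProcessAccess"
            11 = "FileCreate"; 12 = "RegistryAdd/Delete"; 13 = "RegistrySet"; 22 = "DnsQuery" }
Get-WinEvent -LogName $log -MaxEvents 500 |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = "Id"; e = { $_.Name } }, @{ n = "Event"; e = { $names[[int]$_.Name] } }, Count |
    Format-Table -AutoSize

# Pull the investigation fields from the latest ProcessCreate events. Sysmon
# stores them as named EventData elements, so read the XML rather than Message.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 5 | ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = ($d | Where-Object Name -eq "Image").'#text'
        CommandLine = ($d | Where-Object Name -eq "CommandLine").'#text'
        ParentImage = ($d | Where-Object Name -eq "ParentImage").'#text'
        User        = ($d | Where-Object Name -eq "User").'#text'
    }
} | Format-List
```

You should see the cmd.exe /c whoami launch with its parent as the PowerShell process you ran this from; that parent-child pair is exactly what the Endpoint Security detections later key on.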

Sysinternals Suite Used in: Practical IR, Incident Triage, Endpoint Security

  1. Download from learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
  2. Extract to C:\Tools\Sysinternals\
  3. Add to PATH from an elevated PowerShell, reading the machine-scope value first so you do not copy user-scope entries into it: $p = [Environment]::GetEnvironmentVariable("Path", "Machine"); [Environment]::SetEnvironmentVariable("Path", "$p;C:\Tools\Sysinternals", "Machine")
  4. Open a new shell afterwards; sessions already running keep the old PATH

Velociraptor Used in: Practical IR, Incident Triage, Endpoint Security

  1. Go to github.com/Velocidex/velociraptor/releases
  2. Download the Windows executable (velociraptor-v<version>-windows-amd64.exe) to C:\Tools\Velociraptor\
  3. For a single-machine lab, run it in self-contained mode from an elevated prompt: velociraptor.exe gui. This generates a server and client configuration, starts both in one process, and opens the web UI
  4. The web UI is at https://127.0.0.1:8889 (default). The MSI in the same release is a client-only installer that expects a client configuration generated from an existing server, so use it only when enrolling a second VM into a server you already run

WinPMem (memory acquisition) Used in: Practical IR, Incident Triage

  1. Go to github.com/Velocidex/WinPmem/releases
  2. Download winpmem_mini_x64.exe
  3. Save to C:\Tools\Memory\
  4. Acquire memory: winpmem_mini_x64.exe memdump.raw (run as Administrator)

Volatility 3 Used in: Practical IR, Incident Triage

# Install Python 3.10+ first if not already installed (python.org; tick "Add to PATH")
# Then:
pip install volatility3
vol --help
# Windows symbol tables are fetched from Microsoft's symbol server on first use of a Windows plugin
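An added end-to-end example for the WinPMem and Volatility 3 steps above (not from the original guide): acquire, hash, triage, re-hash. It assumes an elevated PowerShell session, the C:\Tools\Memory path from the WinPMem step, vol on PATH from the pip install, and a case folder under C:\Cases, which is our own convention.

```powershell
# Added example, not from the original guide. Run elevated on the Windows VM.
$case    = "C:\Cases\LAB-WIN11-$(Get-Date -Format yyyyMMdd-HHmm)"   # our own case layout
$winpmem = "C:\Tools\Memory\winpmem_mini_x64.exe"
$dump    = Join-Path $case "memdump.raw"
New-Item -ItemType Directory -Path $case -Force | Out-Null

# Acquire. The image is roughly the size of RAM, so keep the case folder on a
# disk with room, and leave the VM idle so the snapshot is as consistent as possible.
& $winpmem $dump
if (-not (Test-Path $dump)) {
    throw "Acquisition failed. Run elevated; if Core isolation (Memory Integrity) is on in this VM it may block the driver."
}

# Hash immediately and record it next to the acquisition context. This is the
# value you cite for evidence integrity in the report, so capture it before
# any tool touches the file.
$hash = Get-FileHash -Path $dump -Algorithm SHA256
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Acquired  = (Get-Date).ToString("o")
    Tool      = Split-Path $winpmem -Leaf
    Image     = $dump
    SizeBytes = (Get-Item $dump).Length
    SHA256    = $hash.Hash
} | ConvertTo-Json | Set-Content (Join-Path $case "acquisition.json")

# First-pass triage with Volatility 3. windows.info confirms the kernel and
# symbols resolved; pslist and cmdline give the first picture of what ran.
& vol -f $dump windows.info
& vol -f $dump windows.pslist  | Tee-Object (Join-Path $case "pslist.txt")
& vol -f $dump windows.cmdline | Tee-Object (Join-Path $case "cmdline.txt")

# Re-verify before closing the case: the image must still match the recorded hash.
$intact = (Get-FileHash -Path $dump -Algorithm SHA256).Hash -eq $hash.Hash
"Image integrity re-check: $intact"
```

If windows.info fails to find a symbol table, the VM's kernel build is not yet in Microsoft's symbol server cache that Volatility uses; rerun after a few minutes with internet access, since the symbols download on first use.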

OSQuery Used in: Endpoint Security

  1. Go to osquery.io/downloads
  2. Download the Windows MSI
  3. Install — the service starts automatically
  4. Interactive mode: osqueryi.exe

Ubuntu VM tools

Volatility 3 Used in: Practical Linux IR

sudo apt install -y python3-pip python3-venv
python3 -m venv ~/volatility3-env
source ~/volatility3-env/bin/activate
pip install volatility3
vol --help

Unlike Windows, Linux memory analysis needs a symbol table (an ISF JSON file) for the exact kernel build of the image, and Volatility's symbol repository does not carry every Ubuntu kernel. For your own VM you will usually generate one with dwarf2json from the matching debug kernel package (linux-image-$(uname -r)-dbgsym from ddebs.ubuntu.com) and point vol at its directory with -s. Do this once per kernel version before you capture with LiME, and remember that apt upgrade can change the kernel.

Sleuth Kit Used in: Practical Linux IR

sudo apt install -y sleuthkit
mmls -V   # prints the version; mmls, fls, icat and the other TSK tools are now on PATH

LiME (Linux Memory Extractor) Used in: Practical Linux IR, Incident Triage

sudo apt install -y build-essential linux-headers-$(uname -r)
git clone https://github.com/504ensicsLabs/LiME.git
cd LiME/src
make
ls -l lime-$(uname -r).ko   # the module is built for this exact kernel; rebuild after any kernel update

# Capture memory (the file is roughly the size of RAM, so write it somewhere with room):
# sudo insmod ./lime-$(uname -r).ko "path=/tmp/memdump.lime format=lime"
# sudo rmmod lime   # unload once the capture completes

The module is unsigned, so it will not load if the VM boots with UEFI Secure Boot enabled (insmod reports “Key was rejected by service”). Either disable Secure Boot in the VM's firmware settings or sign the module with your own enrolled key.

Sysmon for Linux Used in: Endpoint Security (ES13)

wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install -y sysmonforlinux
# Install with the default configuration (pass a config XML after -i to use your own)
sudo sysmon -accepteula -i
# Verify: events go to syslog; with journald only, read them by tag
sudo journalctl -t sysmon -n 5

Velociraptor Used in: Practical Linux IR, Incident Triage

# Download the latest Linux binary from GitHub releases. Check the releases page for the
# current asset name: the release tag (v0.73) and the file version (v0.73.3) differ.
wget https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.3-linux-amd64
chmod +x velociraptor-*
sudo mv velociraptor-* /usr/local/bin/velociraptor
velociraptor version
# Standalone lab server with the web UI on https://127.0.0.1:8889:
# sudo velociraptor gui

Log analysis tools (already installed on most Ubuntu systems)

# These should already be available:
grep --version
awk --version
journalctl --version

# Install if missing:
sudo apt install -y gawk

Post-Setup Checklist

Run through this checklist to confirm everything is ready:

Layer 1 — VMs

  • VMware Workstation Pro installed and running
  • Windows 11 VM boots successfully
  • Ubuntu VM boots successfully
  • Both VMs have internet access (ping google.com)
  • Both VMs can reach each other (ping by IP)
  • Clean snapshots taken on both VMs

Layer 2 — M365 Tenant

  • Developer tenant created with admin credentials saved
  • Sample users visible in Entra ID
  • Can sign into security.microsoft.com
  • Defender for Endpoint advanced features enabled
  • Audit logging enabled

Layer 3 — Sentinel

  • Azure subscription active
  • Log Analytics workspace created
  • Sentinel enabled on workspace
  • Data connectors configured (M365 Defender, Entra ID, M365)
  • SigninLogs returning data in Logs query

Layer 4 — Tools (Windows)

  • KAPE extracted and runnable
  • EZ Tools downloaded (Timeline Explorer, EvtxECmd, etc.)
  • Sysmon installed and running
  • Sysinternals available in PATH
  • Velociraptor installed (if needed)
  • Volatility 3 installed (if needed)
  • WinPMem available (if needed)

Layer 4 — Tools (Ubuntu)

  • Volatility 3 installed in venv (if needed)
  • Sleuth Kit installed (if needed)
  • LiME compiled (if needed)

Maintenance

Windows VM evaluation expiry: The 90-day evaluation expires. Options: revert to clean snapshot and repeat setup, rearm with slmgr /rearm (once), or rebuild. Reverting to snapshot is fastest.

M365 developer tenant renewal: The tenant auto-renews if you use it and expires after 90 days without activity. Sign in and run a query at least once every 60 days.

Azure free credits: The $200 credit expires after 30 days, and the workspace's 31-day free ingestion allowance ends at about the same time. After that you are on pay-as-you-go. At this lab's 50–200 MB/day, of which only the Entra ID sign-in and audit logs are billable (Defender XDR alerts and Office 365 audit data are free data sources), the bill is a few dollars a month. Set a budget alert in Cost Management so a misconfigured connector cannot surprise you.

Tool updates: Check for KAPE, EZ Tools, Sysmon, and Velociraptor updates quarterly. Eric Zimmerman publishes tool updates frequently — re-run Get-ZimmermanTools.ps1 to get the latest versions.

Snapshots: Take snapshots before installing major tools or making configuration changes. Name them descriptively: “Post-Sysmon-Install,” “Pre-Lab-Exercise-3.” Snapshots are your undo button.


What to do next

Your lab is ready. Pick your starting course:

New to security operations? Start with Mastering KQL — the KQL skills transfer to every other course.

SOC analyst building detection capability? Start with Detection Engineering — build your first production detection rules.

Investigating incidents? Start with Practical IR — follow the adversary across the hybrid stack.

Engineering the endpoint stack? Start with Endpoint Security Engineering — build the foundation everything else depends on.

First responder handling alerts? Start with Incident Triage — the first 60 minutes of every incident.

Every course’s free modules (Module 0 and Module 1) are accessible without an account. Start reading now.