Azure Security Lab Project

Overview
This project was about getting started with Microsoft cloud security tools using a single virtual machine in Azure. The goal was simple: spin up a VM, connect it to Microsoft Defender and Microsoft Sentinel, and see how telemetry flows into the cloud. This served as a launch pad for learning the basics of Azure’s security stack without building a full-scale environment.
Key points:
- One VM hosted in Azure with basic hardening.
- Defender for Cloud enabled for monitoring.
- Log Analytics workspace created to collect data.
- Microsoft Sentinel connected to visualize and respond to alerts.
Skills Gained
This project gave me beginner-level exposure to:
- Azure VM provisioning and applying security options like NSGs and disk encryption.
- Microsoft Defender onboarding for endpoint and cloud monitoring.
- Log Analytics setup and validation of telemetry ingestion.
- Sentinel basics: connecting a data source, enabling default rules, and exploring workbooks.
- Security visibility concepts: how endpoint activity becomes log data, alerts, and dashboards.
Walkthrough
1. Setting Up the VM
- Created a small Windows Server VM in its own resource group.
- Applied a Network Security Group that only allowed RDP from my IP.
- Enabled platform encryption and updated the OS right after deployment.
- Disabled unnecessary services and required strong local admin credentials.
2. Defender for Cloud
- Turned on Microsoft Defender for Cloud at the subscription level.
- Onboarded the VM to Defender, which gave security recommendations and real-time monitoring.
- Verified that alerts and posture checks were flowing to the Azure portal.
3. Log Analytics Workspace
- Created a Log Analytics workspace and connected the VM through the monitoring agent.
- Checked that Windows security events and performance logs were showing up.
- Tuned the data collection to keep things cost-effective.
4. Microsoft Sentinel
- Enabled Sentinel and attached it to the Log Analytics workspace.
- Turned on a few default analytic rules to trigger on suspicious logins and RDP attempts.
- Explored workbooks to visualize event trends and alerts.
- Created a simple alert-to-email notification to test automated response.
5. Testing the Setup
- Generated basic test events (failed logins, service restarts) and confirmed they appeared in Sentinel.
- Practiced using KQL (Kusto Query Language) for simple queries like failed logins by username.
- Walked through the incident page to see how Sentinel groups related alerts into incidents.
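As an added example (not part of the original lab notes), this is the kind of KQL query the failed-login test in step 5 calls for: it counts Event ID 4625 failures per target account and source IP in one-hour windows and surfaces the noisy pairs, which is also the shape of the built-in RDP/brute-force rules enabled in step 4. It assumes the Windows Security Events connector lands in the SecurityEvent table; the 24h lookback and threshold of 5 are my own choices for a lab.

```kql
// Failed Windows logons (Event ID 4625) from the lab VM, grouped per
// target account and source IP in 1-hour windows. Table and column names
// are those of the SecurityEvent table written by the Windows Security
// Events connector; lookback and threshold are assumed lab values.
let lookback = 24h;
let threshold = 5;          // failures per account/IP/hour before we flag it
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625     // "An account failed to log on"
| summarize
    FailedCount = count(),
    LogonTypes  = make_set(LogonType),   // 10 = RemoteInteractive (RDP), 3 = Network
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by bin(TimeGenerated, 1h), Computer, TargetAccount, IpAddress
| where FailedCount >= threshold
| project TimeGenerated, Computer, TargetAccount, IpAddress,
          FailedCount, LogonTypes, FirstSeen, LastSeen
| order by FailedCount desc
```

Dropping the `where FailedCount >= threshold` line turns it back into the plain "failed logins by username" listing used to confirm that the test events arrived.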
Closing Thoughts
This was a small but valuable project. By using just one VM, I got comfortable with the workflow of Defender and Sentinel from log collection to alerting. It’s not a production setup, but it gave me the foundation to start exploring Microsoft’s cloud security tools with confidence. From here, the lab can be expanded with more VMs, simulated attacks, and custom playbooks. I plan on creating a more vulnerable VM and exposing it to the internet so I can collect basic telemetry and better learn how to identify and analyze malicious traffic.