Azure Cloud SOC Lab

Microsoft Sentinel | Microsoft Defender XDR | Active Directory Attack Simulation

Azure SOC Lab – Full Walkthrough

Overview

This project demonstrates the design and deployment of a cloud-based Security Operations Center (SOC) in Microsoft Azure. The lab simulates a real enterprise security monitoring environment using Microsoft Sentinel and Defender XDR to detect and investigate security events generated from Active Directory and Windows endpoints.

The environment includes a domain controller, domain-joined client machines, log ingestion through the Azure Monitor Agent, security analytics using KQL, and automated incident response through Sentinel playbooks.

Lab Architecture

Components

  • Azure Virtual Network
  • Active Directory Domain Controller (DC01)
  • Windows 10 Client (WIN10)
  • Microsoft Sentinel (SIEM)
  • Microsoft Defender for Endpoint
  • Azure Monitor Agent
  • Log Analytics Workspace
  • Sentinel Analytics Rules
  • Logic App Playbooks

Network

  • Virtual Network
  • Subnet: 172.16.0.0/24
  • DC01 – Domain Controller
  • WIN10 – Domain Joined Endpoint

Lab 1 – Active Directory Deployment

Objective: Build a working Active Directory environment in Azure.

  • Created Azure resource group SOC-LAB-RG
  • Deployed Windows Server 2022 VM (DC01)
  • Configured Active Directory Domain Services
  • Configured DNS server
  • Created domain soclab.local
  • Joined Windows 10 VM to domain

Lab 2 – Domain Authentication & Security Auditing

Objective: Enable Windows audit logging for monitoring security activity.

  • Configured Advanced Audit Policies
  • Logon event monitoring
  • Account management tracking
  • Process creation auditing
  • Kerberos authentication monitoring

Important Event IDs

  • 4624 – Successful logon
  • 4625 – Failed logon
  • 4634 – Logoff
  • 4688 – Process creation
  • 4720–4738 – Account management

Lab 3 – Log Collection with Microsoft Sentinel

  • Created Log Analytics Workspace
  • Connected Microsoft Sentinel
  • Installed Azure Monitor Agent on endpoints
  • Configured Data Collection Rule

Verified agent connectivity and log ingestion with KQL:

Heartbeat | sort by TimeGenerated desc

SecurityEvent | sort by TimeGenerated desc

Lab 4 – Simulated Attack (Brute Force)

Multiple invalid RDP login attempts generated Windows Event ID 4625.

SecurityEvent
| where EventID == 4625
| sort by TimeGenerated desc

Lab 5 – Sentinel Detection Rule

SecurityEvent
| where EventID == 4625
| summarize FailedAttempts = count() by TargetUserName, IpAddress, Computer, bin(TimeGenerated, 5m)
| where FailedAttempts >= 5

MITRE ATT&CK: Credential Access – Brute Force
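The same aggregation the Lab 5 rule performs (filter to 4625, count by user, source IP, host and 5-minute bin, alert at 5 or more), re-implemented in Python over constructed sample records so the threshold and binning can be exercised offline. This is an added example, not part of the lab or of Sentinel; the records, user names and addresses are made up.

```python
from collections import Counter
from datetime import datetime, timezone

FIELDS = ("TimeGenerated", "EventID", "TargetUserName", "IpAddress", "Computer")

def _ev(ts, event_id, user, ip, computer="DC01.soclab.local"):
    """Build one SecurityEvent-like record (constructed sample, not lab telemetry)."""
    return dict(zip(FIELDS, (ts, event_id, user, ip, computer)))

# Constructed sample: a 6-attempt burst inside one 5-minute bin, a 7th attempt
# in the next bin, an unrelated single failure, and one successful logon.
SAMPLE_EVENTS = (
    [_ev(f"2024-05-01T10:00:{s:02d}Z", 4625, "jdoe", "203.0.113.7") for s in (5, 12, 19, 26, 33, 40)]
    + [
        _ev("2024-05-01T10:06:02Z", 4625, "jdoe", "203.0.113.7"),         # lands in the 10:05 bin
        _ev("2024-05-01T10:01:10Z", 4625, "svc_backup", "198.51.100.9"),  # single failure, below threshold
        _ev("2024-05-01T10:02:00Z", 4624, "jdoe", "203.0.113.7"),         # success: not a 4625, ignored
    ]
)

def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample as UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bin_start(ts: datetime, minutes: int) -> datetime:
    """Floor ts to the start of its fixed-width bin, like KQL bin(TimeGenerated, Nm)."""
    width = minutes * 60
    seconds = int(ts.timestamp())
    return datetime.fromtimestamp(seconds - seconds % width, tz=timezone.utc)

def detect_brute_force(events, threshold: int = 5, minutes: int = 5):
    """Return one hit per (user, source IP, host, bin) with >= threshold failed logons."""
    counts = Counter()
    for ev in events:
        if ev["EventID"] != 4625:                     # | where EventID == 4625
            continue
        key = (ev["TargetUserName"], ev["IpAddress"], ev["Computer"],
               bin_start(parse_ts(ev["TimeGenerated"]), minutes))
        counts[key] += 1                              # | summarize count() by ...
    hits = []
    for (user, ip, host, start), n in counts.items():
        if n >= threshold:                            # | where FailedAttempts >= 5
            hits.append({"TargetUserName": user, "IpAddress": ip, "Computer": host,
                         "TimeGenerated": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "FailedAttempts": n})
    return sorted(hits, key=lambda h: (h["TimeGenerated"], h["TargetUserName"]))

if __name__ == "__main__":
    for hit in detect_brute_force(SAMPLE_EVENTS):
        print(hit)
```

Only the six-attempt burst in the 10:00 bin fires; the seventh attempt at 10:06 falls into the next bin, which is the behaviour of a fixed bin() window rather than a sliding one.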

Lab 6 – Incident Investigation

  • Opened Sentinel incident
  • Investigated user, host, and IP entities
  • Pivoted to Microsoft Defender timeline

Lab 7 – Automated Response (Playbooks)

  • Created Logic App playbook
  • Trigger: Sentinel alert generated
  • Action: Email notification

Lab 8 – Threat Hunting with KQL

SecurityEvent
| where EventID == 4625
| summarize Attempts = count() by TargetUserName

Key Skills Demonstrated

  • Cloud SOC Architecture
  • Microsoft Sentinel SIEM
  • Active Directory Security Monitoring
  • KQL Threat Hunting
  • Detection Engineering
  • Incident Investigation
  • Security Automation

Final Outcome

  • Complete cloud SOC environment deployed
  • Endpoints onboarded to Microsoft Defender
  • Security logs ingested into Sentinel
  • Detection rules triggered incidents
  • Automated response playbooks executed