Site icon

Implementing Microsoft Sentinel and Two simulated threats from scratch! Then see Sentinel in action!

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

What is in this article:




What is this about?

This is a simple and very objective cookbook-style document. The goal is to make you implement a security solution using Azure and M365 Defender to avoid some threats against your IT environment.

This document will guide you from scratch, and the only prerequisite is to have a computer with an internet browser connected to the internet.


What is this NOT about?

This is not intended to replace any Microsoft official document already published.

This is not a hackathon. This is not a Microsoft official lab.

This is not an automated solution based on any available script language such as ARM Template or Biceps.



This instructions guide will make you understand every step in the Security journey by implementing Azure, Microsoft Sentinel, Log Analytics, Microsoft Entra, and Microsoft Defender for Endpoint (EDR).

You can test your security implementation effectiveness through two different simulated attacks, also explained step by step.



We will implement a simple IT Environment to be used to be attacked, then we will implement the Security solutions to avoid and mitigate the attacks, and we will run the simulated attacks. All those implementations will require zero cost, we will use all trial-based licenses for Azure, Sentinel, and Microsoft Defender for Endpoint and for the simulated attacks.




Understanding the Environment


The diagram below represents a common IT solution that contains a hybrid environment and some basic components, such as Virtual Machines. It also contains some Security solutions provided by Microsoft. We will use part of this environment to explain the attacks we will build in this guide and what Microsoft security solutions we will consider to avoid those attacks and capture them as Incidents.



In this guide, we will implement:


  1. Azure subscription, where we will run Security services + two Virtual Machines for our tests.


  1. Log Analytics, the log repository.


  1. Microsoft Sentinel, the Microsoft SIEM solution, is running in the cloud.


  1. Microsoft Defender for Cloud, a security solution to review Security recommendations.


  1. Microsoft Entra includes Entra ID (rebranded name for Azure AD tenant) + Entra Identity Protection.


  1. Microsoft Defender for Endpoint (EDR), part of M365 Defender. It offers protection to endpoints (VMs, Servers, workstations), through the portal “”.


  1. Virtual Machines. It will have two VMs. One to be attacked and one to be used by the two simulated attacks.


  1. Threat Actor (Simulated attacks). This bad actor will be using one of the VMs running on Azure.



1. Azure Subscription


To create our Azure subscription, you will need to create a new Microsoft account.


STEP 1 – Create your email account (Microsoft account)

  1. Using your internet browser, go to:
  2. Click on “Create a free account.”
  3. Follow all the steps until you have your brand-new Microsoft account.


NOTE: we are doing this, so you run a totally isolated environment that will not require any of your company credentials.


STEP 2 – Create your Azure (free) subscription

  1. Go to this link:
  2. click on the “Start free” button.
  3. sign in with the account you created in step 1.
  4. Fill out all the fields.


a. You will be asked for a cell phone number to which you must access.

b. You will be asked for credit card information.

c. If you were asked for technical support, select the option “no technical support.”

d. If you prefer, you may try an MSDN Azure subscription through this link: and select one of the free Azure subscriptions available


  1. Once the Azure subscription is created, you will be asked to sign in. Use the account created during step 1.
  2. You will have access to the “quick start center” screen. You may close that screen unless you want to follow some of the information provided.
  3. You are in the Azure! You must have a screen like this below.




2. Log Analytics


STEP 1 – create Log Analytics

Log Analytics is mandatory to have Microsoft Sentinel. It holds all the logs ingested used by Sentinel.


  1. In your Azure subscription, go to the search bar at the top of the screen, and search for “Log Analytics workspaces.”
  2. Click on it. Then, click on the button “Create log analytics workspaces.”
  3. In the following screen, click on “Create new” under “Resource group” and give a name. E.g., “securityRG”
  4. Under “instance details,” give a name to your Log Analytics (e.g., yournameLAW)
  5. Select a region. Ex.: East US
  6. Click on “review and create,” then “create.” (it takes a few seconds to complete)



3. Microsoft Sentinel


STEP 1 – create Microsoft Sentinel

Sentinel is the Microsoft SIEM and SOAR (Automation Solution for Incident Response). It runs on top of Log Analytics. No Servers or Storage are required!


  1. In the search box at the top of the screen, search for “Sentinel.” Find it and click on it.
  2. Click on the button “Create Microsoft Sentinel.”
  3. It will show you the Log Analytics that you have just created. Just select it and click on “Add.”


NOTE: don’t click on “Create a new workspace.”


  1. Now you have a Sentinel provisioned with all features! You will have 31 days of a free trial to use Sentinel. Plus, 90 days of log retention with no cost as well.

NOTE: Currently, you have a full Sentinel solution, however, with no logs to work with.




4. Microsoft Defender for Cloud (MDC)


STEP 1 – create Microsoft Defender for Cloud


  1. Microsoft Defender for Cloud is already presented and installed in any Azure subscription. You need to access it.
  2. Go to the three lines in the upper left corner, click on it, and search for “Microsoft Defender for Cloud.”
  3. Click on it, and you will have the solution open. You will want to click on the “Upgrade” button to have a full paid solution (not in the scope of this document), OR you may click on “Skip”, and then have the free tier of the solution, which includes “Recommendations” (see in the left menu)




5. Microsoft Entra


Entra is the new name for the solution that delivers Azure AD Tenant (now called Entra ID) and all the Security services available with Entra, including the free and paid versions.

  1. To access Entra, you may open a new browser and go to:
  2. Sign in with the account user created in this document.
  3. Let’s take the opportunity to create three users we will use during our simulated tests.
  4. Under “Identity,” click on “users,” then “all users.”
  5. Click “New user,” then “Create a new user.”
  6. Call this new user as “admin, as shown in the screen below:


  1. Provide a password. Let all the options be seen on the screen above.
  2. In the next step, “properties,” fill out the field “usage location” at the bottom of the screen.
  3. In the next step, “assignments,” click on “add role” and provide the role of “Global Administrator.”
  4. Click on “Review + Create,” then “Create.”
  5. It will be quick! Then, click on “refresh” to see your new user created.
  6. Repeat the steps from 5 to 10 to create another user called “torbrowser”



Acquiring a free trial license for Entra ID Protection


STEP 1 – get a free trial for Entra ID Protection (aka Azure AD Premium P2)

  1. In your Azure portal (, search for “Azure Active Directory”
  2. In the left menu, click on “Licenses.”
  3. Then, click on “All products” in the left menu
  4. Click on “Try/Buy”
  5. In the right menu, click on the “Activate” button under the “Azure AD Premium P2” option (in blue)


  1. It will take a few minutes, so the license appears on the Azure Active Directory page or Entra portal.
  2. After that, you must go again to the “” portal.
  3. Go to “users,” then “active users,” click on the user called admin@yourtenant..., then in the screen that will appear on the right, click on “licenses and apps”.
  4. You will see the Azure Active Directory Premium P2 license (trial)
  5. Select it. In this way, you will have an admin user with the P2 license.
  6. Click “save changes.”


  1. To confirm that everything worked fine, go to “” … if there is any user signed in, you must sign him out.
  2. Sign in again with the user "admin@yourtenant..."
  1. Go to “Identity” in the left menu, then click “overview”.
  2. In the center screen, under “license,” you will have to see “Azure AD Premium P2”

NOTE: This will be required for our simulated attack.




6. Microsoft Defender for Endpoint


  1. In your Internet browser, go to “”
  2. Sign in with your recently created user on Entra, called (replace “yourentraIDtenant” with the name you have in your tenant)

NOTE: it will ask you to update your password, as this is the first time you will sign in with your new user. (This is not the user you created on Hotmail!!!)


  1. In the Admin center portal, go to “Purchase services” under “Billing,” OR, if you can’t find this option, you will see “Marketplace.”

NOTE: It may take a few minutes to load this page with all the services fully.


  1. In the search field on the right of your screen, search for “defender for endpoint.”


  1. In the result, search for “Microsoft Defender for Endpoint P2 trial”. Click on the button “Details.”
  2. Then, click the “Start a free trial” button

NOTE: This trial will only test integration between MDE and Sentinel. If you get any error in getting the trial, you may skip this step and keep working with the following steps.




7. Virtual Machines (to be used during threat simulation)


We will create two VMs on Azure. One with Windows Server 2019 and another with Windows 10/11.


Windows Server VM

  1. Go to “” and search for “Virtual Machines”
  2. Click on “Create”, then “virtual machine.”
  3. In the tab “basics”:
    1. Create a new resource group
    2. Add a name to your VM
    3. Select the region
    4. Click on “image” and select “windows server 2019 datacenter.”
    5. On “size,” click on “see all sizes,” and choose “B2S”
    6. Under “administrator account”, provide the name and password for the VM OS local user
    7. Leave all the other fields as the default
  4. Under the “disks” tab
    1. Only change the “os disk type” to “standard HDD” and leave all the rest as default.
  5. Under the “Networking” tab
    1. In the first field, “virtual network”, click on “create new” and add a name for your VNET
    2. Check the box “delete public IP and NIC when VM is deleted
    3. Leave all the rest as default
  6. Under the “management” tab
    1. Check the box “auto-shutdown.”
    2. Leave all the rest as default.
  7. Under Monitoring
    1. Set “Diagnostics” as “disabled.”
  8. Skip all other tabs
  9. Then, finally, click on the “Create” button


Windows Client VM

  1. Go to “” and search for “Virtual Machines”
  2. Click on “Create”, “virtual machine.”
  3. In the tab “basics”:
    1. Use the same Resource Group you used to create the Windows Server VM
    2. Add a name to your VM
    3. Select the region
    4. Click on “image” and select “Windows 10 Enterprise version 21H2” (or any other you prefer)
    5. On “size”, click on “see all sizes”, and choose “B2S”
    6. Under “administrator account”, provide the name and password for the VM OS local user
    7. Leave all the other fields as the default
  4. Under the “disks” tab
    1. Only change the “os disk type” to “standard HDD” and leave all the rest as default.
  5. Under the “Networking” tab
    1. In the first field, “virtual network”, select the previous VNET name you created for the first VM Server.
    2. Check the box “delete public IP and NIC when VM is deleted
    3. Leave all the rest as default
  6. Under the “management” tab
    1. Check the box “auto-shutdown.”
    2. Leave all the rest as default
  7. Under Monitoring
    1. Set “Diagnostics” as “disable”
  8. Skip all other tabs
  9. Then, finally, click on the “Create” button

Now we have two VMs that we will need to test our Sentinel environment.




8. Simulated Attacks


We will have to execute some easy steps to run the simulated attacks and then see how to use Sentinel to be protected against them.




For Threat 1 – brute force attack

  1. Set up Sentinel:
    1. Ingest Windows Server logs.
    2. Configure some Sentinel solutions from the Content hub, then on Data Connectors
    3. Configure some of the Analytic queries.
  2. Test the log ingestion from VM Server using Log Analytics or Sentinel
  3. Build a custom analytic query to test the environment against a “Brute force attack.”
  4. Try failed signed-in on the VM Server.
  5. Review the Incident page on Sentinel to validate that Sentinel captures the threat.


For Threat 2 – credential theft (through anonymous access)

  1. Set up Sentinel to:
    1. Ingest logs from Entra Identity Protection (aka Azure AD ID Protection)
    2. Configure some Sentinel solutions from the Content hub, then on Data Connectors
    3. Configure some of the Analytic queries
  2. Through the client VM, open Tor Browser and try to sign on Azure VM Server
  3. Review the Incident page on Sentinel to validate that Sentinel captures the threat



Brute force attack simulation

In this first attack, you can use your laptop or the client VM you provisioned on Azure to simulate the brute force attack. The diagram below explains what we are going to do.



Using our common IT customer environment, we have the bad actor (A1) initiating a brute force attack to try to identify the user account password through multiple sign-in attempts (A2).


However, based on the logs (D1) configured to be ingested on Sentinel, we are setting up our environment to capture this type of threat by configuring Sentinel (D5) data connectors and analytic rules.

Azure AD ID protection (Entra) (D2), Microsoft Defender for Cloud (MDC) (D4), and Microsoft Defender for Endpoint (MDE) (D3) may also offer protection for our Virtual Machine.


 STEP 1 – Configuring Windows Security event logs ingestion on Sentinel

  1. Go to Azure portal at “”
  2. Search for “Sentinel”, then open your Sentinel
  3. Go to “content hub” in the left menu and search for “Windows security events.”
  4. In the bottom right of the screen, click on “Install.”
  5. Once it is installed, go to “Data connectors” in the left menu
  6. Click on “Windows security events via AMA”, then click on “Open connector page” at the bottom right of the screen
  7. Click on “Create data collection rule.”
  8. On the right side of the screen, give a name to your rule
  9. In the “resources” tab, click on “add resource.”
  10. You must see your Resource Group and the VMs you have installed. Select both VMs, then click on “apply.”




  1. Select “All security events”, then next to complete it.

NOTE: This process above will install Azure Monitoring Agent (AMA) in both VMs and start collecting Security event logs from both Windows Server and Client. It will take a few minutes to start appearing the first logs from Windows.


  1. Lastly, go to your Sentinel main page. In the left menu, go to “Logs.”
  2. In the main screen (center), write “SecurityEvent”, then click the button “Run.”
  3. In a few minutes, you have to see some logs appearing on your screen



STEP 2 – configuring the Analytic Query on Sentinel

  1. Go to Azure portal at “”
  2. Search for “Sentinel”, then open your Sentinel
  3. In the left menu, click on “Analytics.”
  4. Click on “Create”, then “Schedule query rule.”
  5. In the new wizard, under the tab “General”, add a name to your new analytic query and a description, and leave all the rest as default
  6. In the tab “set rule logic”, you will add this query below:

SecurityEvent // table to be queried

| where Activity startswith "4625" // where 4625 means failed sign-in

| summarize count() by IpAddress, Computer // columns to be reported

| where count_ >3 // aggregation to determine the brute force as an example


NOTE: This above is a KQL or Kusto Query Language. If you are unfamiliar with KQL, you may start with this link below to learn more about it. KQL is extremely important to understand and work with Sentinel.

Kusto Query Language (KQL) overview | Microsoft Learn


  1. Under “Alert enhancement,” expand “Entity mapping” and set things up as in the screenshot below.

  1. Under “Query Scheduling”, set both fields with 5 minutes, as the screenshot below.


  1. Leave all other fields in the tab “Set rule logic” as the default
  2. Leave the “incident settings” tab as the default
  3. Leave the “automated response” tab as the default
  4. Click on “review and create”, then click on the save button



STEP 3 – simulating the brute force attack

  1. First, ensure your VM server is running by going into the Azure portal and searching for Virtual Machine in the search bar. Click on the Virtual Machine icon, then check if the status of your VM is “running.”
  2. Click in your VM. Under “overview” from the left menu, copy and paste your “public IP address”. You will find this information in the center of the screen, on the right side.
  3. Open an RDP (Remote Desktop Connection) in your Windows. Just typing RDP in your Windows machine (your laptop), in the search field, in the bottom bar.
  4. Make sure your computer is connected to the internet
  5. In the RDP application, type the IP address from your Azure VM Server
  6. Type your local user for the VM that you set up during VM creation … for the password, you will type it WRONGLY for 4 or 5 times repeatedly, as shown on the screen below.



NOTE: This multiple failed sign-in will make Windows Operating System generate a Windows Event ID 4625. These will generate logs that will be sent to Sentinel, and because we created a query to identify this behavior of multiple failed signs in, Sentinel will generate an alert that will be automatically transformed into an Incident with a lot of good insights so you, as a Security Analyst, may use to investigate the threat, by looking at as an example, the IP address that was used to try those failed sign-ins.


STEP 4 – checking for the threat on Sentinel / investigating the threat

  1. Open your Sentinel
  2. In the left menu, click on “Incidents.”
  3. You will have to see a new incident generated, like the screen below.



  1. Click on the incident, then, in the bottom right of the screen (below), click on “view full details.”
  2. You will be able to see the host involved in the threat and also the IP address that initiates the brute force attack.


That completes our test of using Sentinel to act quickly to avoid a possible threat. As a next step (it is not covered in this document), you, as a Security Analyst, could isolate the hosts from your network OR block those IP addresses in your firewall to avoid new attempts to sign in to your VMs.




Theft Credential simulation


Now, for our second threat simulated, let’s pretend that our bad actor was able to acquire a user's credentials from a successful “brute force attack”, then he/she will use the credential to connect anonymously through a ToR browser.

The scenario is almost the same as the previous one (see diagram below), however when the bad actor (A1) connects anonymously in the VM (A2), the AAD ID Protection (D2) will generate an alert and send it to Sentinel (D5).



 STEP 1 – configuring Sentinel to capture the threat

  1. Go to Azure Portal and open your Sentinel
  2. Go to “content hub” and search for “Identity Protection.”


  1. Click on it and install the solution.
  2. Then, after installing it, go to “Data Connector”, click on the button “Refresh”
  3. Select the new Data connector called “Azure Active Directory Identity Protection” and then click on the button “Open connector page.”
  4. You need to click in the button “Connect”, so you will start receiving alerts from Azure Active Directory Identity Protection solution (see below)



Now, we need to prepare the Analytic rule (Kusto Query) that will identify that Sentinel receives an Alert from AAD ID Protection, so Sentinel transforms it into an Incident that you can correlate with other Incidents and investigate deeper.



  1. On the Sentinel page, go to “Analytics”, go to the tab “Rule templates” in the center of the screen, and search for “Identity Protection.”


  1. Click on the button “Create rule” at the bottom of the screen
  2. Just click the “Next” button until you complete the wizard. Leave all fields as default.
  3. Ultimately, your Sentinel should present you with 3 Active rules, like below.



Now we are ready to start the next simulated attack.




 STEP 2 – configuring ToR browser and execute the anonymous sign-in

  1. Go to Azure portal at “”
  2. Search for your Azure VMs
  3. Open your client VM, running Windows 10/11
  4. RDP this VMs using the public IP shown in the overview page of the VM
  5. Once you are inside your VM, open a browser and download the “ToR” browser from this link:

 Tor Project | Download

  1. Download it.

(don’t be afraid! That is the reason you are doing that in an isolated environment)


  1. Open your ToR browser, click in the purple button “Connect”
  2. In the address bar, go to this link:
  3. Sign in with the user you previously created in your Entra ID (aka Azure Active Directory) in this document called “torbrowser”. Use the full name as torbrowser@<yourtenantname>
  4. Enter the password you used during the creation of the user.
  5. You will probably receive a message like that below:


At this point, the sign-in was successful. Azure AD Identity Protection will capture this threat (anonymous sign-in), then AAD ID Protection will generate an alert, which will be forwarded to Sentinel. (we configured all of this in this document)


It will take a few minutes to show up in your Sentinel.


  1. This new incident must appear in your Sentinel under the “incident” page.




Integrating Sentinel with Microsoft Defender for Endpoint (EDR)


In case you are a company that already runs Security through Microsoft 365 Defender for Endpoint, part of the Microsoft XDR solution, you may want to integrate logs and alerts from MDE into Sentinel.

This is supposed to be a very easy task. In this document, we implement a trial version of MDE P2, and so you should be able to execute this integration in your environment created throughout this document.

It is out of scope to run a threat to be captured by MDE and then correlate its alert on Sentinel. However, below are the steps to integrate MDE with Sentinel so that you can test it.


  1. On Azure Portal, go to your Sentinel.
  2. On “Content hub”, select “Microsoft Defender for Endpoint” solution, then click on “Install.”
  3. Go to “Data connectors”, and click on “Refresh.”
  4. Click “Microsoft Defender for Endpoint”, then click “Open connector page.”
  5. You only need to click on the button “Connect”, then you will start receiving Alerts from MDE into Sentinel.


  1. To receive the raw logs from MDE, go back to Sentinel main page, access “Content Hub”
  2. Search for “Microsoft 365 Defender”, select it, then click “install.”
  3. Once installed, go to “Data Connectors”, click on the “Refresh” button.
  1. Select the new data connector, "Microsoft 365 Defender, " then click on “Open connector page.”
  2. You can connect raw logs and select specific tables, as you can see below.


  1. Or you will be able to bring Incidents and Alerts from M365 Defender to your Sentinel by clicking on the button “Connect incidents & alerts.”


Final Considerations


In this document, you built an Azure environment with Sentinel, Log Analytics, Entra ID (aka Azure Active Directory), Microsoft Defender for Cloud, and resources to be used to simulate two types of common threats against a common IT environment so we use Sentinel to capture those threats and transform them in Incidents to be investigated.


As you can see, the environment involves many components and some setups. This is just an overview to help you understand how Sentinel works in the real world.


If you want to learn more about Sentinel and Microsoft Cloud security solutions, see the last topic in this document with some important links about Microsoft Security.




Cleaning up what you built

  1. Go to your Azure portal, search for “Subscriptions.”
  2. Select it. In the overview page, click on “Cancel subscription.”
  3. Provide any reason and select the box to “turn off my resources…”

NOTE: make sure you didn’t generate any cost.


  1. Go to Microsoft 365 Admin center at “” portal
  2. In the left menu, go to “Billing”, then “Your products”. Select both trials, Azure AD Premium P2 and Microsoft Defender for Endpoint P2 trial, and click on “Cancel subscription.”


  1. Once you finish them, both will show up as “Disabled” under the column “Subscription status”.



Where to Go Next


What we set up and tested in this document was only a part of the Microsoft Cloud Security solution. If you want to learn more about it, we have many documents that may help in that journey. Or you may contact someone from the Microsoft team to assist you.

It is important you understand that no matter the Security approach you consider, like Zero Trust or Microsoft Cloud Security benchmark or Azure Best Practices, at the end of the day, Microsoft will offer you the same great set of Security solutions to help you get a better Security posture against the most common threats or the ones you are more concerned about.


This next diagram helps you understand the big picture of Microsoft Cloud Security solutions and the different approaches.





Important Links


What is Azure—Microsoft Cloud Services | Microsoft Azure


What is Microsoft Sentinel? | Microsoft Learn

Log Analytics tutorial - Azure Monitor | Microsoft Learn


Kusto Query Language (KQL) overview | Microsoft Learn


What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn


What is Microsoft 365 Defender? | Microsoft Learn


Microsoft Defender for Endpoint | Microsoft Learn


Microsoft Entra documentation | Microsoft Learn


Overview of the Microsoft cloud security benchmark | Microsoft Learn


What is Zero Trust? | Microsoft Learn


Feebacks? Send it to Rudnei Oliveira, 


Exit mobile version