A structured Threat Hunting and Incident Response (IR) lab designed for hands‑on learning with Microsoft Sentinel and Defender for Endpoint. This lab simulates realistic detection, investigation, and response workflows against common attacker TTPs, making it ideal for blue‑team training, purple‑team exercises, and portfolio demonstration.
- Build a Proactive Hunt Workflow
- Execute Reactive IR Playbooks
- Document and Share
| Tool | Role | Details |
|---|---|---|
| Microsoft Sentinel | SIEM / SOAR | Log Analytics workspace + alerts |
| Defender for Endpoint | EDR on all Windows hosts | Advanced Hunting enabled |
| Azure VM | Target endpoint for the hunts | Windows 10 Pro |
- Kusto Query Language (KQL) for log queries
- Microsoft Sentinel for analytics rules and playbooks
- Microsoft Defender for Endpoint for endpoint telemetry and response
- Microsoft Azure for VM creation
- 7‑Step Threat Hunting Framework embedded in each scenario
- MITRE ATT&CK Mapping for all simulated adversary behaviors
- Reusable KQL Snippets for rapid deployment into Sentinel
- Read each scenario’s detailed procedure in the corresponding Markdown file.
- TH Scenario 1 – Data Exfiltration from PIP'd employee
- TH Scenario 2 – Suspicious/Unauthorized Tor Usage
- IR Scenario 1 – Internet‑Facing Brute‑Force
- IR Scenario 2 – Suspicious web request
Note
The scenarios and structure provided are examples. Be sure to create your own and improve upon them as needed.
- Preparation – Form a hypothesis based on observed anomalies.
- Data Collection – Ensure the required tables are being ingested.
- Analysis – Run KQL to surface anomalies.
- Investigation – Pivot to process/file logs, map to MITRE TTPs.
- Containment – Isolate hosts via Defender for Endpoint.
- Eradication – Remove malicious artifacts, rebuild if necessary.
- Recovery & Improvement – Restore systems, update detection rules, document lessons learned.
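As an added illustration (not one of the lab's own scenario files), the following Defender for Endpoint Advanced Hunting query shows how the Preparation, Data Collection, Analysis and Investigation steps come together for the Internet-Facing Brute-Force scenario. The `lookback` and `threshold` values are assumptions to tune per environment; the `DeviceLogonEvents` columns are the standard ones exposed by Defender for Endpoint.

```kql
// Step 1 - Preparation: hypothesis is that an internet-facing host is being
// brute-forced (MITRE ATT&CK T1110, Brute Force) from public IP addresses.
// Step 2 - Data Collection: requires DeviceLogonEvents from Defender for Endpoint.
let lookback = 24h;        // assumed hunting window, tune per environment
let threshold = 20;        // assumed failure count per source IP, tune per environment
// Step 3 - Analysis: surface remote sources generating many failed logons.
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonFailed"
| where isnotempty(RemoteIP)
| where not(ipv4_is_private(RemoteIP))          // keep only public (internet-facing) sources
| summarize FailedAttempts = count(),
            DistinctAccounts = dcount(AccountName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            LogonTypes = make_set(LogonType)
    by DeviceName, RemoteIP
| where FailedAttempts >= threshold
// Step 4 - Investigation: pivot to check whether the same source ever
// succeeded in the window, which is the pivot point into process/file logs.
| join kind=leftouter (
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where isnotempty(RemoteIP)
    | summarize SuccessesInWindow = count(), SuccessfulAccounts = make_set(AccountName)
        by DeviceName, RemoteIP
  ) on DeviceName, RemoteIP
| extend SuccessesInWindow = coalesce(SuccessesInWindow, 0)
| project DeviceName, RemoteIP, FailedAttempts, DistinctAccounts,
          SuccessesInWindow, SuccessfulAccounts, LogonTypes, FirstSeen, LastSeen
| order by SuccessesInWindow desc, FailedAttempts desc
```

Rows with a non-zero `SuccessesInWindow` are the ones to escalate first; those hosts are candidates for the Containment step (isolation via Defender for Endpoint), and the query can be saved as a Sentinel analytics rule once the threshold is tuned.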
Note
This lab is for educational purposes. Never run these techniques or queries against environments where you do not have explicit permission.