Welcome to Microsoft Defender for Cloud Labs!

Introduction

Our labs project help you get ramped up with Microsoft Defender for Cloud and provide hands-on practical experience for product features, capabilities, and scenarios. The labs are divided into 3 main tracks, a beginner (level 100/200) and an advanced (level 300+) track. The labs contain several modules cover different pillars such as Cloud Security Posture Management (CSPM) to Cloud Workload Protection (CWP). To start using our labs, you will need to create Azure Trial Subscription which provides you all capabilities for 30 days – so you have to finish this lab at this point to take advantage of the free trial. We continually update the content to include the latest capabilities – please feel free to submit issue for any changes and suggestions.

Skill	Level	Description
Beginner	100	You're starting out and want to learn the fundamentals of Microsoft Defender for Cloud
Intermediate	200	You have some experience with the product but want to learn more in-depth
Advanced	300+	You have lots of experience and are looking to learn about advanced capabilities

Last release notes

• Version 1.0 - General availability of Microsoft Defender for Cloud labs
• Version 2.0 - General availability of Microsoft Defender for Cloud labs version 2 (November 2021)
• Version 3.0 - General availability of Microsoft Defender for Cloud labs version 3 (May 2024)

Modules

Module 1 – Preparing the Environment (L100)

• Creating an Azure Trial Subscription
• Provisioning resources (automation)
• Enabling Microsoft Defender for Cloud

Module 2 – Exploring Microsoft Defender for Cloud (L100)

• Understanding Microsoft Defender for Cloud dashboard
• Exploring Secure Score and Recommendations
• Exploring the Inventory capability

Module 3 – Security Policy (L200)

• Overview of the security policy
• Explore Azure Policy
• Create resource exemption for a recommendation
• Create a policy enforcement and deny
• Create a custom policy

Module 4 – Regulatory Compliance (L200)

• Understanding Regulatory Compliance dashboard
• Adding new standards
• Creating your own benchmark

Module 5 – Improving your Secure Posture (L300)

• Vulnerability assessment for VMs
• Vulnerability assessment for Containers
• Automate recommendations with workflow automation
• Accessing your secure score via ARG
• Creating Governance Rules and Assigning Owners

Module 6 – Microsoft Defender Plans (L300)

• Alert validation
• Alert suppression
• Accessing Security Alerts using Graph Security API

Module 7 – Exporting Microsoft Defender for Cloud information to a SIEM (L200)

• Using continuous export
• Integration with Microsoft Sentinel

Module 8 – Enhanced Security (L300)

• Exercise 1: Enable Defender for Servers Plan 2
• Exercise 2: Using JIT to reduce attack surface
• Exercise 3: Adaptive Application Control
• Exercise 4: File Integrity Monitoring

Module 9 – Defender for Containers (L300)

• Install Docker Desktop
• Download vulnerable image from Docker Hub into the Container Registry
• Investigate the recommendation for vulnerabilities in ACR

Module 10 – GCP (L300)

• Create a GCP project
• Create the GCP connector in Microsoft Defender for Cloud
• Investigate the GCP recommendations

Module 11 – AWS (L300)

• Create an AWS account
• Create an AWS connector for the new AWS account in Microsoft Defender for Cloud

Module 12 – Database Protections (L300)

• Enable Defender for SQL servers on machines plan
• Enable and protect your Azure SQL Databases using Microsoft Defender for Azure SQL Databases
• Enable and protect your Azure Cosmos DB accounts using Microsoft Defender for Azure Cosmos DB
• Enable and protect your OSS RDBs using Microsoft Defender for Open-source relational databases

Module 13 – Defender for APIs (L300)

• Create Azure API Management Service
• Publish an API within API Management
• Enable Defender for API
• Onboard APIs to Defender for APIs
• Explore the Defender for API tile and look at API recommendations in Defender for Cloud
• Trigger an alert "Suspicious user agent detected"
• Explore the Data Classifications coming from Microsoft Purview in the Defender for API tile
• Build query with Cloud Security Explorer with Defender CSPM

Module 14 – Configuring Azure DevOps Connector in Defender for Cloud (L200)

• Preparing the environment
• Creating an Azure DevOps Trial Subscription
• Configuring Azure DevOps Connector
• Configure the Microsoft Security DevOps Azure DevOps Extension
• Install Free extension SARIF SAST Scans Tab
• Configure your pipeline using YAML

Module 15 – Configuring GitHub Connector in Defender for Cloud (L200)

• Preparing the environment
• Creating an GitHub Trial account
• Obtain trial of GitHub Enterprise Cloud account
• Connecting your GitHub organization
• Configure the Microsoft Security DevOps GitHub action

Module 16 - Protecting On-Prem Servers in Defender for Cloud (L300)

• Install Hyper-V which will be used to create the server on your own machine
• Using Hyper-V, confirm that there's a virtual switch already installed on your desktop
• Using Hyper-V, create a VM (virtual machine) which will act as the virtual on-premises server that you will be protecting via Defender for DevOps
• Install the operating system in your VM
• Setup the Azure Arc Rresource provider
• Connect to your VM
• Install Azure Arc on the VM so the VM will be protected by Micrsosoft Defender for Cloud
• Confirm that the "on-prem" server we created is being detected by the Azure portal

Module 17 - Defender CSPM (L200)

• Exercise 1: Preparing the Environment for DCSPM plan
• Exercise 2: Enabling Defender CSPM plan
• Exercise 3: Explore Attack Paths in your Environment
• Exercise 4: Build query with Cloud Security Explorer
• Exercise 5: Assign Governance Rule

Module 18 - Agentless container posture through Defender CSPM (L200)

• Exercise 1: Prepare your environment
• Exercise 2: Investigate internet exposed Kubernetes pods through the Cloud Security Explorer
• Exercise 3: Investigate attack paths

Module 19 – Defender for Storage

• Exercise 1: Preparing the Environment for Defender for Storage plan
• Exercise 2: Create a Storage Account
• Exercise 3: Exclude folder in Windows Security
• Exercise 4: Create EICAR File
• Exercise 5: Upload Malware to a Storage Account
• Exercise 6: Security Alert
• Exercise 7: Configure automation to delete the malicious file based on security alert
• Exercise 8: Code to upload files to storage account and monitor the blob index tag itself
• Exercise 9: Set up "Send scan results to Log Analytics" and read it
• Exercise 10: Function App based on Event Grid events

Module 20 – Contextual Security capabilities for AWS using Defender CSPM

• Exercise 1: Preparing the AWS Environment for Defender CSPM plan
• Exercise 2: Explore Attack Paths in your AWS Environment
• Exercise 3: Build query with Cloud Security Explorer

Module 21 - Contextual Security capabilities for GCP using Defender CSPM

• Exercise 1: Preparing the GCP Environment for Defender CSPM plan
• Exercise 2: Explore Attack Paths in your AWS Environment
• Exercise 3: Build query with Cloud Security Explorer

Module 22 - Integration with Microsoft Defender for Endpoint

• Exercise 1: Enable the integration with Microsoft Defender for Endpoint
• Exercise 2: Connect your on-premises servers via direct onboarding
• Exercise 3: Analyze vulnerability assessment findings in custom workbooks

Module 23 - Data-aware security posture

• Exercise 1: Enabling sensitive data discovery
• (Optional) Exercise 2: Enabling sensitive data discovery for AWS and GCP
• Exercise 3: Configure sensitive data categories
• (Optional) Exercise 4: Import and configure custom sensitive info types and sensitivity labels
• Exercise 5: Upload sensitive data
• Exercise 6: Explore risks with Cloud Security Explorer
• Exercise 7: Identify sensitive resources in Inventory
• (Optional) Exercise 8: Explore risks through attack paths
• (Optional) Exercise 9: Explore sensitive data security alerts
• (Optional) Exercise 10: Data security dashboard investigation

Begin the labs here >

Acronyms

Acronym	Meaning	Description
MDFC	Microsoft Defender for Cloud	Built-in free service which offer limited security for your Azure resources only
CSPM	Cloud Security Posture Management	Automates the identification and remediation of risks across cloud infrastructures. CSPM in Microsoft Defender for Cloud is available for free to all Azure users. The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more.
CWP	Cloud Workload Protection	Provides workload-centric security protection solutions such as servers, app service, storage, database and more. All CWP capabilities are covered under Microsoft Defender for Cloud.
JIT	Just-in-time	Feature to reduce exposure to attacks while providing easy access when you need to connect to a VM
ARM	Azure Resource Manager	Deployment and management layer that enables you to create, update, and delete resources in your Azure account.
RBAC	Role-based access control	Authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
VA	Vulnerability Assessment	Provides vulnerability scanning for your virtual machines and container registries.
SIEM	Security information and event management	Tool to provide a central place to collect events and alerts, that aggregates data from multiple systems and analyze that data to catch abnormal behavior or potential cyberattacks. For example, Microsoft Sentinel.

Begin the labs here >