Our labs project helps you get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience with product features, capabilities, and scenarios. The labs are divided into two main tracks, a beginner track (levels 100/200) and an advanced track (level 300+). The modules cover the different pillars of the product, from Cloud Security Posture Management (CSPM) to Cloud Workload Protection (CWP). To start using the labs you will need to create an Azure trial subscription, which gives you access to all capabilities for 30 days, so plan to complete the labs within that window to take full advantage of the free trial. We continually update the content to include the latest capabilities; please feel free to submit an issue with any changes and suggestions.
Skill | Level | Description |
---|---|---|
Beginner | 100 | You're starting out and want to learn the fundamentals of Microsoft Defender for Cloud |
Intermediate | 200 | You have some experience with the product but want to learn more in-depth |
Advanced | 300+ | You have lots of experience and are looking to learn about advanced capabilities |
- Version 1.0 - General availability of Microsoft Defender for Cloud labs
- Version 2.0 - General availability of Microsoft Defender for Cloud labs version 2 (November 2021)
- Version 3.0 - General availability of Microsoft Defender for Cloud labs version 3 (May 2024)
Module 1 – Preparing the Environment (L100)
- Creating an Azure Trial Subscription
- Provisioning resources (automation)
- Enabling Microsoft Defender for Cloud
Module 2 – Exploring Microsoft Defender for Cloud (L100)
- Understanding Microsoft Defender for Cloud dashboard
- Exploring Secure Score and Recommendations
- Exploring the Inventory capability
Module 3 – Security Policy (L200)
- Overview of the security policy
- Explore Azure Policy
- Create resource exemption for a recommendation
- Create a policy with enforcement and a deny effect
- Create a custom policy
Module 4 – Regulatory Compliance (L200)
Module 5 – Improving your Secure Posture (L300)
- Vulnerability assessment for VMs
- Vulnerability assessment for Containers
- Automate recommendations with workflow automation
- Accessing your secure score via Azure Resource Graph (ARG)
- Creating Governance Rules and Assigning Owners
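The "secure score via ARG" exercise above queries the `securityresources` table in Azure Resource Graph. The following script is an added example, not part of the labs: it carries the two KQL queries a practitioner actually wants (the per-subscription score and its per-control breakdown) and ranks the controls by how many points are still available, which is the order in which to work the recommendations. The control rows below are constructed sample data in the shape ARG returns; the live query helper assumes the `azure-identity` and `azure-mgmt-resourcegraph` packages and only runs when you have network access and credentials.

```python
"""Secure score via Azure Resource Graph (ARG).

Added example for the Defender for Cloud labs; not the labs' own code.
Assumes the documented ARG shape of `microsoft.security/securescores` and
`microsoft.security/securescores/securescorecontrols` resources.
"""
from typing import Dict, List

# Per-subscription secure score (what the portal shows as the headline number).
SECURE_SCORE_QUERY = """
securityresources
| where type == "microsoft.security/securescores"
| extend current = todouble(properties.score.current),
         max = todouble(properties.score.max)
| project subscriptionId, current, max
"""

# Per-control breakdown: each control has its own current/max score and the
# number of resources that are failing it.
CONTROLS_QUERY = """
securityresources
| where type == "microsoft.security/securescores/securescorecontrols"
| extend displayName = tostring(properties.displayName),
         current = todouble(properties.score.current),
         max = todouble(properties.score.max),
         unhealthy = toint(properties.unhealthyResourceCount)
| project subscriptionId, displayName, current, max, unhealthy
"""

# Constructed sample rows, in the shape produced by CONTROLS_QUERY.
SAMPLE_CONTROLS: List[Dict] = [
    {"subscriptionId": "sub-1", "displayName": "Enable MFA", "current": 0.0, "max": 10.0, "unhealthy": 3},
    {"subscriptionId": "sub-1", "displayName": "Remediate vulnerabilities", "current": 2.0, "max": 6.0, "unhealthy": 12},
    {"subscriptionId": "sub-1", "displayName": "Apply system updates", "current": 6.0, "max": 6.0, "unhealthy": 0},
    {"subscriptionId": "sub-1", "displayName": "Enable encryption at rest", "current": 0.0, "max": 0.0, "unhealthy": 0},
]


def subscription_percentage(row: Dict) -> float:
    """Secure score as a percentage; a subscription with no assessable controls scores 0."""
    if not row["max"]:
        return 0.0
    return round(100.0 * float(row["current"]) / float(row["max"]), 2)


def prioritize_controls(rows: List[Dict], top: int = 5) -> List[Dict]:
    """Rank controls by the points still available (max - current).

    Controls already at their maximum, and controls with max == 0 (not
    applicable to this subscription), are dropped. Ties are broken by the
    number of unhealthy resources, so the noisiest control comes first.
    """
    ranked = []
    for r in rows:
        gap = float(r["max"]) - float(r["current"])
        if r["max"] <= 0 or gap <= 0:
            continue
        ranked.append({**r, "gap": round(gap, 2)})
    ranked.sort(key=lambda r: (-r["gap"], -int(r["unhealthy"])))
    return ranked[:top]


def run_arg_query(query: str, subscriptions: List[str]) -> List[Dict]:
    """Run `query` against ARG with the caller's Azure credentials (needs network).

    Imports are local so the rest of the module works offline. Results larger
    than one page need the skip token from the response; not handled here.
    """
    from azure.identity import DefaultAzureCredential          # pip install azure-identity
    from azure.mgmt.resourcegraph import ResourceGraphClient    # pip install azure-mgmt-resourcegraph
    from azure.mgmt.resourcegraph.models import QueryRequest

    client = ResourceGraphClient(DefaultAzureCredential())
    response = client.resources(QueryRequest(subscriptions=subscriptions, query=query))
    return response.data


if __name__ == "__main__":
    # Offline demonstration on the constructed rows; swap in
    # run_arg_query(CONTROLS_QUERY, ["<subscription-id>"]) for a live tenant.
    for c in prioritize_controls(SAMPLE_CONTROLS):
        print(f'{c["gap"]:>5} pts  {c["unhealthy"]:>3} unhealthy  {c["displayName"]}')
```

The same ranking is what Module 5's governance rules build on: the control with the largest gap is the one whose recommendations are worth assigning an owner and a due date first.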
Module 6 – Microsoft Defender Plans (L300)
Module 7 – Exporting Microsoft Defender for Cloud information to a SIEM (L200)
Module 8 – Enhanced Security (L300)
- Exercise 1: Enable Defender for Servers Plan 2
- Exercise 2: Using JIT to reduce attack surface
- Exercise 3: Adaptive Application Control
- Exercise 4: File Integrity Monitoring
Module 9 – Defender for Containers (L300)
- Install Docker Desktop
- Pull a vulnerable image from Docker Hub and push it into Azure Container Registry (ACR)
- Investigate the recommendation for vulnerabilities in ACR
Module 10 – Onboarding a GCP Project
- Create a GCP project
- Create the GCP connector in Microsoft Defender for Cloud
- Investigate the GCP recommendations
Module 11 – Onboarding an AWS Account
- Create an AWS account
- Create an AWS connector for the new AWS account in Microsoft Defender for Cloud
Module 12 – Database Protections (L300)
- Enable Defender for SQL servers on machines plan
- Enable and protect your Azure SQL Databases using Microsoft Defender for Azure SQL Databases
- Enable and protect your Azure Cosmos DB accounts using Microsoft Defender for Azure Cosmos DB
- Enable and protect your open-source relational databases (OSS RDBs) using Microsoft Defender for open-source relational databases
Module 13 – Defender for APIs (L300)
- Create an Azure API Management service
- Publish an API within API Management
- Enable Defender for APIs
- Onboard APIs to Defender for APIs
- Explore the Defender for APIs tile and review the API recommendations in Defender for Cloud
- Trigger the alert "Suspicious user agent detected"
- Explore the data classifications coming from Microsoft Purview in the Defender for APIs tile
- Build a query with Cloud Security Explorer with Defender CSPM
Module 14 – Configuring Azure DevOps Connector in Defender for Cloud (L200)
- Preparing the environment
- Creating an Azure DevOps Trial Subscription
- Configuring Azure DevOps Connector
- Configure the Microsoft Security DevOps Azure DevOps Extension
- Install the free SARIF SAST Scans Tab extension
- Configure your pipeline using YAML
Module 15 – Configuring GitHub Connector in Defender for Cloud (L200)
- Preparing the environment
- Creating a GitHub trial account
- Obtain trial of GitHub Enterprise Cloud account
- Connecting your GitHub organization
- Configure the Microsoft Security DevOps GitHub action
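Both Module 14 (Azure DevOps) and Module 15 (GitHub) end with the Microsoft Security DevOps (MSDO) scanner producing a SARIF log, which the SARIF SAST Scans Tab extension renders. What the labs do not show is how to turn that log into a build gate. The script below is an added example, not code from the labs or from MSDO: it reads a SARIF 2.1.0 file, counts findings per level, honours suppressions, and returns a non-zero exit code when any finding at or above a chosen level is present. The SARIF document embedded in it is constructed for illustration; the scanner name and rule IDs in it are made up.

```python
"""Gate a CI pipeline on a SARIF 2.1.0 log such as the one MSDO writes.

Added example for the Defender for Cloud labs; not the labs' or MSDO's code.
"""
import json
import sys
from collections import Counter
from typing import Dict, Iterable

# SARIF 2.1.0: a result with no explicit `level` is a "warning", and a
# suppression with no `status` counts as "accepted".
DEFAULT_LEVEL = "warning"
SEVERITY_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample log: one error, one un-levelled warning, one suppressed error.
SAMPLE_SARIF: Dict = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleScanner"}},
        "results": [
            {"ruleId": "EX1001", "level": "error", "message": {"text": "Hard-coded secret"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"}}}]},
            {"ruleId": "EX2002", "message": {"text": "Weak hash algorithm"}},
            {"ruleId": "EX3003", "level": "error", "message": {"text": "Accepted risk"},
             "suppressions": [{"kind": "external"}]},
        ],
    }],
}


def _is_suppressed(result: Dict) -> bool:
    return any(s.get("status", "accepted") == "accepted" for s in result.get("suppressions", []))


def iter_results(sarif: Dict) -> Iterable[Dict]:
    """Flatten all runs into simple records, skipping suppressed findings."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            if _is_suppressed(res):
                continue
            uri = ""
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                break
            yield {
                "tool": tool,
                "ruleId": res.get("ruleId", ""),
                "level": res.get("level", DEFAULT_LEVEL),
                "message": res.get("message", {}).get("text", ""),
                "uri": uri,
            }


def summarize(sarif: Dict) -> Dict[str, int]:
    """Count unsuppressed findings per SARIF level across all runs."""
    return dict(Counter(r["level"] for r in iter_results(sarif)))


def gate(sarif: Dict, fail_level: str = "error") -> bool:
    """True when the build should fail: any finding at or above `fail_level`."""
    threshold = SEVERITY_ORDER[fail_level]
    return any(SEVERITY_ORDER.get(r["level"], 0) >= threshold for r in iter_results(sarif))


def main(path: str, fail_level: str = "error") -> int:
    """Load a SARIF file from disk and return the process exit code for the pipeline."""
    with open(path, encoding="utf-8") as fh:
        sarif = json.load(fh)
    for r in iter_results(sarif):
        print(f'{r["level"]:<8} {r["tool"]} {r["ruleId"]} {r["uri"]}: {r["message"]}')
    print("summary:", summarize(sarif))
    return 1 if gate(sarif, fail_level) else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py path/to/results.sarif [fail_level]
    sys.exit(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "error"))
```

Run it as a step after the MSDO task in the YAML pipeline (Module 14) or after the `microsoft/security-devops-action` step (Module 15), pointing it at the SARIF file the scanner produced; the exit code fails the job while the SARIF tab still shows the full list, including the suppressed findings this gate deliberately ignores.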
Module 16 - Protecting On-Prem Servers in Defender for Cloud (L300)
- Install Hyper-V, which will be used to create the server on your own machine
- Using Hyper-V, confirm that a virtual switch is already installed on your desktop
- Using Hyper-V, create a VM (virtual machine) that will act as the virtual on-premises server you will protect with Defender for Servers
- Install the operating system in your VM
- Set up the Azure Arc resource provider
- Connect to your VM
- Install the Azure Arc agent on the VM so the VM can be protected by Microsoft Defender for Cloud
- Confirm that the "on-prem" server you created is visible in the Azure portal
Module 17 - Defender CSPM (L200)
- Exercise 1: Preparing the Environment for DCSPM plan
- Exercise 2: Enabling Defender CSPM plan
- Exercise 3: Explore Attack Paths in your Environment
- Exercise 4: Build query with Cloud Security Explorer
- Exercise 5: Assign Governance Rule
Module 18 - Agentless container posture through Defender CSPM (L200)
- Exercise 1: Prepare your environment
- Exercise 2: Investigate internet exposed Kubernetes pods through the Cloud Security Explorer
- Exercise 3: Investigate attack paths
Module 19 – Defender for Storage
- Exercise 1: Preparing the Environment for Defender for Storage plan
- Exercise 2: Create a Storage Account
- Exercise 3: Exclude a folder in Windows Security (so the local antivirus does not quarantine the EICAR test file before you upload it)
- Exercise 4: Create an EICAR test file
- Exercise 5: Upload the file to the storage account
- Exercise 6: Review the resulting security alert
- Exercise 7: Configure an automation to delete the malicious file based on the security alert
- Exercise 8: Code to upload files to a storage account and read the scan result from the blob index tag
- Exercise 9: Set up "Send scan results to Log Analytics" and query the results
- Exercise 10: Function App based on Event Grid events
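Exercises 4 through 10 of Module 19 form one procedure: create the EICAR test file, upload it, read the verdict Defender for Storage writes back, and act on it. The script below is an added example, not the labs' code, that covers the offline-checkable parts of that procedure in one place. Taken from the product and the EICAR standard: the 68-byte EICAR test string, the blob index tag named `Malware Scanning scan result` with values `Malicious` and `No threats found`, and the Event Grid event type `Microsoft.Security.MalwareScanningResult`. The event payload field names used here (`data.blobUri`, `data.scanResultType`, `data.scanResultDetails`) are my assumption about the event shape and should be checked against a real event; the sample event is constructed. The upload and delete helpers assume `azure-storage-blob` and `azure-identity` and need network access.

```python
"""Defender for Storage malware scanning: EICAR upload and scan-result handling.

Added example for the Defender for Cloud labs; not the labs' own code.
"""
from typing import Dict, Optional

# EICAR test string, assembled from two halves so that local antivirus does
# not quarantine this source file itself (the lab excludes a folder in
# Windows Security for the same reason).
_EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

SCAN_TAG = "Malware Scanning scan result"                  # blob index tag set by the scanner
EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"     # Event Grid event type

# Constructed sample event; field names under `data` are an assumption.
SAMPLE_EVENT: Dict = {
    "id": "00000000-0000-0000-0000-000000000000",
    "eventType": EVENT_TYPE,
    "subject": "storageAccounts/mystorage/containers/uploads/blobs/eicar.txt",
    "data": {
        "blobUri": "https://mystorage.blob.core.windows.net/uploads/eicar.txt",
        "scanResultType": "Malicious",
        "scanResultDetails": {"malwareNamesFound": ["Virus:DOS/EICAR_Test_File"]},
    },
}


def eicar_bytes() -> bytes:
    """The 68-byte EICAR test file content."""
    return "".join(_EICAR_PARTS).encode("ascii")


def verdict_from_tags(tags: Dict[str, str]) -> str:
    """Map the blob index tag to 'malicious', 'clean', 'pending' or 'unknown'.

    The tag is absent until the asynchronous scan finishes, so an upload
    followed immediately by a tag read normally returns 'pending'.
    """
    value = tags.get(SCAN_TAG)
    if value is None:
        return "pending"
    if value == "Malicious":
        return "malicious"
    if value == "No threats found":
        return "clean"
    return "unknown"   # e.g. a failed scan; treat as not-clean, never as clean


def decide_action(event: Dict) -> Dict:
    """What an Event Grid-triggered Function should do with a scan result.

    Only an explicit Malicious verdict leads to deletion; anything else is
    kept, so a scan failure or an unrelated event never destroys a good file.
    """
    if event.get("eventType") != EVENT_TYPE:
        return {"action": "ignore", "reason": "not a malware scanning event"}
    data = event.get("data", {})
    uri = data.get("blobUri", "")
    result = data.get("scanResultType")
    if result == "Malicious":
        names = data.get("scanResultDetails", {}).get("malwareNamesFound", [])
        return {"action": "delete", "blobUri": uri, "malware": names}
    return {"action": "keep", "blobUri": uri, "reason": result or "no verdict"}


def upload_and_read_tag(conn_str: str, container: str, name: str = "eicar.txt") -> str:
    """Upload the EICAR file and read the scan tag back (needs network)."""
    from azure.storage.blob import BlobClient   # pip install azure-storage-blob
    blob = BlobClient.from_connection_string(conn_str, container_name=container, blob_name=name)
    blob.upload_blob(eicar_bytes(), overwrite=True)
    return verdict_from_tags(blob.get_blob_tags())   # usually 'pending' right after upload


def delete_blob(blob_uri: str) -> None:
    """Remove a blob flagged as malicious, using the Function's own identity (needs network)."""
    from azure.identity import DefaultAzureCredential   # pip install azure-identity
    from azure.storage.blob import BlobClient
    BlobClient.from_blob_url(blob_uri, credential=DefaultAzureCredential()).delete_blob()


if __name__ == "__main__":
    decision = decide_action(SAMPLE_EVENT)
    print(decision)
    # if decision["action"] == "delete": delete_blob(decision["blobUri"])
```

The split between `decide_action` and `delete_blob` is deliberate: the decision is pure and testable, and the only destructive call is guarded by the `Malicious` verdict. Polling `get_blob_tags()` works for a demo, but the Event Grid path is the one to build on, because the tag only appears after the scan completes and a tag read that races the scan reports `pending`, not `clean`.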
Module 20 – Contextual Security capabilities for AWS using Defender CSPM
- Exercise 1: Preparing the AWS Environment for Defender CSPM plan
- Exercise 2: Explore Attack Paths in your AWS Environment
- Exercise 3: Build query with Cloud Security Explorer
Module 21 - Contextual Security capabilities for GCP using Defender CSPM
- Exercise 1: Preparing the GCP Environment for Defender CSPM plan
- Exercise 2: Explore Attack Paths in your GCP Environment
- Exercise 3: Build query with Cloud Security Explorer
Module 22 - Integration with Microsoft Defender for Endpoint
- Exercise 1: Enable the integration with Microsoft Defender for Endpoint
- Exercise 2: Connect your on-premises servers via direct onboarding
- Exercise 3: Analyze vulnerability assessment findings in custom workbooks
Module 23 - Data-aware security posture
- Exercise 1: Enabling sensitive data discovery
- (Optional) Exercise 2: Enabling sensitive data discovery for AWS and GCP
- Exercise 3: Configure sensitive data categories
- (Optional) Exercise 4: Import and configure custom sensitive info types and sensitivity labels
- Exercise 5: Upload sensitive data
- Exercise 6: Explore risks with Cloud Security Explorer
- Exercise 7: Identify sensitive resources in Inventory
- (Optional) Exercise 8: Explore risks through attack paths
- (Optional) Exercise 9: Explore sensitive data security alerts
- (Optional) Exercise 10: Data security dashboard investigation
Acronym | Meaning | Description |
---|---|---|
MDFC | Microsoft Defender for Cloud | Cloud-native application protection platform with a free foundational tier for Azure resources; the paid Defender plans extend protection to workloads and to AWS, GCP and on-premises machines |
CSPM | Cloud Security Posture Management | Automates the identification and remediation of risks across cloud infrastructures. CSPM in Microsoft Defender for Cloud is available for free to all Azure users. The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. |
CWP | Cloud Workload Protection | Workload-centric protection for servers, App Service, storage, databases and more. The CWP capabilities are delivered by the paid Microsoft Defender plans within Microsoft Defender for Cloud. |
JIT | Just-in-time | Feature to reduce exposure to attacks while providing easy access when you need to connect to a VM |
ARM | Azure Resource Manager | Deployment and management layer that enables you to create, update, and delete resources in your Azure account. |
RBAC | Role-based access control | Authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. |
VA | Vulnerability Assessment | Provides vulnerability scanning for your virtual machines and container registries. |
SIEM | Security information and event management | Tool that provides a central place to collect events and alerts; it aggregates data from multiple systems and analyzes it to catch abnormal behavior or potential cyberattacks. For example, Microsoft Sentinel. |