This repository documents my Microsoft Sentinel SOC homelab implementation in Azure, built as a practical blue-team project and portfolio artifact.
Lab reference: Microsoft Sentinel SIEM Full Tutorial
- Created core Azure resources (`RG-SOC-Lab`, VM, Log Analytics workspace, Sentinel setup)
- Added network segmentation with a dedicated virtual network for the lab VM
- Configured a Data Collection Rule (DCR) pipeline from VM -> Windows Event Logs -> Log Analytics
- Connected data sources in Microsoft Sentinel (3 connectors connected)
- Queried and investigated security events with KQL
- Built watchlist-driven enrichment and a workbook visualization
- Documented learning outcomes and implementation challenges
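As an added illustration of the KQL investigation and watchlist-driven enrichment steps above (example query written for this summary, not taken from the repository), the query below joins failed Windows logons from the DCR-ingested `SecurityEvent` table against a Sentinel watchlist of high-value hosts. The watchlist alias `HighValueAssets` and its columns `HostName`, `Owner` and `Tier` are assumptions for illustration; `_GetWatchlist()` is the built-in Sentinel function.

```kql
// Added example, not part of the original lab: enrich failed logons (EventID 4625)
// with an asset watchlist so triage can prioritize by asset tier and owner.
// Watchlist alias and column names below are assumptions, not from the repo.
let watch = _GetWatchlist('HighValueAssets')
    | project HostName = tostring(HostName),
              Owner    = tostring(Owner),
              Tier     = tostring(Tier);
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625                      // failed logon
| project TimeGenerated, Computer, Account, IpAddress, LogonType
// inner join keeps only events on hosts that appear in the watchlist
| join kind=inner watch on $left.Computer == $right.HostName
| summarize FailedLogons = count(),
            SourceIPs    = make_set(IpAddress, 10),
            LastSeen     = max(TimeGenerated)
    by Computer, Account, Owner, Tier
| where FailedLogons >= 5                    // simple burst threshold for triage
| order by Tier asc, FailedLogons desc
```

The same join pattern can back a workbook tile by replacing the final `order by` with a `render` clause, or be saved as an analytics rule to generate incidents.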
All evidence is in artifacts/screenshots/:
- Resource groups (`NetworkWatcherRG` and `RG-SOC-Lab`)
- Virtual machine (`CORP-NET-EAST-1`)
- Microsoft Sentinel overview (Defender portal)
- Data connectors state
- Log Analytics activity logs
- Security events/incidents generated via KQL
- Watchlist configuration
- Watchlist query result sample
- Workbook visualization
- Data Collection Rule visualizer showing ingestion path
- Virtual network used for VM placement
- Full `RG-SOC-Lab` resource topology visualization
- Azure resource provisioning and management
- Microsoft Sentinel onboarding and operations
- KQL query writing for investigation and enrichment
- Watchlist usage and workbook visualization
- SOC-style thinking: telemetry, triage, and evidence handling
- `ABOUT.md` - project context, scope, and outcomes
- `SECURITY.md` - vulnerability reporting and secret-handling policy
- `artifacts/screenshots/` - sanitized implementation evidence
- `notes/lab-walkthrough.md` - concise implementation summary
- `notes/lessons-learned.md` - challenges and key learning points
- No secrets, credentials, keys, or connection strings are committed
- Artifacts are sanitized for public portfolio visibility
- Sensitive local files are excluded through `.gitignore`