Day 4 — Monitoring and Threat Detection
Day 4 — Monitoring and Threat Detection
Day 4 starts with a fresh repository containing all resources — App Services, Key Vault, Storage, Log Analytics, Application Insights, and VNet — with monitoring enabled from the start.
Day 4 Start Files
Day 4 labs
Day 4 Solutions
The Day 4 storyline
After proving that you can deliver code securely through a pipeline, the next question is: once your application is running, how do you know it is working, and who is attacking it?
Day 3 established the secure delivery cycle. Day 4 closes the loop by adding the observability and detection layer — the ability to see what is happening inside your infrastructure and applications, to investigate anomalies, and to create automated alerts for suspicious activity.
Day 1: Identity — manage identities, permissions, and secrets
Day 2: Network — configure network segmentation and access controls
Day 3: Automation — implement automated pipelines with security gates
Day 4: Audit — enable monitoring, threat detection, and investigationThis completes the security lifecycle:
Identity → Network → Automation → AuditDay 4 focuses on the last three stages. You will deploy Day 4 infrastructure with monitoring enabled from the start, generate realistic application traffic (including attack patterns), and then use KQL to investigate those events in the Azure portal.
What changes in Day 4
| Resource | Action | Terraform or Portal? |
|---|---|---|
| All resources (App Services, Key Vault, Storage, Log Analytics, App Insights, VNet) | Deployed from Day 4 infrastructure | Terraform (Day 4 repo) |
| Diagnostic settings | Enabled on App Services, Key Vault, Storage | Terraform (via dev.tfvars) |
| Log Analytics workspace | Add daily cap to prevent runaway costs | Azure portal (during lab) |
| Microsoft Sentinel | Enable on Log Analytics workspace | Azure portal (during lab) |
| Azure Activity Log connector | Turn on in Sentinel | Portal |
| Application telemetry | Add correlation IDs and structured logging | Application code changes |
| Security scan reports | Ingest Checkov, Semgrep, Trivy into Log Analytics | Pipeline artifacts |
| Sentinel workbooks | Browse and customize | Portal |
| KQL queries | Write queries for hunting | Portal |
| Custom workbook | Create from scratch | Portal |
| Analytics rule | Create detection rule and investigate | Portal |
Sentinel and daily cap are configured interactively in the Azure portal during the labs. This ensures students understand how to enable these features manually, which is a core operational skill in production.
Day 4 starts with a fresh repository containing all resources. The dev.tfvars file sets enable_diagnostic_settings = true, which creates diagnostic setting resources that route logs to Log Analytics. The pipeline (with Checkov IaC scanning, Semgrep code analysis, and Trivy dependency scanning) produces security reports that can be ingested into Sentinel for unified monitoring.
Architecture
All telemetry flows to a single Log Analytics workspace. Sentinel analyses the data without storing it separately — it is a layer on top of Log Analytics. Security scan reports from the pipeline (Checkov IaC, Semgrep code analysis, Trivy dependencies) are published as pipeline artifacts and can be ingested into Log Analytics for unified monitoring.
What you will learn
After Day 4, you will know how to:
- Enable diagnostic settings to route platform logs to Log Analytics
- Generate application telemetry using correlation IDs and structured logging
- Write KQL queries to discover and investigate log data
- Connect data sources to Microsoft Sentinel for threat detection
- Create analytics rules that detect suspicious patterns
- Build custom dashboards using Sentinel workbooks
- Investigate security incidents through the Sentinel portal
- Set up Azure DevOps audit streaming to Sentinel for supply chain monitoring
- Detect PAT creation, service connection changes, and pipeline modifications
- Correlate DevOps events with Azure infrastructure events for complete attack chain visibility
Day 4 labs
| Lab | Topic |
|---|---|
| Lab 4.1 | Run the pipeline and observe the monitoring baseline |
| Lab 4.2 | Enable diagnostic settings and route infrastructure logs to Log Analytics |
| Lab 4.3 | Add application telemetry with correlation IDs and trace requests |
| Lab 4.4 | Enable Microsoft Sentinel and explore the workspace |
| Lab 4.5 | Hunt through application and infrastructure events using KQL |
| Lab 4.6 | Create an analytics rule and investigate a simulated incident |
| Challenge | Build your own monitoring dashboard, review coverage, and design an analytics rule |
Summary
Day 4 deploys monitoring-enabled infrastructure from scratch, enabling you to monitor activity, investigate events with KQL, and detect threats through Microsoft Sentinel — skills that connect directly to real-world security operations.