Kindfire73 Lab
This is a training environment for customers. All accounts and data are generated and for training purposes only.
## Lab Overview
This SOC lab environment provides analysts with hands-on experience performing security investigations using Legion recording, guided and autonomous investigation modes. The lab is equipped with Microsoft security tools and a ticketing system for realistic incident response workflows.
## Available Tools & Access Links
| Tool/Service | Access URL | Security Control Type |
|---|---|---|
| Defender Suite & Microsoft Sentinel | security.microsoft.com | EDR, Email Protection, UEBA |
| Entra ID | entra.microsoft.com | IDP |
| Intune | intune.microsoft.com | MDM |
| Purview | purview.microsoft.com | DLP, DSPM, Insider threat protection |
| Jira Ticketing System | Jira Incidents | SOC Incident Queue |
## Login Credentials

### SOC Analyst Account

Use this account to perform security investigations and access all SOC tools:
- Username: soc-analyst@kindfire73.onmicrosoft.com
- Password: will be shared with the customer's designated personnel.
### Victim Employee Accounts

These accounts represent the end users targeted in the attack scenarios:
| User Account | Details |
|---|---|
| john.doe@kindfire73.onmicrosoft.com | Has an enrolled Windows 11 device named "win11-john-doe" |
| jessica.miller@kindfire73.onmicrosoft.com | Standard user account (no registered/enrolled devices) |
## Attack Scenarios (continuously launched, rehydrating the environment with logs, alerts and incidents)
The lab environment includes three realistic threat scenarios with complete telemetry, alerts, and incidents pre-ingested across all relevant tools:
1. Account Takeover​
- Alert Type: Anomalous sign-in alert
- Description: Suspicious authentication activity indicating potential account compromise
- Data Sources: Entra ID sign-in logs, Microsoft Sentinel, Defender XDR
2. Phishing Attack​
- Alert Type: Defender for Office 365 alert
- Description: Malicious email campaign targeting employees
- Data Sources: Defender for Office 365, Email logs, Microsoft Sentinel, Defender XDR
3. Malware Detected​
- Alert Type: Defender for Endpoint alert
- Description: Malware execution detected on a corporate device
- Data Sources: Defender for Endpoint, device events, Microsoft Sentinel, Intune, Defender XDR
Each scenario includes:
- Complete log data across all relevant Microsoft security tools
- Correlated incidents and alerts in Microsoft Defender XDR which are sent to Jira
- Supporting telemetry for comprehensive investigation
## Investigation Capabilities

- Legion Recording Mode: Records the investigation flow to capture the entire triage process performed by an analyst, for learning and investigation-summary purposes.
- Legion Guided Mode: Deterministic workflow automation per use case, created automatically from recording sessions.
- Legion Autonomous Mode: Incidents in the Jira queue are automatically investigated and handled by the relevant workflow.
## Getting Started

- Log in to security.microsoft.com using the Microsoft SOC analyst credentials
- Download the Legion extension
- Log in to app.legionsecurity.com using the Legion App SOC analyst credentials
- Log in within the Legion extension using the same Legion App SOC analyst credentials
- Access the Jira incident queue and start investigating (SSO login with your Microsoft SOC analyst account)!
- Enable Legion recording to capture investigation steps for documentation