juanjo1139/azure_arm_dev_support_escalation_engineering_practice

Azure App Assure Support Escalation Engineering Lab

A production-like sandbox for practicing Azure support escalation, security operations, and incident response using Microsoft Sentinel, Defender for Cloud, and automation.

Purpose

This lab demonstrates how to:

  • architect a secure Azure App Service environment
  • integrate telemetry into Microsoft Sentinel
  • build detection rules and incident playbooks
  • automate diagnostics and response
  • extend with ISV data connectors
  • operate a secure, compliant cloud platform

It is designed to prepare for App Assure Support Escalation Engineer and Azure Dev Architect roles.

Quick Start

Prerequisites

  • Azure CLI (v2.87+)
  • GitHub Actions secrets configured (optional for CI/CD)

Deploy sandbox

az group create -n rg-reliability-demo -l eastus
az deployment group create \
  -g rg-reliability-demo \
  --template-file infra/main.bicep \
  --parameters \
    laWorkspaceName='reliability-demo-law' \
    appInsightsName='reliability-demo-ai' \
    appServicePlanName='reliability-demo-plan' \
    siteName='reliability-demo-web'

Validate workspace access

chmod +x infra/validate-workspace-access.sh
./infra/validate-workspace-access.sh <subscription-id> <workspace-resource-id>

Onboard Sentinel

az deployment group create \
  -g rg-reliability-demo \
  --template-file infra/sentinel-onboarding.bicep \
  --parameters laWorkspaceResourceId='<workspace-resource-id>'

Folder structure

  • ai-specs/ — Spec-Driven Development workspace for GitHub Copilot; planning artifacts, standards, and change guidance
  • infra/ — Bicep templates for App Service, Log Analytics, Sentinel, diagnostics, custom log tables
  • security/ — KQL queries, Sentinel analytic rules, ISV connector POC, watchlist examples
  • ops/ — runbooks, playbook templates, incident automation
  • ai/ — AI persona prompts for incident response, SRE, threat detection, DevOps
  • docs/ — architecture, security hardening, incident plan, security operations workflow
  • communication-templates/ — customer-facing incident and postmortem templates
  • azure-appservice-reliability-playbook/ — Flask demo app, failure injection, postmortem
  • powershell-diagnostic-collector/ — PowerShell script for automated diagnostics
  • siem-tuning-mock/ — Sentinel tuning examples, KQL, sample logs
  • agentic-ai-troubleshooter/ — prototype AI agent for log analysis

Architecture layers

Application & Infrastructure

  • Azure App Service (Python/Linux)
  • Application Insights
  • Log Analytics Workspace
  • Azure Storage (optional)

Monitoring & Security

  • Application Insights telemetry
  • Azure Monitor diagnostics
  • Microsoft Sentinel workspace
  • Defender for Cloud
  • Custom log tables for ISV data

Automation & Response

  • Logic App playbooks for incident response
  • GitHub Actions CI/CD pipeline
  • PowerShell diagnostics collector
  • Sentinel analytic rules and workbooks

Identity & Access

  • Azure AD integration
  • RBAC role assignments
  • Conditional Access (recommended)
  • Privileged Identity Management (recommended)

Documentation

  • Architecture and design docs
  • Incident runbooks and SLOs
  • Postmortem templates
  • AI-assisted prompt personas
  • Security hardening guidelines

Next steps

1. Deploy the sandbox

See "Quick Start" above.

2. Generate test logs

curl https://reliability-demo-web.azurewebsites.net/simulate

3. Query logs in Log Analytics

AppRequests
| where timestamp > ago(1h)
| summarize count() by resultCode

4. Create Sentinel analytic rules

Use security/sample-analytic-rule.kql as a template.

5. Build playbooks

Use ops/playbooks/sentinel-isv-response-playbook.json as a template.

6. Test incident workflow

  1. Trigger a simulated incident
  2. Sentinel creates an incident
  3. Playbook runs automatically
  4. Review incident and postmortem

7. Extend with ISV connector

See security/isv-connector-poc.md for custom log ingestion patterns.
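An added example, not code from this repository: the query in step 3 and the analytic rule of step 4, modelled in Python over constructed AppRequests rows so the detection logic can be exercised offline before it is wired into Sentinel. The 5xx threshold, minimum-request floor, severity mapping and rule name are assumptions, not values taken from security/sample-analytic-rule.kql.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed AppRequests-style rows (not real telemetry). The /simulate endpoint in
# step 2 yields a mix of success and server-error responses; this mimics that mix.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_APP_REQUESTS = [
    {"timestamp": NOW - timedelta(minutes=m), "resultCode": code, "name": "GET /simulate"}
    for m, code in [(5, "200"), (7, "200"), (9, "500"), (12, "500"), (14, "503"),
                    (20, "200"), (25, "200"), (90, "500"), (120, "500")]
]

def summarize_by_result_code(rows, now=NOW, window=timedelta(hours=1)):
    """Equivalent of: AppRequests | where timestamp > ago(1h) | summarize count() by resultCode."""
    cutoff = now - window
    return Counter(r["resultCode"] for r in rows if r["timestamp"] > cutoff)

def evaluate_error_rate_rule(rows, now=NOW, window=timedelta(hours=1),
                             threshold=0.4, min_requests=5):
    """Scheduled-rule logic (assumed thresholds): alert when the share of 5xx responses
    in the window reaches `threshold`, but only once `min_requests` have been seen, so a
    single failed request in a quiet hour does not open an incident. KQL equivalent:
        AppRequests | where timestamp > ago(1h)
        | summarize total=count(), errors=countif(resultCode startswith "5")
        | where total >= 5 and toreal(errors) / total >= 0.4
    Returns an alert dict (the shape a step-5 playbook would consume) or None."""
    counts = summarize_by_result_code(rows, now, window)
    total = sum(counts.values())
    if total < min_requests:
        return None  # too little traffic to judge; avoids noisy incidents
    server_errors = sum(n for code, n in counts.items() if code.startswith("5"))
    ratio = server_errors / total
    if ratio < threshold:
        return None
    return {
        "rule": "AppService-5xx-error-rate",  # assumed rule name
        "severity": "High" if ratio >= 0.75 else "Medium",
        "total": total,
        "serverErrors": server_errors,
        "errorRatio": round(ratio, 3),
        "byResultCode": dict(counts),
        "windowStart": (now - window).isoformat(),
    }

if __name__ == "__main__":
    print(summarize_by_result_code(SAMPLE_APP_REQUESTS))
    print(evaluate_error_rate_rule(SAMPLE_APP_REQUESTS))
```

The two rows older than one hour are dropped by the window filter, so the sample yields 3 server errors out of 7 requests and a Medium-severity alert.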

Key resources

Spec-Driven Development (SDD)

This repository now supports a GitHub Copilot-friendly SDD workspace under ai-specs/.

  • Use ai-specs/specs/ to store project standards and documentation rules.
  • Use ai-specs/changes/ to capture proposed changes before implementation.
  • Use ai-specs/codex.md to guide GitHub Copilot interaction.
  • Do not add .claude/, .cursor/, or .codex/ folders in this repository.

Tags and metadata

  • Environment: sandbox / dev / production
  • Purpose: support-escalation-lab
  • Maintainer: Azure App Assure candidate

Notes

  • This lab uses free/low-cost SKUs for the sandbox. Production should use premium SKUs and scale sets.
  • Avoid the managed workspace managed-ai-reliability-demo-ws — use clean, user-controlled resource groups.
  • Sentinel onboarding requires the Microsoft.SecurityInsights/onboardingStates/write permission on the workspace, with no deny assignments blocking it.
  • See docs/security-hardening.md for production-ready recommendations.

Contributing

This is a personal practice lab. To improve it:

  1. Clone or fork the repository
  2. Create a feature branch
  3. Test changes in your sandbox
  4. Commit with clear messages
  5. Document any new patterns or findings
