GitHub: brandonbellamy400-maker/microsoft-sentinel-threat-hunting
# 🛡️ Microsoft Sentinel SIEM & Identity Threat Hunting Lab
## 🏢 Business Scenario: The Brute-Force Break-In
**Company Problem:** Global enterprise logistics provider *BrandonTech* noticed a massive surge in unauthorized sign-in attempts targeting standard corporate accounts. The IT department was completely blind to these credential-stuffing patterns because authentication data lived exclusively in raw identity dumps inside Microsoft Entra ID, completely detached from a security monitoring framework.
**The Solution:** As a Security Engineer, I architected and deployed a cloud-native **SIEM (Security Information and Event Management)** pipeline using **Microsoft Sentinel**. By establishing a diagnostic data stream from the Identity Provider (IdP) to a central Log Analytics Workspace, I engineered custom **Kusto Query Language (KQL)** hunting queries to automatically isolate, aggregate, and surface brute-force attack signatures before an adversary could achieve initial access.
## 🛠️ Skills and Technologies Demonstrated
* **SIEM Management:** Microsoft Sentinel Workspace Deployment
* **Data Engineering:** Log Ingestion Pipelines & Entra ID Connectors
* **Threat Hunting:** Advanced Data Analysis using Kusto Query Language (KQL)
* **Incident Response:** Authentication Error Mapping (`ResultType 50126`)
## 🚀 Step-by-Step Lab Walkthrough
### Phase 1: Environment & Sandbox Architecture
To ensure zero impact on production assets, I initialized a dedicated Azure sandbox directory. I provisioned enterprise user identities—including a target test profile for `Alice Smith` (`asmith`)—to replicate a standard corporate directory framework exposed to public internet endpoints.
### Phase 2: Deploying the SIEM Log Pipeline
I established a centralized Log Analytics Workspace named `law-sentinel-core` to serve as the structural data retention vault and initialized Microsoft Sentinel on top of the workspace engine.
Next, I opened the Microsoft Sentinel configuration console to map data flows from our primary tenant directory assets.
### Phase 3: Adversarial Threat Simulation
Operating from an isolated browser session, I executed an external adversarial simulation by running a targeted brute-force/credential-harvesting attack—intentionally triggering consecutive failed login sequences against the directory infrastructure to generate explicit audit trails.
### Phase 4: KQL Cyber Hunting & Log Aggregation
I pivoted into the Sentinel Logs console to construct precise, high-visibility detection queries. I engineered a query targeting **`ResultType` `50126`** (the Entra ID sign-in error code returned for an invalid username or password) to isolate the source IP addresses behind the failures and trace user-targeting patterns.

```kql
SigninLogs
| where ResultType == "50126"      // invalid username or password
| where UserPrincipalName contains "admin"
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| order by FailedAttempts desc
```
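The lab query above counts failures per account and source. The following is an added example, not part of the original lab, that extends the same `50126` hunt the way a SOC analyst would for triage: it bins failures into time windows, labels whether a source hits one account (brute force) or many (password spray), and joins in any later successful sign-ins from the same IP, which is the signal that most needs follow-up. It assumes the Entra ID `SigninLogs` connector is active; the lookback, window and threshold values are illustrative choices, not values from the lab.

```kql
// Added example (not from the original lab): time-windowed failed-password hunt over SigninLogs.
// Assumptions: Entra ID SigninLogs connector enabled; thresholds below are illustrative.
let lookback = 24h;     // how far back to hunt
let window = 15m;       // aggregation window per source IP
let threshold = 10;     // minimum failures in a window worth surfacing
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "50126"                          // invalid username or password
| summarize
    FailedAttempts = count(),
    DistinctUsers = dcount(UserPrincipalName),
    TargetedUsers = make_set(UserPrincipalName, 20),   // cap the list for readability
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress, bin(TimeGenerated, window)
| where FailedAttempts >= threshold
// One source hammering one account vs. one source trying many accounts
| extend Pattern = iff(DistinctUsers > 1,
                       "password spray (many users, one source)",
                       "brute force (one user, one source)")
// Did the same source ever succeed in the lookback? ResultType "0" is a successful sign-in.
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SuccessfulSignins = count() by IPAddress
) on IPAddress
| project TimeGenerated, IPAddress, Pattern, FailedAttempts, DistinctUsers,
          TargetedUsers, FirstSeen, LastSeen,
          SuccessfulSignins = coalesce(SuccessfulSignins, 0)
| order by SuccessfulSignins desc, FailedAttempts desc
```

Sorting on `SuccessfulSignins` first puts any source that both failed repeatedly and then authenticated at the top of the result set; those rows are candidates for an analytics rule rather than a one-off hunt, and the thresholds should be tuned against the tenant's normal failure rate before automating.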