GitHub: Andreus33/Azure-SOC-Threat-Analysis
# Microsoft Sentinel Threat Analysis Lab
## Overview
This project demonstrates threat detection, incident investigation, and SIEM engineering using Microsoft Sentinel.
## Objectives
- Deploy Microsoft Sentinel
- Connect Windows VM logs
- Configure Azure Monitor Agent
- Create analytics rules
- Detect brute-force attacks
- Investigate incidents using Sentinel
# Environment Architecture

```text
Windows VM
    ↓
Azure Arc
    ↓
Azure Monitor Agent
    ↓
Data Collection Rule
    ↓
Log Analytics Workspace
    ↓
Microsoft Sentinel
```
# Technologies Used
- Microsoft Sentinel
- Azure Arc
- Azure Monitor Agent (AMA)
- Log Analytics Workspace
- KQL
- Windows Event Logs
# Detection Scenarios
## Brute Force Detection
- Event ID 4625
- Failed authentication attempts
## PowerShell Detection
- Event ID 4688
- EncodedCommand execution
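The detection logic behind this scenario, as an added example rather than code from the Azure-SOC-Threat-Analysis repository: it is run in Python over constructed Event ID 4688 records whose field names follow the SecurityEvent table (NewProcessName, CommandLine). The records, the hostnames and the accounts are made up for the example; the set of accepted switch spellings reflects that PowerShell resolves any unambiguous prefix of -EncodedCommand and documents -e and -ec as aliases.

```python
# Added example, not code from the Azure-SOC-Threat-Analysis repository: the
# detection logic for the README's 'PowerShell Detection' scenario, run in
# Python over constructed EventID 4688 records. Field names follow the
# SecurityEvent table (NewProcessName, CommandLine); the records themselves
# are made up for the example.
import base64
import binascii

# PowerShell accepts any unambiguous prefix of -EncodedCommand and documents
# -e and -ec as aliases, so matching only "-enc" would miss "-e", "-ec", "-encoded" ...
ENCODED_SWITCHES = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}


def decode_encoded_command(token: str):
    """-EncodedCommand carries base64 over UTF-16LE text; return the script
    text, or None when the token is not a valid payload of that shape."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_encoded_command(command_line: str):
    """Return the decoded script if an encoded-command switch is followed by a
    decodable payload, else None (the switch alone is not enough: the value
    must actually decode, which keeps '-e' from firing on unrelated arguments)."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/") and tok[1:].lower() in ENCODED_SWITCHES:
            decoded = decode_encoded_command(tokens[i + 1].strip("\"'"))
            if decoded is not None:
                return decoded
    return None


def detect_encoded_powershell(events):
    """Mirror of what a Sentinel rule on SecurityEvent would emit: 4688 records
    whose process is PowerShell and whose command line carries an encoded command."""
    findings = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if exe not in POWERSHELL_BINARIES:
            continue
        decoded = find_encoded_command(e["CommandLine"])
        if decoded is not None:
            findings.append({"Computer": e["Computer"], "Account": e["Account"],
                             "Process": exe, "DecodedCommand": decoded})
    return findings


def sample_events():
    """Constructed 4688 records: one encoded PowerShell launch (payload is just
    'Get-Process'), one ordinary script run, one unrelated cmd.exe process."""
    payload = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return [
        {"EventID": 4688, "Computer": "WIN-LAB01", "Account": "LAB\\alice",
         "NewProcessName": ps,
         "CommandLine": f"powershell.exe -NoP -W Hidden -enc {payload}"},
        {"EventID": 4688, "Computer": "WIN-LAB01", "Account": "LAB\\svc-backup",
         "NewProcessName": ps,
         "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
        {"EventID": 4688, "Computer": "WIN-LAB01", "Account": "LAB\\alice",
         "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
         "CommandLine": "cmd.exe /c whoami"},
    ]


if __name__ == "__main__":
    for f in detect_encoded_powershell(sample_events()):
        print(f"{f['Computer']} {f['Account']} {f['Process']}: {f['DecodedCommand']!r}")
```

One caveat that matters in the lab: Event ID 4688 only carries the CommandLine field when the Windows audit policy "Include command line in process creation events" is enabled on the VM; without it the field is empty in SecurityEvent and neither this logic nor a KQL rule on it has anything to match.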
# KQL Queries
## Failed Login Detection

```kql
SecurityEvent
| where EventID == 4625
| summarize FailedAttempts=count() by Account, Computer, bin(TimeGenerated, 5m)
| where FailedAttempts >= 5
```
## Successful Login Detection

```kql
SecurityEvent
| where EventID == 4624
```
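The grouping the two queries above rely on, as an added example that is not part of the repository: the same count of 4625 events per Account, Computer and 5-minute bin with the >= 5 threshold, implemented in Python over constructed SecurityEvent-style records so the effect of bin() can be seen step by step. The follow-on check (a 4624 for a principal that just produced a burst, the T1078-after-T1110 pattern the MITRE mapping hints at) is an assumed extension that goes beyond the README's queries; the timestamps, hosts and accounts are made up.

```python
# Added example, not code from the Azure-SOC-Threat-Analysis repository: the same
# grouping the README's KQL performs (count 4625 per Account, Computer and
# 5-minute bin; keep groups with >= 5), implemented in Python over constructed
# SecurityEvent-style records so the windowing can be seen step by step. The
# follow-on check (a 4624 for a principal that just had a burst) is an assumed
# extension that ties the two queries together; it is not in the README.
from collections import Counter
from datetime import datetime, timedelta

BIN = timedelta(minutes=5)   # bin(TimeGenerated, 5m)
THRESHOLD = 5                # FailedAttempts >= 5
_EPOCH = datetime(1970, 1, 1)


def bin_start(ts: datetime, width: timedelta = BIN) -> datetime:
    """Floor a timestamp to its bin boundary, as KQL bin() does."""
    return _EPOCH + ((ts - _EPOCH) // width) * width


def failed_login_bursts(events, threshold: int = THRESHOLD):
    """Count EventID 4625 per (Account, Computer, bin); return groups at or
    above the threshold, keyed like the README's summarize output."""
    counts = Counter()
    for e in events:
        if e["EventID"] == 4625:
            key = (e["Account"], e["Computer"], bin_start(e["TimeGenerated"]))
            counts[key] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def successes_after_burst(events, bursts, width: timedelta = BIN):
    """Assumed extension: EventID 4624 for an Account/Computer that had a burst
    in the same bin or the one before it (T1078 following T1110)."""
    hits = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        b = bin_start(e["TimeGenerated"], width)
        if any((e["Account"], e["Computer"], start) in bursts
               for start in (b - width, b)):
            hits.append((e["Account"], e["Computer"], e["TimeGenerated"]))
    return hits


def sample_events():
    """Constructed records (not real telemetry): six failures then a success
    for one account, two failures and a success for another."""
    base = datetime(2024, 1, 15, 10, 0, 0)
    host = "WIN-LAB01"
    ev = []
    for i in range(6):
        ev.append({"TimeGenerated": base + timedelta(seconds=30 * i),
                   "EventID": 4625, "Account": "LAB\\svc-backup", "Computer": host})
    for i in range(2):
        ev.append({"TimeGenerated": base + timedelta(minutes=1, seconds=15 * i),
                   "EventID": 4625, "Account": "LAB\\alice", "Computer": host})
    ev.append({"TimeGenerated": base + timedelta(minutes=4), "EventID": 4624,
               "Account": "LAB\\svc-backup", "Computer": host})
    ev.append({"TimeGenerated": base + timedelta(minutes=2), "EventID": 4624,
               "Account": "LAB\\alice", "Computer": host})
    return ev


if __name__ == "__main__":
    ev = sample_events()
    bursts = failed_login_bursts(ev)
    for (account, computer, start), n in bursts.items():
        print(f"burst: {account} on {computer} at {start:%H:%M}: {n} failures")
    for account, computer, when in successes_after_burst(ev, bursts):
        print(f"success after burst: {account} on {computer} at {when:%H:%M:%S}")
```

Two properties of bin() worth noticing from the output: a burst split across a bin boundary is counted as two smaller groups, which is why the success check looks at the previous bin as well as the current one, and a slow attacker spreading attempts over more than five minutes never reaches the threshold at all, which is the trade-off any fixed-window rule makes.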
# MITRE ATT&CK Mapping
| Technique | ID |
|---|---|
| Brute Force | T1110 |
| PowerShell | T1059 |
| Valid Accounts | T1078 |
# Screenshots
## Sentinel Incident

## Investigation Graph

# Skills Demonstrated
- SIEM Engineering
- Threat Hunting
- Incident Response
- KQL Development
- Windows Security Monitoring
- Azure Security Operations