georgearun1585/Brute-Force-Detection-Incident-Response-Microsoft-Sentinel-MDE-

GitHub: georgearun1585/Brute-Force-Detection-Incident-Response-Microsoft-Sentinel-MDE-

Stars: 0 | Forks: 0

# Brute-Force-Detection-Incident-Response-Microsoft-Sentinel-MDE-

This project demonstrates how SOC teams use Microsoft Sentinel (SIEM) and Microsoft Defender for Endpoint (MDE) telemetry to detect brute-force login attempts against cloud virtual machines, automatically generate incidents, and investigate them using the NIST 800-61 Incident Response Lifecycle.

🎯 What This Project Demonstrates

  • Built a Sentinel scheduled analytics rule to detect repeated failed logons (10+ failures within 5 hours)
  • Mapped entities (Remote IP and Device Name) for investigation-ready alerts
  • Automatically generated Sentinel incidents and grouped alerts to reduce noise
  • Worked the incident end-to-end following NIST 800-61
  • Validated whether brute-force attempts resulted in successful authentication
  • Recommended cloud hardening controls using NSGs and Azure Policy

🧠 MITRE ATT&CK Mapping

Observed Activity ATT&CK Tactic ATT&CK Technique ID
Repeated failed authentication attempts from external IPs Credential Access Brute Force T1110
Targeting exposed RDP/VM login services Initial Access External Remote Services T1133
Attempted authentication against multiple hosts Discovery Network Service Discovery T1046
Post-detection validation of successful logons Credential Access Valid Accounts T1078

🧰 Tools & Technologies

  • Microsoft Sentinel (SIEM)
  • Microsoft Defender for Endpoint (EDR)
  • Log Analytics Workspace
  • KQL (Kusto Query Language)
  • Azure Virtual Machines
  • Network Security Groups (NSGs)
  • NIST 800-61 Incident Response Framework

🧪 Detection Logic Overview

Failed logon events generated on Windows virtual machines are collected by Microsoft Defender for Endpoint and stored in the DeviceLogonEvents table. These events are forwarded to Microsoft Sentinel, where a scheduled analytics rule evaluates whether the same Remote IP has failed authentication against the same Device ten or more times within a five-hour window.

🧯 Incident Response Summary (NIST 800-61)

  • Preparation: Logging, entity mapping, and detection rules in place
  • Detection & Analysis: Sentinel alert and incident generation
  • Containment: NSG lockdown to block public internet access
  • Eradication & Recovery: Verified no successful brute-force logins occurred
  • Post-Incident Activity: Recommended Azure Policy to enforce hardened NSG baselines

🏆 Why This Matters

Brute-force attacks remain one of the most common entry points into cloud environments. This project shows hands-on experience with detection engineering, incident response, and cloud security hardening—core responsibilities of SOC Analysts and Cloud Security Engineers.