This project demonstrates my ability to detect and investigate authentication-based threats using Microsoft Sentinel in a SOC-style workflow. The project involved collecting sign-in logs, creating a KQL detection query, building an analytics rule, and investigating a real incident involving repeated failed login attempts.
The objective of this project is to detect and investigate suspicious authentication activity using Microsoft Sentinel. This includes:
- Collecting authentication logs
- Writing a detection query using KQL
- Creating an analytics rule
- Investigating a generated security incident

Tools used:
- Microsoft Sentinel
- Microsoft Entra ID (formerly Azure Active Directory)
- Log Analytics Workspace
- Kusto Query Language (KQL)

Steps performed:
- Ingested Microsoft Entra ID (Azure AD) sign-in logs into Microsoft Sentinel through the connected Log Analytics workspace
- Developed a KQL query to detect multiple failed login attempts
- Created an analytics rule to generate alerts based on the query
- Triggered and analyzed an incident in Microsoft Sentinel
- Investigated sign-in patterns and user activity
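The detection query itself is not reproduced on this page. The query below is an added example written for this write-up, not the project's own query, showing the shape such a detection typically takes against the `SigninLogs` table that the Entra ID connector populates: count non-successful sign-ins per user and source IP inside the rule's lookback window, keep only pairs at or above a threshold, and flag whether a successful sign-in from the same source followed the failures (the case an analyst most needs to triage first). The one-hour window, the threshold of five, and the use of `ResultType != "0"` as the failure condition are assumptions to tune per tenant.

```kql
// Added example, not the project's original query.
// Assumed parameters: 1h lookback, 5 failures; adjust for your tenant.
let lookback = 1h;
let threshold = 5;
// ResultType "0" is a successful sign-in; anything else is a failure
// (wrong password 50126, locked account 50053, MFA required 50074/50076, ...).
// Keeping the distinct codes in the output lets the analyst tell a
// password-guessing burst from a user repeatedly tripping MFA.
let failures =
    SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType != "0"
    | project TimeGenerated, UserPrincipalName, IPAddress,
              ResultType, ResultDescription, AppDisplayName, Location;
failures
| summarize
    FailedAttempts = count(),
    FirstFailure   = min(TimeGenerated),
    LastFailure    = max(TimeGenerated),
    ResultTypes    = make_set(ResultType),
    Apps           = make_set(AppDisplayName),
    Locations      = make_set(Location)
  by UserPrincipalName, IPAddress
| where FailedAttempts >= threshold
// Did the same user/IP pair eventually succeed? A success after a burst of
// failures is the strongest signal that the credential was guessed.
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType == "0"
    | summarize LastSuccess = max(TimeGenerated) by UserPrincipalName, IPAddress
  ) on UserPrincipalName, IPAddress
| extend SuccessAfterFailures = isnotnull(LastSuccess) and LastSuccess > LastFailure
| project-away UserPrincipalName1, IPAddress1
| order by SuccessAfterFailures desc, FailedAttempts desc
```

To turn this into a scheduled analytics rule, set the rule's lookback to match the `lookback` value (here one hour), run it at least that often, and map `UserPrincipalName` to the Account entity and `IPAddress` to the IP entity so the generated incident carries both pivots for investigation. Two caveats for the investigation step: `SigninLogs` holds interactive sign-ins only, so non-interactive and service-principal activity lives in separate tables and will not be counted here, and the `Locations` set is derived from the IP, so a VPN or cloud egress address can make a single actor look like several countries.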

Results:
- Successfully detected repeated failed login attempts
- Generated an alert and corresponding incident in Microsoft Sentinel
- Performed investigation to validate the alert
- Demonstrated end-to-end SOC workflow from detection to investigation