This repository contains hands-on labs and detection engineering projects designed to simulate incident response workflows using Microsoft Sentinel. Each lab focuses on a specific threat scenario and aligns with the NIST 800-61 incident handling lifecycle, including preparation, detection, analysis, containment, and remediation.
🔎 Tools featured include Kusto Query Language (KQL), Azure Log Analytics, and Microsoft Sentinel Analytics Rules.
🌍 Impossible Travel Detection with Microsoft Sentinel
Identifies suspicious sign-ins from geographically distant locations within short timeframes, suggesting potential credential compromise. Includes Sentinel rule creation, KQL investigation, and full incident response aligned with NIST 800-61.
⚡ PowerShell Suspicious Web Request Detection
Simulates malicious use of PowerShell to download remote payloads using Invoke-WebRequest. Walks through Sentinel detection, incident investigation, and response using MDE and the NIST 800-61 lifecycle.
🔐 Brute Force Detection with Microsoft Sentinel
Detects repeated failed login attempts from the same remote IP address using KQL and Sentinel scheduled analytics rules, mapped to MITRE ATT&CK T1110 (Brute Force).
🗺️ Log Visualizations with Microsoft Sentinel
Geolocates authentication failures, malicious traffic, and unauthorized resource creation using custom KQL queries, IP enrichment with a geoip watchlist, and Sentinel workbook heatmaps. Supports visual threat analysis and correlation of log data across Entra ID and Azure infrastructure.
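As an added illustration of the brute force lab's approach (an example written here, not a query taken from this repository), the KQL below counts failed logons per remote IP over a lookback window, the shape a Sentinel scheduled analytics rule would run. The DeviceLogonEvents table, its column names, and the threshold of 10 failures in 5 hours are assumptions to adapt to your workspace.

```kql
// Added example, not from this repository: candidate query for a scheduled analytics rule.
// Source table is assumed to be DeviceLogonEvents (Defender for Endpoint telemetry in Sentinel).
// The 5-hour window should match the rule's "lookup data from the last" setting,
// and the threshold of 10 failures is an assumption to tune per environment.
DeviceLogonEvents
| where TimeGenerated > ago(5h)
| where ActionType == "LogonFailed"
| where isnotempty(RemoteIP)
| summarize
    FailedAttempts   = count(),
    FirstFailure     = min(TimeGenerated),
    LastFailure      = max(TimeGenerated),
    TargetedAccounts = make_set(AccountName, 20)   // cap the set so one noisy IP stays readable
  by RemoteIP, DeviceName
| where FailedAttempts >= 10
| extend MitreTechnique = "T1110"                  // tag for the incident's ATT&CK mapping
| order by FailedAttempts desc
```

Mapping RemoteIP and DeviceName as entities in the rule lets the resulting incident carry the source address and target host into the analysis and containment steps.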
These labs are structured around the NIST SP 800-61 Rev. 2 guidelines, simulating real-world detection and response processes:
- Preparation – Establish detection rules and telemetry
- Detection & Analysis – Query log data and generate alerts
- Containment, Eradication & Recovery – Simulated or real investigation actions
- Post-Incident Activity – Documentation, closure, and learning
More labs coming soon: Insider Threats, Beaconing, Credential Dumping, and Data Exfiltration scenarios.