Virtualized SOC Sandbox Lab

Windows Server 2022 | Kali Linux | Microsoft Sentinel | KQL | Tenable Nessus

Current Status: Completed

Screenshot of Virtualized SOC Sandbox Lab

Project Overview

This project involved constructing an isolated virtual network to safely emulate a brute-force credential access attack. By utilizing a Kali Linux attack machine and a vulnerable Windows Server instance, I generated live attack telemetry.

The Security Focus

  • Log Ingestion & Analysis: Configured Azure Monitor Agent (AMA) to stream Windows Security Events directly to Microsoft Sentinel.
  • Threat Detection: Wrote custom Kusto Query Language (KQL) scripts to identify anomalies, specifically looking for Event ID 4625 (failed logins) followed rapidly by Event ID 4624 (successful login).
  • Automated Alerting: Engineered Scheduled Query Rules within Sentinel to trigger a Medium Severity incident when the brute-force pattern was detected, generating an Entity Map for incident response.
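The detection logic described above, written out as an added KQL example (this is not the project's own query). It assumes the AMA-forwarded Windows Security Events land in the standard Sentinel SecurityEvent table with its usual Account, IpAddress, Computer and LogonType columns; the threshold of 5 failures within 10 minutes, the LogonType filter and the 1h lookback are constructed tuning values, not figures from the project.

```kql
// Added example, not the project's original query.
// Brute-force pattern: a burst of 4625 (failed logon) from one source IP
// against one host, followed within the same window by a 4624 (successful
// logon) from that IP. Thresholds below are constructed and should be tuned.
let lookback = 1h;          // assumption: matches the scheduled rule's query period
let failWindow = 10m;       // assumption: burst window
let failThreshold = 5;      // assumption: minimum failures to count as a burst
// Step 1: collapse failed logons into bursts per source IP / host / target account.
let failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
                by TargetAccount = Account, IpAddress, Computer
    | where FailedCount >= failThreshold
    | where LastFail - FirstFail <= failWindow;
// Step 2: find successful logons from the same IP to the same host that
// occur shortly after the burst. LogonType 3 (network) and 10 (RDP) are the
// types a remote brute-force tool produces; local console logons (2) are excluded.
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624
| where LogonType in (3, 10)
| project SuccessTime = TimeGenerated, Account, IpAddress, Computer, LogonType
| join kind=inner failures on IpAddress, Computer
| where SuccessTime > LastFail and SuccessTime - LastFail <= failWindow
// Step 3: keep the columns the scheduled rule maps to entities
// (Account -> Account entity, IpAddress -> IP entity, Computer -> Host entity).
| project SuccessTime, Account, TargetAccount, IpAddress, Computer, LogonType,
          FailedCount, FirstFail, LastFail
| order by SuccessTime desc
```

When this query backs a Scheduled Query Rule, set the rule's lookback to at least the `lookback` value so the failure burst and the later success both fall inside one evaluation, and map `Account`, `IpAddress` and `Computer` in the rule's entity mapping so the incident's entity map is populated from the query output.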

CURRENT WORK IN PROGRESS