This project demonstrates an end-to-end SOC analyst investigation workflow, covering alert triage, log analysis, threat hunting, MITRE ATT&CK mapping, incident response, business impact assessment, and executive reporting.
A simulated SIEM alert was investigated for suspicious authentication activity, possible credential compromise, and lateral movement indicators.
This repository includes completed SOC-style case studies that demonstrate alert triage, log analysis, MITRE ATT&CK mapping, incident response thinking, and analyst reporting.
A simulated SOC investigation involving multiple failed RDP logins followed by a successful login from the same external IP address. The case study demonstrates authentication analysis, true positive classification, MITRE ATT&CK mapping, and containment recommendations.
Case Study: Suspicious RDP Login Investigation
A lab-based SOC investigation using telemetry from my Azure Security Operations & Threat Detection lab. This case study focuses on Windows Security Event ID 4625, failed logon analysis, Microsoft Sentinel / Log Analytics investigation workflow, KQL queries, source IP review, MITRE ATT&CK mapping, and defensive recommendations.
Case Study: Azure SOC Failed Logon Investigation
Note: These case studies use simulated or lab-generated security telemetry for portfolio demonstration purposes. No real company logs, customer data, or sensitive information are included.
- SIEM alert triage
- Windows Event Log analysis
- MITRE ATT&CK mapping
- IOC documentation
- Incident timeline creation
- Containment and remediation planning
- Executive incident reporting
- Alert triage
- Log correlation
- Threat hunting
- MITRE ATT&CK mapping
- Incident response actions
- Business impact assessment
- Executive summary
- Evidence documentation
- SIEM alert analysis template
- Incident response report structure
- MITRE ATT&CK mapping table
- IOC tracking table
- Evidence and screenshot reference section
- Executive summary format
This project shows my ability to investigate alerts in a structured way, validate suspicious activity using logs, map attacker behaviour to MITRE ATT&CK, and communicate findings to both technical and non-technical stakeholders.
This SOC assessment is supported by a related hands-on Azure security operations lab.
In that lab, I deployed a Windows VM honeypot in Microsoft Azure, collected Windows Security Events using Azure Monitor Agent, forwarded logs into Log Analytics Workspace, investigated failed logon activity using KQL, enriched source IPs with GeoIP data, and visualized attack origins using a Microsoft Sentinel Workbook.
Related Project: Azure Security Operations & Threat Detection Lab
Focus Areas: Microsoft Sentinel, KQL, Windows Event Logs, Event ID 4625, failed login investigation, GeoIP enrichment, attack map visualization.
Repository: https://github.com/Luekrit/Azure-Security-Operations-Threat-Detection