Home SIEM Lab: Azure Sentinel and Microsoft Defender
Overview
A self-directed project focused on building and operating a security monitoring environment. I configured Azure Sentinel (cloud-native SIEM) and Microsoft Defender for Cloud to monitor a small mixed estate of Windows and Linux (Ubuntu) virtual machines, with the VMs reporting into a single Log Analytics workspace.
Key Activities
- Tool Management: Configured Azure Sentinel data connectors for Windows Security Events, Syslog (Linux), and Azure Activity Logs.
- Incident Response: Investigated real-time security events, ranging from brute-force attempts to suspicious process executions.
- Vulnerability Management: Used Microsoft Defender for Cloud recommendations to identify missing patches and misconfigurations on the VMs, then applied the fixes and verified that the secure-score findings closed.
- Reporting: Documented findings in structured incident response reports (see incident_report_template.md).
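As an added example of the brute-force detection described above (this is not the repository's own sentinel_queries.kql, and the 10-minute window and threshold of 10 failures are assumptions to tune for your own environment), the query below reads failed logons from both connectors the lab uses, Windows Security Events (Event ID 4625 in SecurityEvent) and Linux sshd "Failed password" lines from Syslog, normalises them to one shape, and counts failures per source IP and host per time bin. It also flags whether a burst hit one account (classic brute force) or many (password spray or user enumeration).

```kql
// Failed-logon burst detection across the Windows and Linux connectors.
// Constants below are assumed starting points, not values from the original lab.
let lookback  = 1h;    // how far back the scheduled rule looks
let window    = 10m;   // bin size for counting failures
let threshold = 10;    // failures per source IP + host + bin that raise an alert
// Windows: 4625 = "An account failed to log on". IpAddress is "-" for local/console
// failures, which are not network brute force, so they are dropped.
let WinFailures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where isnotempty(IpAddress) and IpAddress != "-"
    | project TimeGenerated, Host = Computer, SrcIp = IpAddress,
              TargetAccount = TargetUserName, Source = "Windows 4625";
// Linux: sshd writes lines such as
//   "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
// so the source IP and target user are pulled out with regex captures.
let LinuxFailures =
    Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName == "sshd" and SyslogMessage has "Failed password"
    | extend SrcIp = extract(@"from (\S+) port", 1, SyslogMessage),
             TargetAccount = extract(@"for (?:invalid user )?(\S+) from", 1, SyslogMessage)
    | where isnotempty(SrcIp)
    | project TimeGenerated, Host = Computer, SrcIp, TargetAccount, Source = "Linux sshd";
union WinFailures, LinuxFailures
| summarize FailedCount    = count(),
            TargetAccounts = make_set(TargetAccount, 20),
            Sources        = make_set(Source),
            FirstFail      = min(TimeGenerated),
            LastFail       = max(TimeGenerated)
          by Host, SrcIp, bin(TimeGenerated, window)
| where FailedCount >= threshold
| extend AccountCount = array_length(TargetAccounts)
| extend Pattern = iff(AccountCount > 1,
                       "password spray / user enumeration",
                       "single-account brute force")
| project TimeGenerated, Host, SrcIp, FailedCount, AccountCount, Pattern,
          TargetAccounts, Sources, FirstFail, LastFail
| order by FailedCount desc
```

To turn this into a Sentinel scheduled analytics rule, set the rule frequency and lookup period to match `lookback`, map `SrcIp` to the IP entity and `Host` to the Host entity so incidents get the right investigation graph, and expect to raise `threshold` on hosts with an exposed RDP or SSH port, where background scanning alone can exceed ten failures per bin.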
Contents
- sentinel_queries.kql: Custom Kusto Query Language (KQL) queries for threat detection.
- incident_report_template.md: A template used for documenting security investigations and resolutions.
Technologies Used
- Azure Sentinel (SIEM)
- Microsoft Defender for Cloud
- Kusto Query Language (KQL)
- Azure Monitor / Log Analytics
- Windows & Linux (Ubuntu) VMs