Cybersecurity / IT
.jpg)
Building a Cybersecurity Monitoring Simulation in Azure
As part of my hands-on journey into cybersecurity, I designed and implemented a cloud-based monitoring simulation using Microsoft Azure. The goal was to simulate a security operations center (SOC) environment, detect suspicious login behavior, and gain deeper insights into log analysis, SIEM systems, and cloud infrastructure. This project was both a personal challenge and a strategic stepping stone to build technical depth in Azure, Windows Server security, and threat detection workflows using Azure Sentinel.
Introduction
The core of the project consisted of the following components:
-
Microsoft Azure (Free Trial Account with $200 Credit)
-
Virtual Machine (AhsansVM – running Windows 11)
-
Azure Sentinel (SIEM solution to collect and analyze logs)
-
Azure Monitor Agent (Installed on AhsansVM for log forwarding)
-
Log Analytics Workspace (AhsansLogAnalytics – central data repository)
-
Custom Sentinel Analytics Rule (Detect successful RDP logins from non-system users)
System Architecture Overview
Steps
-
Successfully deployed a simulated environment mimicking a small-scale SOC.
-
Azure Sentinel now receives real-time security events from AhsansVM.
-
The custom rule effectively identifies suspicious login behavior (non-system RDP logins).
-
Upon detection, alerts and incidents are automatically generated, providing a visual overview of potential threats within the Sentinel dashboard.
Results
-
Microsoft Azure (Cloud Infrastructure)
-
Azure Virtual Machines
-
Azure Sentinel (SIEM)
-
Azure Monitor Agent
-
Kusto Query Language (KQL)
-
Windows 11 Pro Virtual Machine
Tools and Technologies Used
🛠 Technical Skills Developed
-
Proficiency in Azure cloud architecture, including VM provisioning, resource grouping, and networking.
-
Gained practical knowledge of installing and configuring log forwarding tools (Azure Monitor Agent).
-
Wrote and tested security detection queries using KQL inside Sentinel.
-
Learned to tune and test analytics rules for real-time alerting.
📈 Security Understanding Enhanced
-
Deepened understanding of Windows Security Events, especially Event ID 4624 (logon success).
-
Gained insights into how RDP can be a vector for initial access in real-world cyberattacks.
-
Recognized the importance of excluding system accounts and refining rules to reduce false positives.
Key Lessons Learned
🔍 Enhance Threat Detection
-
Integrate threat intelligence feeds (e.g., Microsoft TI, AlienVault OTX) to enrich log data and detect known IOCs.
🤖 Automate Response Actions
-
Use Azure Logic Apps or playbooks to:
-
Auto-block IPs based on suspicious login attempts.
-
Isolate the VM from the network.
-
Notify administrators via Teams, SMS, or email.
🔧 Expand Monitoring Scope
-
Add file integrity monitoring (FIM) to watch for unauthorized file changes.
-
Implement network traffic analysis tools (e.g., Azure NSG flow logs).
-
Integrate additional VMs to simulate different roles (e.g., a web server or database server under attack).
🔧 Expand Monitoring Scope
-
Leverage Azure ML or Sentinel's built-in UEBA (User and Entity Behavior Analytics) to detect anomalies and patterns that indicate lateral movement or data exfiltration.
Future Enhancements & Expansion Ideas
This project marked a significant milestone in my cybersecurity journey. By building a security monitoring simulation in Azure from the ground up, I demonstrated my ability to plan, deploy, and manage a basic yet effective SIEM solution. It solidified my skills in cloud infrastructure, log analysis, detection engineering, and Windows security. More importantly, it showed me how theory translates into actionable detection in real environments.
I look forward to expanding this simulation into a more robust, scalable security lab that continuously challenges and enhances my capabilities as a future cybersecurity professional.