Azure-based Suspicious Login Detection System

Overview

This project replicates a real-world Security Operations Center (SOC) environment by simulating, detecting, and alerting on suspicious login activity using Azure Sentinel, Log Analytics, and Logic Apps — all within the Azure Free Tier.

The goal was to simulate threats like:

  • Multiple failed logins (brute-force attempts)

  • Logins from unusual locations

  • Off-hour access behavior

I built a full threat detection pipeline that collects login events, detects anomalies using KQL, triggers alerts automatically, and visualizes the data using an interactive analyst dashboard.



⚙️ Tools & Technologies Used

🔹 Azure Log Analytics – to store and query simulated login logs

🔹 Microsoft Sentinel (SIEM) – to detect threats using analytic rules

🔹 Azure Logic Apps – for automated email alerting

🔹 Python – to simulate realistic login patterns (normal & suspicious)

🔹 Kusto Query Language (KQL) – to write detection queries

🔹 Sentinel Workbooks – to create a dashboard for SOC-style monitoring



📦 Components Built

Component – Purpose

Python Log Generator – Creates randomized login logs (success/failure, IP, time)

Log Analytics Workspace – Ingests logs using the Data Collector API

Sentinel Detection Rule – Detects brute-force behavior (>5 failed logins/hour)

Logic App – Sends alert email when rule is triggered

Workbook Dashboard – Visualizes login heatmap, top users/IPs, failed attempts over time
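The first two components above, the log generator and the Data Collector API ingestion, are shown here as an added example written for this write-up; it is not the project's own generator script. It assumes placeholder workspace credentials, a custom log type named LoginEvents (Sentinel exposes it as LoginEvents_CL), RFC 5737 documentation addresses for the "attacker" IPs, and the user-assigned country code "ZZ" as a stand-in for an unexpected country. The signature computation follows the SharedKey scheme documented for the Data Collector API; the seeded generator produces a reproducible mix of benign office-hours logins, one brute-force burst, and one off-hours login.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json
import random
import urllib.request

# Constructed placeholder values; replace with a real workspace id and primary key.
PLACEHOLDER_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_SHARED_KEY = "cGxhY2Vob2xkZXIta2V5"   # base64("placeholder-key")
LOG_TYPE = "LoginEvents"                           # assumed name; shows up as LoginEvents_CL
USERS = ["alice", "bob", "carol", "dave"]          # constructed sample accounts
NORMAL_IPS = ["10.0.0.5", "10.0.0.9", "10.0.0.21"]
ATTACKER_IP = "203.0.113.77"                       # RFC 5737 documentation address
UTC = dt.timezone.utc


def generate_login_events(seed=1, normal=40, burst=8):
    """Return login records: mostly benign office-hours logins, plus one
    brute-force burst (`burst` failures from ATTACKER_IP inside one hour)
    and one off-hours login from an unusual country."""
    rng = random.Random(seed)                      # seeded, so output is reproducible
    day = dt.datetime(2024, 1, 15, 0, 0, tzinfo=UTC)
    events = []
    for _ in range(normal):                        # 09:00-16:59 UTC, ~10% failures
        ts = day + dt.timedelta(hours=9, minutes=rng.randrange(0, 8 * 60))
        events.append({"TimeGenerated": ts.isoformat(), "User": rng.choice(USERS),
                       "SourceIP": rng.choice(NORMAL_IPS), "Country": "US",
                       "Result": "Success" if rng.random() < 0.9 else "Failure"})
    for i in range(burst):                         # two minutes apart: all inside one hour
        ts = day + dt.timedelta(hours=12, minutes=2 * i)
        events.append({"TimeGenerated": ts.isoformat(), "User": "alice",
                       "SourceIP": ATTACKER_IP, "Country": "ZZ", "Result": "Failure"})
    ts = day + dt.timedelta(hours=2, minutes=30)   # off-hours login, unusual country
    events.append({"TimeGenerated": ts.isoformat(), "User": "bob",
                   "SourceIP": "198.51.100.23", "Country": "ZZ", "Result": "Success"})
    events.sort(key=lambda e: e["TimeGenerated"])  # same day, same zone: string order is time order
    return events


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """Authorization header value per the Data Collector API docs: HMAC-SHA256
    over the canonical string, keyed with the base64-decoded shared key."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, events, now=None):
    """Assemble URL, headers and JSON body for one POST to the API."""
    body = json.dumps(events).encode("utf-8")
    now = now or dt.datetime.now(UTC)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        # Without this header TimeGenerated becomes the ingestion time rather
        # than the event time carried in the payload.
        "time-generated-field": "TimeGenerated",
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           "/api/logs?api-version=2016-04-01")
    return url, headers, body


def post_events(workspace_id, shared_key, log_type, events):
    """Send one batch; returns the HTTP status (200 means accepted)."""
    url, headers, body = build_request(workspace_id, shared_key, log_type, events)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    batch = generate_login_events()
    url, headers, _ = build_request(PLACEHOLDER_WORKSPACE_ID, PLACEHOLDER_SHARED_KEY,
                                    LOG_TYPE, batch)
    print(f"{len(batch)} events ready for {url}")
    print("Authorization:", headers["Authorization"])
    # post_events(PLACEHOLDER_WORKSPACE_ID, PLACEHOLDER_SHARED_KEY, LOG_TYPE, batch)
```

The `time-generated-field` header is the piece to check first when KQL queries seem to return the wrong timestamps: if it is absent, `TimeGenerated` in the workspace is the moment of ingestion, and the custom field lands as `TimeGenerated_t` or similar alongside it. Keep the shared key out of source control and rotate it if it has ever been committed.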


🌐 Real-World Applications

✅ Simulates what Tier 1 SOC analysts face in a real job

✅ Helps visualize attacker behavior using time-based and user/IP-based queries

✅ Aligns with MITRE ATT&CK tactics and techniques such as Initial Access via Valid Accounts (T1078) and Brute Force (T1110)

✅ Fully cloud-based — no need for VMs or expensive tools

✅ Great training environment for SIEM, KQL, and automation tools



💡 Detection Scenarios Covered

  • Brute-force attack from a single IP

  • Suspicious access outside of business hours

  • Logins from geographically restricted regions

  • Failed login trend spikes

  • Frequent login attempts for the same account
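The five scenarios above, implemented as plain Python over a constructed sample log so the logic can be run and checked offline. This is an added example, not the project's KQL analytic rules; field names (TimeGenerated, User, SourceIP, Country, Result) are assumed and in a real custom table would carry Sentinel's type suffixes. The brute-force check uses the page's own threshold (more than 5 failures within one hour) and is parameterised by key, so the same function covers "single IP" and "same account"; the RFC 5737 addresses and the country code "ZZ" are placeholders.

```python
import datetime as dt
from collections import defaultdict
from statistics import median

UTC = dt.timezone.utc


def _t(hour, minute):
    """Timestamp on a fixed constructed day."""
    return dt.datetime(2024, 1, 15, hour, minute, tzinfo=UTC)


def _ev(when, user, ip, country, result):
    return {"TimeGenerated": when, "User": user, "SourceIP": ip,
            "Country": country, "Result": result}


# Constructed sample log, not project data. 203.0.113.77 and 198.51.100.23 are
# RFC 5737 documentation addresses; "ZZ" stands in for a disallowed country.
SAMPLE_EVENTS = [
    _ev(_t(9, 5), "alice", "10.0.0.5", "US", "Success"),
    _ev(_t(9, 40), "bob", "10.0.0.9", "US", "Failure"),
    _ev(_t(10, 15), "bob", "10.0.0.9", "US", "Success"),
    _ev(_t(14, 0), "dave", "10.0.0.21", "US", "Success"),
    _ev(_t(2, 30), "carol", "198.51.100.23", "ZZ", "Success"),     # off-hours, odd country
] + [
    _ev(_t(12, 2 * i), "alice", "203.0.113.77", "ZZ", "Failure")   # 6 failures in 12 minutes
    for i in range(6)
] + [
    _ev(_t(12, 14), "alice", "203.0.113.77", "ZZ", "Success"),     # success right after the burst
]


def burst_detections(events, key="SourceIP", threshold=5, window=dt.timedelta(hours=1)):
    """Sliding-window count of failures per `key` (SourceIP or User).
    Flags any value with more than `threshold` failures inside `window`;
    returns {value: highest count seen}."""
    failures = defaultdict(list)
    for e in events:
        if e["Result"] == "Failure":
            failures[e[key]].append(e["TimeGenerated"])
    hits = {}
    for value, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:       # drop failures older than the window
                start += 1
            count = end - start + 1
            if count > threshold:
                hits[value] = max(count, hits.get(value, 0))
    return hits


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside business hours (UTC here; a production rule
    would convert to each user's local zone)."""
    return [e for e in events
            if e["Result"] == "Success" and not start_hour <= e["TimeGenerated"].hour < end_hour]


def restricted_region_logins(events, allowed_countries=("US",)):
    """Successful logins from any country outside the allow-list."""
    return [e for e in events
            if e["Result"] == "Success" and e["Country"] not in allowed_countries]


def failed_login_spikes(events, factor=3):
    """Hourly failure counts; an hour is a spike when it exceeds `factor`
    times the median of the other hours. Returns {hour: count}."""
    per_hour = defaultdict(int)
    for e in events:
        if e["Result"] == "Failure":
            per_hour[e["TimeGenerated"].replace(minute=0, second=0, microsecond=0)] += 1
    spikes = {}
    for hour, count in per_hour.items():
        others = [c for h, c in per_hour.items() if h != hour]
        if others and count > factor * median(others):
            spikes[hour] = count
    return spikes


def run_all_detections(events):
    """Run every scenario and return a summary an alert step could consume."""
    return {
        "brute_force_ips": burst_detections(events, "SourceIP"),
        "hammered_accounts": burst_detections(events, "User"),
        "off_hours": [(e["User"], e["SourceIP"]) for e in off_hours_logins(events)],
        "restricted_region": [(e["User"], e["Country"]) for e in restricted_region_logins(events)],
        "failure_spikes": {h.isoformat(): c for h, c in failed_login_spikes(events).items()},
    }


if __name__ == "__main__":
    for name, result in run_all_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The Sentinel rule described on this page expresses the brute-force check as a `summarize count() by SourceIP, bin(TimeGenerated, 1h)` over failures. Fixed one-hour bins can split a burst that straddles a bin boundary into two sub-threshold halves; the sliding window above counts every failure within the trailing hour instead, which is the behaviour to aim for if the rule is later tuned with a lookback window.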



📊 Dashboard Features

  • 📈 Failed login trend chart (bar graph by time)

  • 👤 Top 5 usernames targeted with failed logins

  • 🌍 Country-level login activity

  • 🕒 Hourly login heatmap

  • 📧 Linked alert with email notification when detection is triggered



⚠️ Challenges Faced

  • Getting the Data Collector API to correctly ingest JSON logs from Python

  • Ensuring KQL queries referenced the correct TimeGenerated field instead of custom timestamps

  • Initial confusion with Logic App restrictions when using Gmail — resolved by switching to Outlook

  • Sentinel’s UI changes (removal of “Add Logic App” from detection rule) required automation rules instead

🧠 What I Learned

  • How to simulate real-world attacks in a safe environment

  • Writing efficient and expressive KQL queries

  • How cloud-native SIEM tools work at scale

  • How to automate SOC workflows using Logic Apps

  • How to translate raw data into visual, actionable insights