Developing cyber security detection capabilities using Microsoft Sentinel
Hakanen, Merja (2025)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of this publication is
https://urn.fi/URN:NBN:fi:amk-2025052113976
Abstract
Cyber security in cloud environments has become increasingly critical due to the rise in credential access attacks, particularly brute force attempts. The objective of this research was to develop and enhance detection capabilities using Microsoft Sentinel, with the help of the MITRE ATT&CK framework. The implementation involved creating and testing various Kusto Query Language (KQL) queries and analytics rules to identify suspicious activities, such as failed login attempts and interrupted password resets. The results demonstrated significant improvements in detection capabilities, with the number of active rules increasing from three to ten. The enhanced detection methods provided better visibility into potential brute force attacks, as evidenced by the identification of high peaks in suspicious sign-in events. The conclusions highlight the effectiveness of using the MITRE ATT&CK framework as a systematic tool for improving threat detection in Microsoft Sentinel, offering valuable insights for organizations aiming to strengthen their cyber security posture.