End-to-end security automation using Microsoft Defender, Sentinel, and Logic Apps to detect, respond, and remediate simulated threats.

melissajoon/Defender-Automated-Incident-Lab


πŸ›‘οΈ Microsoft Defender for Endpoint – Automated Incident Response Lab

This project is a hands-on lab simulating automated incident response using Microsoft Defender for Endpoint, Microsoft Sentinel, and Logic Apps. The purpose is to demonstrate how security alerts can be detected, tagged, and responded to automatically using scalable and practical SOAR capabilities.


πŸ” Lab Objectives

  • Connect a virtual machine to Microsoft Defender for Endpoint.
  • Simulate real-world attacks (e.g., failed logons, brute-force).
  • Detect incidents using Microsoft Sentinel analytics rules.
  • Trigger automated responses using Logic Apps and Automation Rules.
  • Send formatted email alerts containing incident details.

🧰 Tools & Technologies Used

| Tool | Purpose |
|------|---------|
| Microsoft Defender for Endpoint | Endpoint protection & detection |
| Microsoft Sentinel | SIEM for detection & alert correlation |
| Logic Apps | Automated playbook to send email alerts |
| Azure VM (Windows) | Target system for simulating attacks |

βš™οΈ How It Works

  1. VM Onboarding
    A Windows VM was onboarded to Microsoft Defender for Endpoint from the Microsoft Defender portal (security.microsoft.com), using the onboarding package generated there.

  2. Alert Simulation
    Simulated multiple failed logon attempts and brute-force behaviors to trigger alerts.

  3. Analytics Rules
    Custom scheduled rules were created in Microsoft Sentinel to detect:

    • Multiple failed logons
    • Brute force behavior
  4. Automation Rules
    Automation rules were defined to trigger Logic Apps when an alert or incident is created.

  5. Logic App (Playbook)
    The playbook sends an email containing:

    • Alert name
    • Severity
    • Description
    • Alert timestamp
    💡 Email bodies are formatted as HTML so the alert fields render as a readable table rather than raw text.
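The query below is an added example of the kind of scheduled analytics rule used in step 3 (the brute-force detection); it is not the repository's own AnalyticsRules.kql. It assumes the VM's Windows Security events reach the SecurityEvent table in the Sentinel workspace (for example through the Windows Security Events via AMA data connector), since onboarding to Defender for Endpoint alone does not populate that table. The window, threshold and failure-reason mapping are illustrative choices, not values from the lab.

```kql
// Added example (not the repo's AnalyticsRules.kql).
// Assumption: Windows Security events land in SecurityEvent via the AMA connector.
// Window and threshold are illustrative; tune them to the environment.
let lookback  = 10m;
let threshold = 10;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                          // 4625 = "An account failed to log on"
| where LogonType in (3, 10)                     // network (SMB/WinRM) and RemoteInteractive (RDP) only
| where isnotempty(IpAddress) and IpAddress != "-"
// Map the NTSTATUS sub-status to a readable reason; useful for triage in the email body.
| extend FailureReason = case(
      tolower(SubStatus) == "0xc000006a", "bad password",
      tolower(SubStatus) == "0xc0000064", "unknown user",
      tolower(SubStatus) == "0xc0000234", "account locked out",
      "other")
// One row per (host, source IP): a single source hammering many accounts is the
// brute-force / password-spray shape; per-account counting would miss sprays.
| summarize
      FailedAttempts = count(),
      Accounts       = make_set(TargetUserName, 20),
      Reasons        = make_set(FailureReason),
      FirstAttempt   = min(TimeGenerated),
      LastAttempt    = max(TimeGenerated)
  by Computer, IpAddress
| where FailedAttempts >= threshold
// Sentinel entity mapping needs scalar columns; expose the first targeted account.
| extend AccountEntity = tostring(Accounts[0])
| project FirstAttempt, LastAttempt, Computer, IpAddress, FailedAttempts, Accounts, Reasons, AccountEntity
// For the separate "multiple failed logons" rule, summarize by Computer, TargetUserName
// instead of Computer, IpAddress and use a lower threshold (e.g. 5).
```

When saving this as a scheduled rule, map Computer to the Host entity, IpAddress to the IP entity and AccountEntity to the Account entity; those mappings are what make the incident's entities (and therefore the playbook's dynamic content) populate. Because the lookback (10m) is longer than a typical run frequency (5m), one burst of failures can satisfy the threshold on two consecutive runs; either set alert suppression on the rule or group alerts into a single incident so the playbook does not send two emails for one attack.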

📸 Screenshots

All screenshots from Logic App workflow, automation rule, Sentinel alerts, and sample email are stored in the structured folders above for clarity and traceability.


πŸ“ Project Structure

Defender-Automated-Incident-Lab/
β”‚
β”œβ”€β”€ README.md
β”œβ”€β”€ /Defender
β”‚   β”œβ”€β”€ 3.Defender-Onboard.png
β”‚   β”œβ”€β”€ 4.EICAR-Detection.png
β”‚   └── 5.EICAR-Attack-Graph-Details.png
β”œβ”€β”€ /Playbook
β”‚   β”œβ”€β”€ 6.Logic-App-Design.png
β”‚   β”œβ”€β”€ 7.logic-App-Run
β”‚   β”œβ”€β”€ 8.Automation-Rule.png
β”‚   β”œβ”€β”€ 9.Email-Alert
β”‚   └── 10.Run-History.png
└── /Sentinel
    β”œβ”€β”€ 1.Analytics-Rule.png
    β”œβ”€β”€ 2.Sentinel-Alert.png 
    └── AnalyticsRules.kql



✅ Outcomes

  • Emails were successfully triggered for each simulated alert.
  • Each Logic App run completed within milliseconds, as shown in the run history screenshot.
  • Demonstrated integration between Microsoft Sentinel and Defender for automated response.

📬 Contact

Melissa Jahani
📧 melissajahani@gmail.com
🔗 LinkedIn
💻 GitHub


⭐ Star this repo if you found it helpful, and feel free to contribute ideas or improvements!
