Cloud Security Incident Response: Detecting and Containing a Brute-Force Attack with Microsoft Sentinel

David — Sun, 08 Mar 2026 12:39:06 +0000

Recently, I documented a real-world cloud security investigation where I used Microsoft Sentinel to detect and contain a potential ransomware attack before full system compromise.

In this case study, I walk through the end-to-end incident response process, including:

🔎 Detecting brute-force authentication attempts
📊 Investigating suspicious identity activity using KQL queries
🧠 Mapping attacker behaviour to the MITRE ATT&CK framework
⚡ Rapid containment of compromised accounts
📉 Reducing Mean Time To Detect (MTTD) to ~30 minutes and containing the threat within ~2.5 hours

The goal of this write-up was to demonstrate how modern cloud SIEM platforms like Microsoft Sentinel can enable proactive threat detection and rapid response in Azure environments.

Cyber threats targeting cloud identities are increasing rapidly, and having strong monitoring, alerting, and threat-hunting capabilities is essential for security teams.

I hope this breakdown helps other SOC analysts, cloud engineers, and security professionals improve their investigation workflows.

Canonical URL:
https://medium.com/@davidud2016/how-i-handled-a-cloud-security-incident-end-to-end-using-microsoft-sentinel-5ed4a301e3ea

Happy to discuss investigation techniques, KQL queries, or Sentinel workflows with anyone working in **cloud security and incident response.

From Compliance to Cyber Resilience — A Practical Security Shift

David — Fri, 06 Mar 2026 11:57:07 +0000

[(https://medium.com/@davidud2016/from-compliance-to-cyber-resilience-514e48a5bd6f)]

TL;DR

Compliance ≠ Security

Resilience = Risk-based + Adaptive controls

Automation bridges detection and response

Monitoring must be continuous and meaningful

Compliance Limitations

Compliance frameworks such as ISO 27001, NIST CSF, CIS Controls, and regulatory standards play an important role in establishing baseline security practices. They ensure that organisations implement fundamental safeguards such as access controls, logging, encryption, and governance processes.

However, compliance has several limitations when it comes to defending against modern cyber threats.

Static vs Dynamic Threat Landscape

Compliance frameworks are typically reviewed annually or periodically, while cyber threats evolve daily. Attackers constantly modify techniques, exploit new vulnerabilities, and adapt to defensive controls.

For example:

A control requiring multi-factor authentication may pass compliance checks, but attackers may still bypass it through phishing-based session hijacking or MFA fatigue attacks.

Security policies may exist on paper but fail during real-world incidents due to a lack of operational integration.

Checklist Mentality

Compliance-driven security often leads to a checkbox approach where the objective becomes passing audits rather than strengthening the real security posture.

Typical symptoms include:

Controls implemented purely for audit evidence

Limited operational monitoring of controls

Security documentation that does not reflect real system behaviour

Lack of Continuous Assurance

Compliance assessments are snapshot evaluations, not continuous measurements. This creates blind spots between audits where security posture may degrade.

Cyber resilience requires continuous validation, not periodic confirmation.

Risk Prioritisation Framework

One of the biggest weaknesses of compliance-driven security is the tendency to treat all controls equally. In reality, not all risks carry the same probability or business impact.

A resilient security strategy prioritises threats based on risk exposure.

Core Risk Calculation Model

A practical way to prioritise threats is through risk scoring.

Risk Score = Likelihood × Impact × Exploitability
Where:

Likelihood represents the probability of the threat occurring

Impact measures potential business damage

Exploitability reflects how easy it is for attackers to leverage the vulnerability

Example Risk-Based Decision Logic

if risk_score > threshold: initiate_investigation() trigger_response_playbook()

This approach helps security teams:

Focus on high-impact threats first

Reduce alert fatigue

Allocate resources efficiently

Align security priorities with business risk tolerance

Risk Context Enrichment

Modern risk prioritisation also incorporates contextual intelligence, including:

Asset criticality

User privilege level

Threat intelligence indicators

Historical attack patterns

This ensures alerts are evaluated within the broader operational context, not just technical signals.

Adaptive Controls and Automation

Traditional security controls are often static: firewalls block predefined ports, policies enforce fixed rules, and alerts require manual investigation.

Adaptive security introduces dynamic controls that respond to threat signals automatically.

Examples of Adaptive Controls

includes:

Conditional access policies triggered by risky login behaviour
Endpoint isolation when malware activity is detected
Automatic credential revocation following suspicious access patterns
Network segmentation triggered by anomalous traffic patterns

These controls enable organisations to respond in seconds rather than hours.

Automation in Security Operations which is criticalfor scaling security operations in large environments.

Use cases include:

Automated threat enrichment
Incident triage workflows
Response playbooks for common attack patterns
Integration between SIEM, SOAR, and endpoint protection platforms

Automation reduces the workload on analysts while ensuring consistent and rapid response.

Continuous Monitoring

Cyber resilience depends heavily on continuous visibility into systems and activity.

Rather than relying on periodic security checks, organisations must implement monitoring systems capable of detecting threats in real time.

Key Monitoring Approaches
Pattern-Based Detection

Pattern-based detection identifies known malicious behaviour using predefined rules or signatures.

Examples include:

. Repeated failed authentication attempts
. Suspicious IP address activity
. Known malware hash detection

While useful, pattern-based detection alone cannot detect unknown attack techniques

Behavioural Baseline Modelling focuses on identifying deviations from normal system behaviour.

For example:

A user logging in from an unusual geographic location, and A service account accessing systems outside its normal scope

Sudden spikes in database queries

Machine learning models are increasingly used to detect these anomalies.

Security Dashboards and Observability

Security dashboards consolidate signals from multiple systems including:

Identity providers

Cloud infrastructure logs

Endpoint telemetry

Network monitoring tools

SOC teams can visualise the security posture in real time, enabling faster investigation and response.

Incident Readiness and Learning Loops

Cyber resilience does not mean preventing every attack — it means responding effectively and improving continuously.

Incident readiness ensures that organisations can contain and recover from incidents quickly.

Core Components of Incident Readiness

A mature incident response capability includes:

Defined incident response playbooks

Clearly assigned roles and responsibilities

Escalation procedures

Communication plans for stakeholders

Regular incident simulation exercises (such as tabletop scenarios or red-team exercises) help ensure teams are prepared.

Post-Incident Learning

One of the most valuable aspects of cyber resilience is learning from incidents.

Every incident should lead to improvements such as:

Updated detection rules

Improved response workflows

Additional monitoring capabilities

Security architecture adjustments

This creates a continuous learning loop, strengthening the organisation’s security posture over time.

Closing Insight

Moving from compliance-driven security to cyber resilience is not simply a change in tools — it is a fundamental shift in mindset.

Compliance answers the question:

“Do we meet the required controls?”

Cyber resilience answers a more important question:

“Can we detect, respond to, and recover from real-world attacks?”

Organisations that adopt resilience-focused strategies build security programs that adapt to evolving threats while maintaining operational continuity.

Risk Score = Likelihood × Impact × Exploitability
If Risk Score > Threshold → Trigger investigative workflow

Forem: David

Cloud Security Incident Response: Detecting and Containing a Brute-Force Attack with Microsoft Sentinel

From Compliance to Cyber Resilience — A Practical Security Shift