Detecting Real-World Brute Force Attacks with Azure Sentinel 🛡💻

In this project, I deployed a Windows 10 virtual machine (VM) on Microsoft Azure with Remote Desktop Protocol (RDP) exposed to the internet. I connected the VM to Azure Sentinel to monitor and capture live brute force attack attempts.
This gave me hands-on experience seeing real-world attack activity and understanding how cloud-based monitoring works.
🎯 Objectives
Create an Azure VM with RDP open
Connect the VM to Azure Sentinel for monitoring
Observe and document live brute force login attempts
Analyze attacker IPs and visualize their global locations
🛠️ Tools & Technologies
Microsoft Azure (Windows 10 VM)
Azure Sentinel
Log Analytics Workspace
What I Did
Created a Windows 10 VM on Azure and exposed port 3389 for RDP access.
Connected the VM to a Log Analytics workspace and enabled Azure Sentinel.
Monitored the VM and captured login attempt logs via Sentinel.
Collected data on failed RDP login attempts including IP addresses and timestamps.
Visualized attacker IP locations on a global map using Sentinel’s geolocation features.
📸 Screenshots
Screenshot 1: Failed RDP login attempts log
Screenshot 2: World map of attacker IP locations
🔐 Attack Analysis
While monitoring, I observed multiple failed login attempts coming from a variety of IP addresses around the world.
Key observations:
Attackers used common usernames like admin and administrator.
Many IPs attempted several login failures within seconds.
The attacks originated globally, from regions including Asia, Europe, and South America.
Several IPs appeared repeatedly, indicating persistent attack attempts.
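As an added example that is not part of the original project or its GitHub repository, the Python below applies the two observations above, bursts of failures within seconds and IPs that keep returning, to a constructed batch of failed-logon records shaped like Sentinel's SecurityEvent rows for Windows Event ID 4625. In Sentinel itself the same logic would be written as a KQL analytics rule; the sample IPs, account names and thresholds here are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (Windows Security Event ID 4625) in the
# shape Sentinel's SecurityEvent table exposes them (TimeGenerated, Account, IpAddress).
# Values are made up for illustration, not data captured in the lab.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:01Z", "Account": "admin", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:00:03Z", "Account": "administrator", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:00:04Z", "Account": "admin", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:00:06Z", "Account": "user", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:00:07Z", "Account": "test", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "Account": "admin", "IpAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-05-01T11:05:00Z", "Account": "admin", "IpAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-05-01T10:09:00Z", "Account": "hadel", "IpAddress": "192.0.2.55"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with at least `threshold` failures inside any `window` (sliding window)."""
    times_by_ip = defaultdict(list)
    for event in events:
        times_by_ip[event["IpAddress"]].append(parse_ts(event["TimeGenerated"]))
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best  # failures seen in the densest window
    return flagged

def repeat_offenders(events, min_hours=2):
    """IPs that keep coming back: failures observed in at least `min_hours` distinct hours."""
    hours_by_ip = defaultdict(set)
    for event in events:
        hours_by_ip[event["IpAddress"]].add(parse_ts(event["TimeGenerated"]).strftime("%Y-%m-%dT%H"))
    return sorted(ip for ip, hours in hours_by_ip.items() if len(hours) >= min_hours)

def top_usernames(events, n=3):
    """Most-tried account names, case-folded so 'Admin' and 'admin' count together."""
    return Counter(event["Account"].lower() for event in events).most_common(n)
```

Running `detect_bursts`, `repeat_offenders` and `top_usernames` over the sample flags the one IP that fired five failures in six seconds, the one that returned an hour later, and admin as the most-tried account.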
What I Learned
This project showed me how quickly and constantly exposed RDP ports attract brute force attacks from all over the world.
Using Azure Sentinel to monitor these attacks in real time provided valuable insight into attacker behavior and the importance of securing exposed services.
🔗 GitHub Project
You can find the full project details and code here:
Live Cyber Attacks Lab
💬 Final Thoughts
This was a powerful learning experience — watching real-time attackers try to break into a system I built. It reminded me why RDP should always be protected, and why monitoring matters in cybersecurity.
Thanks for reading.
Written by Hadel Issa