Detecting Real-World Brute Force Attacks with Azure Sentinel 🛡💻

Hadel Issa

In this project, I deployed a Windows 10 virtual machine (VM) on Microsoft Azure with Remote Desktop Protocol (RDP) exposed to the internet. I connected the VM to Azure Sentinel to monitor and capture live brute force attack attempts.

This gave me hands-on experience seeing real-world attack activity and understanding how cloud-based monitoring works.


🎯 Objectives

  • Create an Azure VM with RDP open

  • Connect the VM to Azure Sentinel for monitoring

  • Observe and document live brute force login attempts

  • Analyze attacker IPs and visualize their global locations


🛠️ Tools & Technologies

  • Microsoft Azure (Windows 10 VM)

  • Azure Sentinel

  • Log Analytics Workspace


What I Did

  1. Created a Windows 10 VM on Azure and exposed port 3389 for RDP access.

  2. Connected the VM to a Log Analytics workspace and enabled Azure Sentinel.

  3. Monitored the VM and captured login attempt logs via Sentinel.

  4. Collected data on failed RDP login attempts including IP addresses and timestamps.

  5. Visualized attacker IP locations on a global map using Sentinel’s geolocation features.


📸 Screenshots

Screenshot 1: Failed RDP login attempts log

Screenshot 2: World map of attacker IP locations



🔐 Attack Analysis

While monitoring, I observed multiple failed login attempts coming from a variety of IP addresses around the world.

Key observations:

  • Attackers used common usernames like admin and administrator.

  • Many IPs generated several failed logins within a few seconds of each other, the signature of an automated password-guessing tool rather than a person typing.

  • The attacks originated globally, from regions including Asia, Europe, and South America.

  • Several IPs appeared repeatedly, indicating persistent attack attempts.

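The observations above (bursts of failures from one IP, the same IPs returning, and a handful of guessed account names) are exactly what a detection rule looks for. The script below is an added example, not part of the original project, that runs those three checks over a constructed set of failed-logon records shaped like the SecurityEvent fields Sentinel collects; all timestamps, addresses and account names are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed RDP logons (Windows Security Event ID 4625), with the
# field names Sentinel exposes in SecurityEvent; times, IPs and accounts are made up.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-03-01T10:00:01", "IpAddress": "203.0.113.10", "Account": "admin"},
    {"TimeGenerated": "2024-03-01T10:00:02", "IpAddress": "203.0.113.10", "Account": "administrator"},
    {"TimeGenerated": "2024-03-01T10:00:04", "IpAddress": "203.0.113.10", "Account": "admin"},
    {"TimeGenerated": "2024-03-01T10:00:05", "IpAddress": "203.0.113.10", "Account": "administrator"},
    {"TimeGenerated": "2024-03-01T10:30:00", "IpAddress": "198.51.100.7", "Account": "admin"},
    {"TimeGenerated": "2024-03-01T10:30:20", "IpAddress": "198.51.100.7", "Account": "root"},
    {"TimeGenerated": "2024-03-01T11:00:00", "IpAddress": "192.0.2.55", "Account": "guest"},
    {"TimeGenerated": "2024-03-02T09:15:00", "IpAddress": "198.51.100.7", "Account": "admin"},
]

def parse_events(events):
    """Turn raw records into (timestamp, ip, account) tuples."""
    return [(datetime.fromisoformat(e["TimeGenerated"]), e["IpAddress"], e["Account"]) for e in events]

def detect_bursts(events, threshold=3, window=timedelta(seconds=10)):
    """Flag IPs with >= threshold failures inside one sliding window: {ip: peak count}."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_events(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def repeat_offenders(events, min_days=2):
    """IPs that come back on at least min_days distinct days (persistent attackers)."""
    days = defaultdict(set)
    for ts, ip, _ in parse_events(events):
        days[ip].add(ts.date())
    return {ip: len(d) for ip, d in days.items() if len(d) >= min_days}

def common_usernames(events, top=3):
    """Most frequently guessed account names, case-folded."""
    counts = Counter(acct.lower() for _, _, acct in parse_events(events))
    return counts.most_common(top)
```

With the sample data, `detect_bursts` flags only 203.0.113.10 (four failures in four seconds), while 198.51.100.7 is caught by `repeat_offenders` because its two attempts are 20 seconds apart but it returns the next day.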

What I Learned

This project showed me how quickly, and how constantly, an exposed RDP port attracts brute force attacks from all over the world.

Using Azure Sentinel to monitor these attacks in real time provided valuable insight into attacker behavior and the importance of securing exposed services.


🔗 GitHub Project

You can find the full project details and code here:
Live Cyber Attacks Lab


💬 Final Thoughts

This was a powerful learning experience — watching real-time attackers try to break into a system I built. It reminded me why RDP should always be protected, and why monitoring matters in cybersecurity.

Thanks for reading.
Want to connect? Find me on LinkedIn

