Incident Response Case Study – Brute Force Attempt (Simulation)
Overview
This incident response case study documents the detection, analysis, and containment of a brute force attack targeting Remote Desktop Protocol (RDP) services on Azure Virtual Machines. The attack involved multiple external IP addresses attempting to gain unauthorized access through credential brute forcing.
```mermaid
graph LR
A[🔍 Preparation] --> B[🚨 Detection]
B --> C[🔬 Analysis]
C --> D[🛡️ Containment]
D --> E[🧹 Eradication]
E --> F[♻️ Recovery]
F --> G[📊 Post-Incident]
```
1. Preparation
Readiness Measures
- Documented roles, responsibilities, and IR procedures
- Ensured tools, log sources, and training were in place for response
- Created a Sentinel Scheduled Query Rule to detect brute force attempts
Detection Rule Configuration
Rule: Failed Logins ≥10 in 5 hours
```kql
DeviceLogonEvents
| where ActionType == "LogonFailed" and TimeGenerated > ago(5h)
| summarize EventCount = count() by RemoteIP, DeviceName
| where EventCount >= 10
| order by EventCount
```
Alert Configuration:
- Severity: High
- Frequency: Every 30 minutes
- Threshold: 10+ failed attempts within 5 hours
- Action: Create incident and notify SOC team
2. Detection & Analysis
Initial Findings
Alert Details:
- Trigger Time: 2025-10-03 08:45:00 UTC
- Alert Type: Multiple Failed Authentication Attempts
- Affected Assets: 16 Azure VMs (DWBI-Workstation0-15)
- Source IPs: 10 unique external IP addresses
Initial Hypothesis: Ongoing brute force activity against employee workstations from multiple coordinated attackers.
Attack Timeline
```mermaid
gantt
title Brute Force Attack Timeline
dateFormat HH:mm
section Attack Phase
Initial Attempts :04:00, 2h
Peak Activity :06:00, 1h
Continued Attempts :07:00, 2h
section Response Phase
Alert Triggered :08:45, 15m
Analysis Started :09:00, 30m
Containment Actions :09:30, 1h
```
Investigation Queries
Query 1: Check for Successful Logons
```kql
// Define machines
let TargetDevices = dynamic(["DWBI-Workstation0", "DWBI-Workstation1", "DWBI-Workstation2", "DWBI-Workstation3"]);
// Define suspect IPs
let SuspectIPs = dynamic(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]);
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where DeviceName in (TargetDevices) and RemoteIP in (SuspectIPs)
| order by TimeGenerated desc
```
Result: ✅ No successful logons from suspicious external IPs or targeted devices.
Query 2: Detailed Logon Activity Analysis
```kql
DeviceLogonEvents
| where RemoteIP in ("92.53.90.248", "194.180.49.127", "185.243.96.116", "185.243.96.107", "185.156.73.169", "178.128.95.238", "154.94.234.47", "148.72.141.37", "141.98.11.143", "10.0.0.8")
| where ActionType != "LogonFailed"
| summarize LoginCount = count(), FirstLogin = min(TimeGenerated), LastLogin = max(TimeGenerated) by DeviceName, AccountName, LogonType, RemoteIP
| order by LastLogin desc
```
Key Findings
| Finding | Status | Risk Level |
|---|---|---|
| Successful logons from public IPs | None detected | Low |
| Failed login attempts | 10+ per IP | Medium |
| Internal IP activity (10.0.0.8) | Unusual pattern | Medium |
| Compromised credentials | No evidence | Low |
| Lateral movement | No evidence | Low |
Critical Observations:
- No successful logons from public IPs — all brute-force attempts failed
- All successful logons originated from internal IP 10.0.0.8 using LogonType = Network
- Internal activity appeared unusual and warranted additional review for potential insider threat or misconfiguration
Attack Pattern Analysis
```mermaid
graph TD
A[External Attackers<br/>10 Public IPs] -->|Failed RDP Attempts| B[Azure VMs<br/>16 Workstations]
C[Internal IP<br/>10.0.0.8] -->|Successful Network Logons| B
B --> D{Security Controls}
D -->|Strong Passwords| E[Attack Failed]
D -->|NSG Rules| F[Limited Exposure]
D -->|MDE Monitoring| G[Detection & Alert]
```
3. Containment, Eradication & Recovery
Immediate Containment Actions
```mermaid
flowchart LR
A[Alert Received] --> B[Device Isolation]
B --> C[Network Segmentation]
C --> D[AV Scanning]
D --> E[Configuration Review]
```
Actions Taken:
- Device Isolation
  - Isolated 16 VMs via Microsoft Defender for Endpoint (MDE)
  - Prevented potential lateral movement
  - Maintained forensic evidence integrity
- Malware Scanning
  - Initiated comprehensive antivirus scans on all isolated devices
  - Full disk scans with Microsoft Defender
  - No malware detected
- Network Hardening
  - Updated Network Security Group (NSG) rules
  - Blocked all RDP access (port 3389) from public internet
  - Implemented IP whitelisting for administrative access
Network Security Configuration
Before:
```text
Inbound Rule: Allow RDP (3389) from Any → Any
Risk Level: CRITICAL
```
After:
```text
Inbound Rule: Deny RDP (3389) from Internet → Any
Inbound Rule: Allow RDP (3389) from [Admin IPs] → VMs
Risk Level: LOW
```
Policy Recommendations
Immediate Changes:
- ✅ Only allow RDP from trusted, specific IP addresses (e.g., administrator workstation)
- ✅ Implement Azure Bastion Host for secure VM management
- ✅ Enable Multi-Factor Authentication (MFA) for all RDP connections
Long-term Improvements:
- Implement Just-In-Time (JIT) VM Access
- Deploy Conditional Access policies for administrative accounts
- Regular penetration testing and red team exercises
- Enhanced account lockout policies after failed attempts
4. Post-Incident Activity
Enhanced Detection Logic
Created two-tier alerting system:
Alert Tier 1: Failed Login Detection
- Triggers on multiple failed attempts (threshold: 10+)
- Severity: Medium
- Response: Investigation required
Alert Tier 2: Successful Compromise Detection
- Triggers when successful logon follows multiple failures
- Severity: Critical
- Response: Immediate isolation and investigation
Improved Detection Query:
```kql
DeviceLogonEvents
| where TimeGenerated > ago(1h)
| summarize
    FailedCount = countif(ActionType == "LogonFailed"),
    SuccessTime = maxif(TimeGenerated, ActionType == "LogonSuccess")
    by AccountName, DeviceName, RemoteIP
| where FailedCount >= 3 and isnotempty(SuccessTime)
| project AccountName, DeviceName, RemoteIP, FailedCount, SuccessTime
| order by SuccessTime desc
```
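The two detection rules on this page (the Tier 1 failed-logon threshold from the Preparation section and the Tier 2 failures-then-success query above) as an added Python example, not code from the original case study, run over constructed DeviceLogonEvents-style rows that use documentation-range IPs rather than the incident's addresses. It goes one step beyond the KQL by counting only failures that precede the latest success, so a success that is merely followed by failures is not reported as a compromise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 10, 3, 6, 0)  # constructed base time on the case-study date

def ev(minutes, action, device, account, ip):  # one constructed DeviceLogonEvents-like row
    return {"TimeGenerated": T0 + timedelta(minutes=minutes), "ActionType": action,
            "DeviceName": device, "AccountName": account, "RemoteIP": ip}

# Constructed sample telemetry (RFC 5737 documentation addresses, not the IPs from the incident)
EVENTS = (
    # 12 failures from one external IP against one workstation: Tier 1 should fire
    [ev(i, "LogonFailed", "DWBI-Workstation0", "admin", "198.51.100.10") for i in range(12)]
    # 4 failures followed by a success on the same (account, device, IP): Tier 2 should fire
    + [ev(30 + i, "LogonFailed", "DWBI-Workstation1", "jdoe", "203.0.113.5") for i in range(4)]
    + [ev(40, "LogonSuccess", "DWBI-Workstation1", "jdoe", "203.0.113.5")]
    # internal success with no failures: neither tier fires
    + [ev(45, "LogonSuccess", "DWBI-Workstation2", "svc_backup", "10.0.0.8")]
    # a success and then 3 failures: same counts, wrong order, must not be flagged as a compromise
    + [ev(50, "LogonSuccess", "DWBI-Workstation3", "ops", "203.0.113.9")]
    + [ev(51 + i, "LogonFailed", "DWBI-Workstation3", "ops", "203.0.113.9") for i in range(3)]
)
NOW = T0 + timedelta(minutes=55)  # evaluation time, stands in for now()

def tier1_failed_logins(events, now, window=timedelta(hours=5), threshold=10):
    """Tier 1 / Preparation rule: >= threshold LogonFailed per (RemoteIP, DeviceName) in the window."""
    counts = defaultdict(int)
    for e in events:
        if e["ActionType"] == "LogonFailed" and e["TimeGenerated"] > now - window:
            counts[(e["RemoteIP"], e["DeviceName"])] += 1
    return sorted(((k, n) for k, n in counts.items() if n >= threshold), key=lambda kv: -kv[1])

def tier2_failures_then_success(events, now, window=timedelta(hours=1), min_failures=3):
    """Tier 2: failures plus a success for one (AccountName, DeviceName, RemoteIP) in the window.
    Unlike the KQL above, only failures that precede the latest success are counted."""
    groups = defaultdict(list)
    for e in events:
        if e["TimeGenerated"] > now - window:
            groups[(e["AccountName"], e["DeviceName"], e["RemoteIP"])].append(e)
    hits = []
    for key, evs in groups.items():
        successes = [e["TimeGenerated"] for e in evs if e["ActionType"] == "LogonSuccess"]
        if not successes:
            continue
        success_time = max(successes)  # maxif(TimeGenerated, ActionType == "LogonSuccess")
        preceding = sum(1 for e in evs
                        if e["ActionType"] == "LogonFailed" and e["TimeGenerated"] < success_time)
        if preceding >= min_failures:
            hits.append((key, preceding, success_time))
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

Calling `tier1_failed_logins(EVENTS, NOW)` returns only the 12-failure source, and `tier2_failures_then_success(EVENTS, NOW)` returns only the jdoe tuple, leaving the out-of-order ops case unflagged.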
Lessons Learned
```mermaid
mindmap
  root((Lessons<br/>Learned))
    Detection
      Early alerting worked
      Need faster triage
      Automate initial response
    Prevention
      RDP exposure risk
      Implement Bastion
      MFA enforcement critical
    Response
      Isolation effective
      Good team coordination
      Documentation complete
    Improvement
      Automate containment
      Enhanced playbooks
      Regular drills needed
```
Metrics & Outcomes
| Metric | Value | Target | Status |
|---|---|---|---|
| Time to Detection | 2h 45m | < 1h | 🟡 Needs improvement |
| Time to Containment | 45m | < 30m | 🟢 Within target |
| False Positive Rate | 0% | < 5% | 🟢 Excellent |
| Assets Protected | 16/16 | 100% | 🟢 Success |
| Data Breach | No | No | 🟢 Success |
Conclusion
Incident Summary
This incident demonstrated the effectiveness of proactive monitoring and defense-in-depth strategies. While external attackers launched a coordinated brute force campaign against 16 Azure VMs, the attack was unsuccessful due to:
- Strong password policies preventing credential compromise
- Real-time detection through Microsoft Sentinel
- Rapid containment using Microsoft Defender for Endpoint
- Proper network segmentation limiting attack surface
Key Takeaways
- External Threat Mitigated: Brute-force attempts from 10 public IPs failed to compromise any systems
- Internal Activity Requires Review: Unusual logon patterns from internal IP 10.0.0.8 warrant deeper investigation
- Configuration Improvements: RDP exposure to the internet represents unnecessary risk
Critical Success Factors
- ✅ Proactive detection through scheduled query rules
- ✅ Layered defenses preventing successful exploitation
- ✅ Rapid response minimizing potential impact
- ✅ Continuous improvement of alerting and response procedures
Action Items
- Implement Azure Bastion for all production VMs
- Investigate internal IP 10.0.0.8 activity patterns
- Deploy MFA for all administrative access
- Conduct tabletop exercise on similar scenario
- Update incident response playbooks based on lessons learned
- Schedule quarterly review of NSG rules and access policies
**Incident Status:** 🟢 CLOSED
**Remediation Status:** 🟢 CLOSED
**Follow-up Required:** YES
This case study underscores the importance of proactive detection, layered defenses, continuous improvement of alerting logic, and proper hardening of remote access pathways in modern cloud environments.