A hands-on lab environment focused on cloud security monitoring using Azure and Splunk. This covers how to collect cloud logs, detect suspicious activity, and build detection rules for the most common cloud attack patterns.
Cloud is where most attacks are happening now. This lab is built to reflect that reality — using Azure as the cloud platform and Splunk as the detection layer.
| Module | Focus | Status |
|---|---|---|
| Azure Log Collection | Getting Azure Activity, Sign-in, and Audit logs into Splunk | ✅ |
| Microsoft Entra ID Monitoring | Detecting suspicious login and identity events | ✅ |
| Azure Defender Alerts | Ingesting Defender for Cloud alerts into Splunk | ✅ |
| Storage Account Monitoring | Detecting unusual access to Blob and File storage | ✅ |
| Privileged Role Changes | Alerting on Azure AD role assignments | ✅ |
| Failed MFA Detections | Spotting MFA fatigue and bypass attempts | ✅ |
```text
Azure Environment
┌─────────────────────────────────────────┐
│ Azure Active Directory / Entra ID       │
│ Azure Activity Logs                     │
│ Microsoft Defender for Cloud            │
│ Azure Storage / Key Vault               │
└─────────────────────────────────────────┘
                    ↓
      Event Hub / Diagnostic Settings
                    ↓
 Splunk Add-on for Microsoft Cloud Services
                    ↓
          ┌──────────────────┐
          │ Splunk (SIEM)    │
          │ Dashboards       │
          │ Alerts           │
          │ Threat Hunting   │
          └──────────────────┘
```
```text
cloud-security-lab/
├── README.md
├── setup/
│   ├── azure-log-collection-guide.md
│   ├── splunk-addon-setup.md
│   └── event-hub-config.md
├── detections/
│   ├── impossible-travel.spl
│   ├── privileged-role-assignment.spl
│   ├── mfa-failure-spike.spl
│   ├── storage-access-anomaly.spl
│   └── new-service-principal.spl
├── dashboards/
│   ├── azure-overview.xml
│   └── identity-monitoring.xml
└── docs/
    ├── log-sources-reference.md
    └── troubleshooting.md
```
Flags logins where the same account signs in from two geographically distant locations within a short window — a sign of account compromise or credential sharing.
```spl
index=azure sourcetype=azure:aad:signin ResultType=0
| bin _time span=1h
| stats values(Location) as locations, values(IPAddress) as ips, dc(Location) as location_count by UserPrincipalName, _time
| where location_count >= 2
| mvexpand locations
| stats count by UserPrincipalName, locations, ips
```
Catches when a user is added to a high-privilege Azure AD role like Global Admin or Security Admin. Every one of these should be reviewed.
```spl
index=azure sourcetype=azure:aad:audit OperationName="Add member to role"
| search TargetResources{}.modifiedProperties{}.newValue="*Global Administrator*" OR TargetResources{}.modifiedProperties{}.newValue="*Security Administrator*"
| stats count by InitiatedBy.user.userPrincipalName, TargetResources{}.userPrincipalName, _time
| sort - _time
```
Repeated MFA failures can mean an MFA fatigue attack — where an attacker spams push notifications hoping the user approves out of frustration.
```spl
index=azure sourcetype=azure:aad:signin ResultType=500121
| bucket _time span=10m
| stats count as mfa_failures by _time, UserPrincipalName, IPAddress
| where mfa_failures >= 5
| sort - mfa_failures
```
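The MFA-failure-spike search above, reimplemented in Python as an added example (not part of this lab's repository) so the 10-minute bucketing and the threshold can be tested offline against constructed sign-in records before the SPL is deployed. Field names (`_time`, `UserPrincipalName`, `IPAddress`, `ResultType`) follow the SPL; the sample events are constructed.

```python
"""Offline check of the mfa-failure-spike logic (added example, not lab code)."""
from collections import Counter
from datetime import datetime, timezone

MFA_FAILED = "500121"       # Entra ID error code matched by the SPL search above
SPAN_SECONDS = 10 * 60      # mirrors `bucket _time span=10m`
THRESHOLD = 5               # mirrors `where mfa_failures >= 5`


def _bucket(ts: str) -> datetime:
    """Floor an ISO-8601 timestamp to a fixed 10-minute bin, as `bucket` does."""
    epoch = int(datetime.fromisoformat(ts).timestamp())
    return datetime.fromtimestamp(epoch - epoch % SPAN_SECONDS, tz=timezone.utc)


def mfa_failure_spikes(records, threshold=THRESHOLD):
    """Return [(bucket_start, upn, ip, failures)] for every user/IP pair that
    fails MFA at least `threshold` times inside one 10-minute bin."""
    counts = Counter()
    for rec in records:
        if str(rec.get("ResultType")) != MFA_FAILED:
            continue  # only failed strong-authentication requests count
        key = (_bucket(rec["_time"]), rec["UserPrincipalName"], rec["IPAddress"])
        counts[key] += 1
    hits = [(b, upn, ip, n) for (b, upn, ip), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[3])  # mirrors `sort - mfa_failures`


# Constructed sample: six rejected push prompts in six minutes from one IP,
# one isolated failure from another user, and one successful sign-in.
SAMPLE_SIGNINS = [
    {"_time": f"2024-05-01T08:0{i}:00+00:00", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "500121"} for i in range(6)
] + [
    {"_time": "2024-05-01T08:03:00+00:00", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "198.51.100.7", "ResultType": "500121"},
    {"_time": "2024-05-01T08:04:00+00:00", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "ResultType": "0"},
]

if __name__ == "__main__":
    for bucket, upn, ip, n in mfa_failure_spikes(SAMPLE_SIGNINS):
        print(f"{bucket:%Y-%m-%d %H:%M} {upn} {ip} mfa_failures={n}")
```

Because `bucket` uses fixed bins, a burst that straddles a 10-minute boundary is split across two bins and can fall below the threshold; tune the span or move to a sliding window if that gap matters in your environment.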
- Microsoft Azure — cloud platform (Entra ID, Activity Logs, Defender for Cloud)
- Splunk Enterprise / Splunk Cloud — SIEM and detection
- Splunk Add-on for Microsoft Cloud Services — log ingestion connector
- Azure Event Hub — log streaming to Splunk
- SPL — detection queries
10 years in IT, 6 years in cybersecurity (network security, SIEM engineering, SOC operations). MS in Information Systems, CCNP Security.
Part of a broader portfolio covering threat detection, incident response, and security automation.
GitHub: Solomon-CyberSec