Cybersecurity professional specializing in identity threat detection, authentication monitoring, and security incident investigation within Microsoft cloud environments.
My projects demonstrate how security analysts detect suspicious authentication activity, investigate identity-related alerts, analyze security logs, and implement remediation procedures in enterprise Microsoft environments.
All investigations are performed in a controlled lab environment designed to simulate enterprise SOC workflows.
The following workflow demonstrates how identity security events are collected, detected, investigated, and remediated within a Microsoft cloud security environment.
| Stage | Security Process | Platform |
|---|---|---|
| 1 | User Authentication Activity | Microsoft Entra ID |
| 2 | Authentication Logs Collected | Microsoft Entra ID Sign-in Logs |
| 3 | Threat Detection Rules | Microsoft Sentinel (KQL) |
| 4 | Security Investigation | SOC Analyst Investigation Cases |
| 5 | Incident Response | Response Playbooks |
Enterprise Identity Incident Investigation
This repository demonstrates how identity-based security incidents can be detected, investigated, and remediated using Microsoft Sentinel, Microsoft Entra ID authentication logs, and the MITRE ATT&CK framework.
The project simulates the workflow used by Security Operations Center analysts when investigating suspicious authentication activity in enterprise Microsoft environments. It includes detection rules, authentication log analysis, investigation case files, MITRE ATT&CK technique mapping, and incident response playbooks.
Investigation scenarios were developed in a controlled lab environment designed to simulate enterprise authentication monitoring and identity security incidents.
The investigation environment includes detection rules designed to identify identity-based attacks within Microsoft Entra ID sign-in logs ingested into Microsoft Sentinel.
| Attack Technique | Detection Rule |
|---|---|
| Password Spray | Password Spray Detection |
| Impossible Travel | Impossible Travel Detection |
| MFA Fatigue | MFA Fatigue Detection |
| Phishing Login | Phishing Login Detection |
| Token Theft | Token Theft Detection |
| Data Exfiltration | Data Exfiltration Detection |
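As an added illustration of the kind of Sentinel analytics rule that sits behind an entry such as "Password Spray Detection" (an example query written for this page, not the repository's own rule), the KQL below looks for a single source IP address that fails credential validation against many distinct accounts inside a short window, which is the signature of a spray rather than a single user mistyping a password. The one-hour window, the threshold of 10 distinct accounts, and the choice of result code 50126 (invalid username or password) are assumptions made for illustration; a production rule would tune them to the tenant's normal failure rate.

```kql
// Added example: password spray detection over Microsoft Entra ID sign-in logs in Sentinel.
// Assumptions for illustration: 1 hour window, 10 distinct accounts, result code 50126.
let lookback = 1h;           // how far back to evaluate (assumption)
let account_threshold = 10;  // distinct accounts failed from one IP (assumption)
SigninLogs
| where TimeGenerated > ago(lookback)
// 50126 = invalid username or password; sprays produce many of these per source IP
| where ResultType == "50126"
| summarize
    FailedAttempts   = count(),
    DistinctAccounts = dcount(UserPrincipalName),
    TargetedAccounts = make_set(UserPrincipalName, 50),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by IPAddress
// one IP touching many accounts is the spray pattern; one account with many failures is not
| where DistinctAccounts >= account_threshold
| extend DurationMinutes = datetime_diff("minute", LastSeen, FirstSeen)
| project IPAddress, DistinctAccounts, FailedAttempts, FirstSeen, LastSeen, DurationMinutes, TargetedAccounts
| order by DistinctAccounts desc
```

When this fires, the analyst's next step in the workflow above is evidence collection: pull every sign-in row for the flagged `IPAddress` (successes included, since a spray that lands one valid credential shows as `ResultType == "0"` from the same address) and check whether any of the `TargetedAccounts` later authenticated successfully from that IP. Containment then maps to the Password Spray playbook: block the source at Conditional Access or the perimeter, reset and require MFA re-registration for any account that succeeded, and record the finding under T1110.003.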
The following matrix maps detection rules and investigation scenarios to relevant MITRE ATT&CK techniques.
| MITRE Technique | Attack Description | Detection Rule | Investigation Case |
|---|---|---|---|
| T1110.003 | Password Spraying | Password Spray Detection | CASE-006 Password Spray Attack |
| T1078 | Valid Accounts | Impossible Travel Detection | CASE-003 Impossible Travel Login |
| T1621 | MFA Request Generation | MFA Fatigue Detection | CASE-002 MFA Fatigue Attack |
| T1566 | Phishing | Phishing Login Detection | CASE-009 Phishing Attack Investigation |
| T1528 | Steal Application Access Token | Token Theft Detection | CASE-008 Identity Account Compromise |
| T1041 | Exfiltration Over Command and Control Channel | Data Exfiltration Detection | CASE-007 Data Exfiltration Investigation |
Hands-on lab demonstrating identity security concepts including role-based access control, authentication monitoring, and access configuration within Microsoft environments.
https://github.com/jwnfld3/azure-access-mgmt
These labs demonstrate the enterprise environments used to perform identity security investigations and authentication monitoring.
Virtualized Windows environment used to simulate authentication activity, monitor security logs, and practice investigation techniques within a lab environment.
https://github.com/jwnfld3/windows11-hyper-v
The projects in this portfolio demonstrate a structured Security Operations Center investigation process.
1. **Detection**: Security monitoring tools identify suspicious authentication activity.
2. **Evidence Collection**: Authentication logs and supporting artifacts are gathered for analysis.
3. **Investigation**: Security analysts review authentication patterns and identify indicators of compromise.
4. **MITRE ATT&CK Mapping**: Observed activity is mapped to attacker tactics and techniques.
5. **Remediation**: Incident response playbooks are used to contain and resolve security events.

Workflow Summary

Detection → Evidence → Investigation → MITRE Mapping → Remediation
- Identity Security Investigation
- Authentication Log Analysis
- Microsoft 365 Administration
- Microsoft Entra ID Identity Management
- Incident Response Documentation
- Security Event Correlation
- Security Monitoring

- Microsoft 365 administration
- Endpoint management using Microsoft Intune
- Active Directory administration
- Enterprise technical support
- Security documentation and investigation reporting
- LinkedIn: https://linkedin.com/in/james-winfield3
- GitHub Repositories: https://github.com/jwnfld3?tab=repositories
All projects in this portfolio were developed in controlled lab environments to simulate enterprise security investigations.
These projects demonstrate practical skills used by Security Operations Center analysts including authentication monitoring, identity investigation, log analysis, incident documentation, and remediation planning.
The projects in this portfolio were developed through hands-on practice and by referencing official vendor documentation and widely used cybersecurity frameworks.
- Microsoft Sentinel Documentation: https://learn.microsoft.com/en-us/azure/sentinel/
- Microsoft Entra ID Sign-in Log Documentation: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
- Microsoft Entra Conditional Access Documentation: https://learn.microsoft.com/en-us/entra/identity/conditional-access/
- Kusto Query Language Documentation: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/
- MITRE ATT&CK Framework: https://attack.mitre.org/
- MITRE ATT&CK Enterprise Matrix: https://attack.mitre.org/matrices/enterprise/
- Microsoft 365 Security Documentation: https://learn.microsoft.com/en-us/microsoft-365/security/
- Azure Identity Protection Documentation: https://learn.microsoft.com/en-us/entra/id-protection/
All projects in this portfolio were developed in controlled lab environments for educational and professional development purposes.
The scenarios simulate common identity security incidents that security analysts investigate in enterprise Microsoft cloud environments.
