Work

Projects

Practical security work and investigations. Details are kept intentionally high-level to avoid disclosing sensitive information.

Incident Response

Security Incident Investigation

Case Study

A structured investigation of a security incident involving suspicious authentication activity detected through centralised log monitoring. Covers the full incident response lifecycle from initial alert triage through to documented remediation and lessons learned. Details have been generalised to protect confidentiality.

Tags: Incident Response, Log Analysis, Triage, Containment, Post-Incident Review, Documentation

  • Received and triaged a high-priority alert from the SIEM platform indicating anomalous login behaviour across multiple accounts.
  • Performed initial scoping to identify affected systems, user accounts, and the likely timeframe of compromise.
  • Collected and preserved relevant log data from authentication systems, endpoint agents, and network traffic captures.
  • Correlated events across sources to construct a timeline of attacker activity and determine the scope of the incident.
  • Isolated affected accounts and enforced password resets in coordination with the IT team.
  • Blocked identified malicious IP addresses and applied conditional access policies to restrict further suspicious activity.
  • Validated containment by reviewing subsequent log data to confirm no further unauthorised access.
  • Produced a written post-incident report including a full timeline, root cause analysis, and recommended improvements.
  • The investigation identified a gap in MFA coverage that was subsequently addressed as a remediation action.
  • Strengthened organisational alerting rules based on patterns discovered during the investigation.

Security Monitoring

SIEM Deployment & Alert Tuning (Wazuh)

Lab / Work Project

Deployed and configured Wazuh as a centralised security monitoring and SIEM solution across a mixed-OS environment. Covered agent deployment, custom rule creation, alert tuning, and dashboard build-out to improve detection capability and reduce alert fatigue.

Tags: Wazuh, SIEM, Log Management, Alert Tuning, Windows, Linux

  • Deployed Wazuh manager and agents across Windows Server and Linux endpoints, centralising log collection and event normalisation.
  • Configured File Integrity Monitoring (FIM) on critical system paths to detect unauthorised changes.
  • Built custom detection rules targeting common attack patterns including brute-force attempts, privilege escalation, and lateral movement indicators.
  • Created dashboards to give the team clear visibility of alert volumes, top event sources, and trend data.
  • Reviewed alert volumes over a two-week baseline period and identified high-noise rules that needed refinement.
  • Applied rule-level suppression and threshold tuning to reduce false positives without losing detection coverage.
  • Documented all custom rules and tuning decisions to enable consistent maintenance and future review.
  • Reduced daily alert volume by approximately 40% through targeted tuning, improving signal quality significantly.
  • The environment moved from minimal monitoring visibility to a structured, maintained detection capability.
  • Delivered internal documentation covering Wazuh architecture, rule logic, and on-call response guidance.

Access Security

MFA Implementation & Access Control Hardening

Work Project

Assessed existing authentication controls across a Microsoft 365 environment and led the rollout of multi-factor authentication for all user accounts. Included policy changes, exception management, user communication, and post-deployment monitoring.

Tags: MFA, Microsoft 365, Entra ID, Conditional Access, IAM, Risk Reduction

  • Audit of authentication controls revealed a significant portion of accounts lacked MFA coverage, representing meaningful account takeover risk.
  • Existing conditional access policies were inconsistent and lacked enforcement for administrator accounts.
  • Reviewed all user accounts and identified those without MFA enrolled, prioritising privileged accounts for immediate remediation.
  • Created and enforced Conditional Access policies requiring MFA for all users, with a phased rollout to reduce operational disruption.
  • Drafted user communications and a self-enrolment guide to reduce support ticket volume during transition.
  • Managed exceptions through a formal approval process with defined review timelines.
  • Achieved full MFA coverage across all active user accounts within the defined project timeframe.
  • Administrator accounts moved to phishing-resistant authentication methods as a priority hardening action.
  • Measurably reduced the organisation's identity-related risk and contributed to Cyber Essentials alignment.

Process Improvement

Security Workflow & Runbook Development

Work Project

Developed and standardised security operational procedures to improve consistency, reduce response times, and support knowledge transfer within the security team. Covered playbook authoring, ticketing workflow improvement, and structured runbooks for common security scenarios.

Tags: Documentation, Playbooks, Runbooks, ITSM, Process Improvement, SecOps

  • Authored incident response playbooks for common security scenarios including phishing, account compromise, and malware detection.
  • Designed a standardised ticketing workflow within the ITSM platform to ensure consistent alert handling and clear ownership.
  • Produced runbooks covering daily security checks, alert escalation criteria, and shift handover procedures.
  • Reviewed existing informal processes and identified gaps in documentation coverage and response consistency.
  • Worked collaboratively with team members to validate runbook steps against real operational scenarios.
  • Established a review cadence to keep documentation current as tools and environments changed.
  • Reduced time-to-triage for common alert types as analysts had clear, tested procedures to follow.
  • Improved audit trail quality, with consistently documented incident timelines and actions taken.
  • Documentation became a key reference during team onboarding, reducing ramp-up time for new starters.

Interested in my work?

View my CV for a full picture of my experience, or get in touch directly.