Skip to content

Cirby28/Sentinel-Lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
.gitattributes
.gitattributes
 
 
BRUTE_FORCE_ACTUAL.log
BRUTE_FORCE_ACTUAL.log
 
 
Custom_Security_Log_Exporter.ps1
Custom_Security_Log_Exporter.ps1
 
 
README.md
README.md
 
 

Repository files navigation

Failed RDP to IP Geolocation Information

[YouTube Links]

[Part 1] (https://youtu.be/DvHHfrK9QmU)
[Part 2] (https://youtu.be/vKreyJEZMII)
[Part 3] (https://youtu.be/T7DJh9w-VKA)

Description

The Powershell script in this repository is responsible for parsing out Windows Event Log information for failed RDP attacks and using a third-party API to collect geographic information about the attackers' location.

The script is used in this demo where I set up Azure Sentinel (SIEM) and connect it to a live virtual machine acting as a honey pot. We will observe live attacks (RDP Brute Force) from all around the world. I will use a custom PowerShell script to look up the attackers' Geolocation information and plot it on an Azure Sentinel Map!

Languages Used

  • PowerShell: Extract RDP failed logon logs from Windows Event Viewer

Utilities Used

  • ipgeolocation.io: IP Address to Geolocation API

Attacks Will come in here; Custom logs will be put out here with geodata

Image Analysis Dataflow

World map of incoming attacks after 24 hours (built custom logs including geodata)

After 24 Hours


About

Sentinel-Lab

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages