Skip to content

aravindb26/Sentinel-Lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.gitattributes
.gitattributes
 
 
BRUTE_FORCE_ACTUAL.log
BRUTE_FORCE_ACTUAL.log
 
 
Custom_Security_Log_Exporter.ps1
Custom_Security_Log_Exporter.ps1
 
 
README.md
README.md
 
 

Repository files navigation

Failed RDP to IP Geolocation Information

Description

The Powershell script in this repository is responsible for parsing out Windows Event Log information for failed RDP attacks and using a third party API to collect geographic information about the attackers location.

The script is used in this demo where I setup Azure Sentinel (SIEM) and connect it to a live virtual machine acting as a honey pot. We will observe live attacks (RDP Brute Force) from all around the world. I will use a custom PowerShell script to look up the attackers Geolocation information and plot it on an Azure Sentinel Map!

RDP event fail logs to iP Geographic information

Languages Used

  • PowerShell: Extract RDP failed logon logs from Windows Event Viewer

Utilities Used

  • ipgeolocation.io: IP Address to Geolocation API

Attacks from China coming in; Custom logs being output with geodata

Image Analysis Dataflow

World map of incoming attacks after 24 hours (built custom logs including geodata)

Image Analysis Dataflow

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages