SIEM-Sentinel-Map: Failed RDP to IP Geolocation Information
Description
The PowerShell script in this repository extracts details of failed RDP (Remote Desktop Protocol) logon attempts from the Windows Event Log, then queries an external API for geographical data about the attackers' source addresses.
The script runs on a Windows virtual machine that I deploy as a decoy for attackers and connect to Azure Sentinel, a Security Information and Event Management (SIEM) system. This lets us observe attacks in real time, specifically RDP brute-force attempts originating from locations around the world. To make the demonstration more useful, a custom PowerShell script retrieves geographical information about the attackers, which is then plotted on an Azure Sentinel map.
Languages Used
PowerShell: extracts failed RDP logon events from the Windows Event Log (Event Viewer)
Utilities Used
ipgeolocation.io: IP Address to Geolocation API
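The following is an added example of the collection loop described above; it is not the repository's own script. It assumes the ipgeolocation.io API key is in `$env:IPGEO_API_KEY`, writes to an assumed log path, and relies on the standard Windows Security event 4625 ("An account failed to log on") and the field names of the ipgeolocation.io `ipgeo` response.

```powershell
# Added example (not the repository's script): read failed logons (Event ID 4625)
# from the Security log, geolocate each public source IP via ipgeolocation.io, and
# append a custom log line that Azure Sentinel can ingest as a custom log.
$ApiKey  = $env:IPGEO_API_KEY                 # assumption: key supplied via environment
$LogFile = 'C:\ProgramData\failed_rdp.log'    # assumption: custom log path Sentinel watches
$GeoCache = @{}                               # IP -> geolocation result, avoids repeat lookups

# Private, loopback and link-local ranges carry no useful geolocation; skip them.
$PrivateIp = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|fe80|::1$|-$)'

# 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive (RDP);
# NLA brute force often appears as LogonType 3, so the type is recorded, not filtered.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($Evt in $Events) {
    # Pull the named EventData fields (IpAddress, TargetUserName, LogonType) from the event XML
    $Xml  = [xml]$Evt.ToXml()
    $Data = @{}
    foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }

    $Ip = $Data['IpAddress']
    if ([string]::IsNullOrEmpty($Ip) -or $Ip -match $PrivateIp) { continue }

    if (-not $GeoCache.ContainsKey($Ip)) {
        try {
            $Uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
            $GeoCache[$Ip] = Invoke-RestMethod -Uri $Uri -Method Get -TimeoutSec 10
        } catch {
            Write-Warning "Geolocation lookup failed for $Ip : $_"
            continue
        }
    }
    $Geo = $GeoCache[$Ip]

    # Field names (country_name, state_prov, city, latitude, longitude) are assumed to
    # match the ipgeolocation.io 'ipgeo' response; adjust if the API version differs.
    $Line = 'timestamp:{0},sourcehost:{1},username:{2},logontype:{3},latitude:{4},longitude:{5},country:{6},state:{7},city:{8}' -f `
        $Evt.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'), $Ip, $Data['TargetUserName'], $Data['LogonType'], `
        $Geo.latitude, $Geo.longitude, $Geo.country_name, $Geo.state_prov, $Geo.city
    Add-Content -Path $LogFile -Value $Line
}
```

Run it on a schedule so new 4625 events are geolocated as they arrive; the key-value line format is what a Sentinel custom log parser (KQL `extract`) can split into columns for the map.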
Screenshot: attacks from China coming in; custom logs being output with geodata.
Screenshot: world map of incoming attacks after an hour, built from the custom logs including geodata.