diyaajith/SIEM-Sentinel-Map
SIEM-Sentinel-Map: Failed RDP to IP Geolocation Information

Description

The PowerShell script in this repository extracts details of failed RDP (Remote Desktop Protocol) logon attempts from the Windows Event Log, then queries an external API to geolocate the source IP addresses of the attackers.

The script runs inside a VM that I set up as a decoy (honeypot) and connected to Azure Sentinel, a Security Information and Event Management (SIEM) system. We observe attacks in real time, specifically RDP brute-force attempts originating from locations around the world. To make this visible, a custom PowerShell script retrieves geographic information for each attacker's source IP and writes it to a custom log, which is then plotted on an Azure Sentinel map.

Figure: RDP failed-logon event logs mapped to IP geographic information

Languages Used

  • PowerShell: Extract RDP failed logon logs from Windows Event Viewer

Utilities Used

  • ipgeolocation.io: IP Address to Geolocation API
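The following script is an added example of the pipeline described above (failed RDP logons from the Security log, enriched with ipgeolocation.io data and appended to a custom log file for Sentinel to ingest); it is not the repository's own script. It assumes the API key is in the IPGEO_API_KEY environment variable, that the ipgeolocation.io endpoint and response fields (latitude, longitude, country_name, state_prov, city) are as documented by that service, and it uses its own comma-separated key:value line format and file paths, all of which are assumptions rather than the repository's choices.

```powershell
# Added example, not the repository's script. Collects Windows failed-logon
# events, geolocates public source IPs via ipgeolocation.io and appends one
# line per event to a custom log that Azure Sentinel can ingest.
# Assumptions: API key in $env:IPGEO_API_KEY; endpoint and field names per
# ipgeolocation.io docs; file paths and line format chosen for this example.

$ApiKey    = $env:IPGEO_API_KEY
$LogFile   = 'C:\ProgramData\failed_rdp_geo.log'    # assumed path
$StateFile = 'C:\ProgramData\failed_rdp_geo.state'  # last RecordId processed

# Resume from the last enriched record so repeated runs never duplicate lines.
$lastRecord = 0
if (Test-Path $StateFile) { $lastRecord = [int64](Get-Content $StateFile) }

# Event ID 4625 = "An account failed to log on" in the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $lastRecord } |
    Sort-Object RecordId

# Only public IPv4 sources are worth geolocating; '-', loopback, link-local
# and RFC 1918 ranges are skipped (IPv6 is left out of this example).
function Test-PublicIPv4 {
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b[0] -in 0, 10, 127) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    return $true
}

# Per-run cache: brute-force sources repeat thousands of times, so one API
# call per distinct IP keeps the request volume (and quota use) small.
$geoCache = @{}
function Get-GeoInfo {
    param([string]$Ip)
    if ($geoCache.ContainsKey($Ip)) { return $geoCache[$Ip] }
    try {
        $uri  = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
        $resp = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10
        $info = [pscustomobject]@{
            Latitude = $resp.latitude; Longitude = $resp.longitude
            Country  = $resp.country_name; State = $resp.state_prov; City = $resp.city
        }
    } catch {
        # API outage or quota exhaustion: keep the event, just without geodata.
        $info = [pscustomobject]@{ Latitude = ''; Longitude = ''; Country = ''; State = ''; City = '' }
    }
    $geoCache[$Ip] = $info
    return $info
}

foreach ($ev in $events) {
    # Pull named EventData fields (IpAddress, TargetUserName, LogonType) from the event XML.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip = $data['IpAddress']
    if (-not (Test-PublicIPv4 $ip)) { Set-Content -Path $StateFile -Value $ev.RecordId; continue }

    $geo  = Get-GeoInfo $ip
    # Comma-separated key:value line; a Sentinel custom log table can split
    # this in KQL. Layout is this example's own, not the repository's.
    $line = 'latitude:{0},longitude:{1},destinationhost:{2},username:{3},sourcehost:{4},logontype:{5},city:{6},state:{7},country:{8},timestamp:{9}' -f `
        $geo.Latitude, $geo.Longitude, $env:COMPUTERNAME, $data['TargetUserName'], $ip,
        $data['LogonType'], $geo.City, $geo.State, $geo.Country, $ev.TimeCreated.ToString('o')
    Add-Content -Path $LogFile -Value $line

    # Persist progress after every line so a crash mid-run cannot cause replays.
    Set-Content -Path $StateFile -Value $ev.RecordId
}
```

Run it as an elevated account (reading the Security log requires it) on a schedule, and point the Sentinel custom log data source at the log file path. Filtering on LogonType in KQL (10 for RemoteInteractive; 3 for Network, which NLA-protected RDP failures are reported as) narrows the table to RDP if the host also receives other failed logons.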

Figure: Attacks from China coming in; custom logs being output with geodata

Figure: World map of incoming attacks after an hour (built from custom logs including geodata)
