Skip to content

yerdaulete/SIEM-Lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
images
images
 
 
Custom_Security_Log_Exporter.ps1
Custom_Security_Log_Exporter.ps1
 
 
README.md
README.md
 
 

Repository files navigation

Failed RDP to IP Geolocation Information

Description

The Powershell script in this repository is responsible for parsing out Windows Event Log information for failed RDP attacks and using a third party API to collect geographic information about the attackers location.

The script is used in this demo where I setup Azure Sentinel (SIEM) and connect it to a live virtual machine acting as a honey pot. We will observe live attacks (RDP Brute Force) from all around the world. I will use a custom PowerShell script to look up the attackers Geolocation information and plot it on an Azure Sentinel Map!

https://github.com/yerdaulete/SIEM-Lab/blob/main/41.19.jpeg

Languages Used

  • PowerShell: Extract RDP failed logon logs from Windows Event Viewer

Utilities Used

  • ipgeolocation.io: IP Address to Geolocation API

Attacks from Mexico coming in; Custom logs being output with geodata

https://github.com/yerdaulete/SIEM-Lab/blob/main/42.22.jpeg

World map of incoming attacks after 24 hours (built custom logs including geodata)

https://github.com/yerdaulete/SIEM-Lab/blob/main/46.08.jpeg

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages