SIEM | Azure Sentinel MAP Tutorial

Ajtrbovic
3 min read · Aug 23, 2023


In this lab, I created an Azure Sentinel SIEM and set up a virtual machine to act as a honey pot. Using IPGeolocation, PowerShell, and Azure Sentinel we are able to view live RDP attacks from across the globe.

Image taken from Josh Madakor’s YouTube
1. The first step in this project is to create a Microsoft Azure trial account. This gives you the ability to set up the VM, Sentinel, and logs within Azure.

2. Here are the settings you will want to use to create the VM on Azure. We will purposely open up all ports to allow attacks to flood into the honey pot.

3. Create an IPGeolocation API account. This is the API we will use to look up where the source IP addresses of the RDP attempts are located.

4. Connect to the VM via RDP and make sure to turn off the firewall. (WITHIN THE VM!)

5. Open PowerShell ISE and run the following script after replacing the API key with the key you receive from the IPGeolocation API. https://github.com/joshmadakor1/Sentinel-Lab/blob/main/Custom_Security_Log_Exporter.ps1

You can see below that the script is working. You are already able to see RDP attempts being logged. The File Explorer window to the right shows where this data is being saved locally in the .log file.

6. Now you will put this data into Azure. Copy the .log file onto your personal machine. Create a custom log and paste the .log data in as the sample. Then enter the actual file path on the VM so the data is collected from there.

7. Go to Logs and run SecurityEvent. Then query the new custom log you created. The login attempts will then populate below.

8. Create a new workbook. Enter the following query, replacing the table name with the name of the custom log you created:

    <name of your created log here>
    | extend username = extract(@"username:([^,]+)", 1, RawData),
             timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
             latitude = extract(@"latitude:([^,]+)", 1, RawData),
             longitude = extract(@"longitude:([^,]+)", 1, RawData),
             sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
             state = extract(@"state:([^,]+)", 1, RawData),
             label = extract(@"label:([^,]+)", 1, RawData),
             destination = extract(@"destinationhost:([^,]+)", 1, RawData),
             country = extract(@"country:([^,]+)", 1, RawData)
    | where destination != "samplehost"
    | where sourcehost != ""
    | summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country

Change the visualization and you will now see it in a map format!
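As an added example (not part of the original post or of the lab's own files), here is the same extract / filter / summarize logic as the workbook query, run offline in Python over constructed log lines in the exporter's "key:value,key:value" layout. The field names match the query; the hosts, addresses and locations are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the "key:value,key:value" layout the workbook query
# parses with extract(@"key:([^,]+)", 1, RawData). The first line mimics the
# placeholder record fed to the custom-log wizard (destinationhost:samplehost);
# the last line has an empty sourcehost, as happens when geolocation fails.
SAMPLE_LOG = """\
latitude:0,longitude:0,destinationhost:samplehost,username:fakeuser,sourcehost:0.0.0.0,state:Sample,country:Sample,label:Sample - 0.0.0.0,timestamp:2023-08-23 10:00:00
latitude:48.85,longitude:2.35,destinationhost:honeypot-vm,username:administrator,sourcehost:203.0.113.10,state:Ile-de-France,country:France,label:France - 203.0.113.10,timestamp:2023-08-23 10:01:12
latitude:48.85,longitude:2.35,destinationhost:honeypot-vm,username:admin,sourcehost:203.0.113.10,state:Ile-de-France,country:France,label:France - 203.0.113.10,timestamp:2023-08-23 10:01:15
latitude:35.68,longitude:139.69,destinationhost:honeypot-vm,username:test,sourcehost:198.51.100.7,state:Tokyo,country:Japan,label:Japan - 198.51.100.7,timestamp:2023-08-23 10:02:40
latitude:,longitude:,destinationhost:honeypot-vm,username:guest,sourcehost:,state:,country:,label:,timestamp:2023-08-23 10:03:01
"""

# The nine fields the workbook query pulls out of RawData.
FIELDS = ("username", "timestamp", "latitude", "longitude", "sourcehost",
          "state", "label", "destinationhost", "country")

# Columns the query summarizes by (event_count = count() by ...).
GROUP_BY = ("latitude", "longitude", "sourcehost", "label", "destinationhost", "country")


def extract(key: str, raw: str) -> str:
    """Mirror KQL extract(@"key:([^,]+)", 1, raw): empty string when no match."""
    m = re.search(rf"{key}:([^,]+)", raw)
    return m.group(1) if m else ""


def parse_line(raw: str) -> dict:
    """Turn one exporter line into a record with all nine fields."""
    return {field: extract(field, raw) for field in FIELDS}


def summarize(log_text: str) -> Counter:
    """Apply the query's two filters, then count events per map point."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Drop the wizard's sample record and rows with no geolocated source.
        if rec["destinationhost"] == "samplehost" or rec["sourcehost"] == "":
            continue
        counts[tuple(rec[c] for c in GROUP_BY)] += 1
    return counts
```

Each key of the returned Counter is one point the map visualization would plot, with the count as the event_count column.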

Here are my results within minutes!
