This repository contains a PowerShell script that parses Windows Event Log entries for failed Remote Desktop Protocol (RDP) logon attempts. It uses a third-party API, such as ipgeolocation.io, to look up the geographic location of each attacking IP address.

The script is used in a demo scenario in which Azure Sentinel (SIEM) is connected to a live virtual machine acting as a honeypot. This setup allows live RDP brute-force attacks from locations around the world to be observed. The custom PowerShell script extracts the attackers' geolocation data, which is then plotted on an Azure Sentinel map for visualization.
- Understanding of PowerShell scripting for log parsing and automation.
- Integration of third-party APIs for geolocation lookup.
- Utilization of Azure Sentinel for SIEM and visualization purposes.
- Knowledge of RDP attack patterns and defensive strategies.
- Hands-on experience in cybersecurity threat detection and response.

- PowerShell for scripting and automation.
- Third-party geolocation API for retrieving attacker locations.
- Azure Sentinel for SIEM and visualization.
- Windows Event Log for capturing RDP attack logs.
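The workflow described above (read failed RDP logons from the Security log, geolocate the public source IPs, write rows for Sentinel to ingest), as an added example that is not the repository's own script. It assumes an ipgeolocation.io key in the `IPGEO_API_KEY` environment variable and the field names (`country_name`, `state_prov`, `city`, `latitude`, `longitude`) of that service's `/ipgeo` response; the CSV file name and parameter names are likewise illustrative.

```powershell
param(
    [int]$MaxEvents = 200,
    [string]$OutFile = (Join-Path (Get-Location) 'failed_rdp_geo.csv')
)

# Assumed: an ipgeolocation.io key in $env:IPGEO_API_KEY (not part of the repository).
$apiKey = $env:IPGEO_API_KEY
if (-not $apiKey) { throw 'Set IPGEO_API_KEY before running.' }

# Event ID 4625 = failed logon. Reading the Security log requires an elevated shell.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$cache = @{}   # one API call per source IP; the lookup service is rate-limited
$rows = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip = $data['IpAddress']
    # Skip local failures ('-') and non-routable sources; geolocating them is meaningless
    if (-not $ip -or $ip -eq '-' -or
        $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)') { continue }
    # Logon type 10 = RemoteInteractive (RDP); type 3 appears when NLA rejects the credentials
    if ($data['LogonType'] -notin @('10', '3')) { continue }

    if (-not $cache.ContainsKey($ip)) {
        try {
            $cache[$ip] = Invoke-RestMethod -Uri "https://api.ipgeolocation.io/ipgeo?apiKey=$apiKey&ip=$ip" -TimeoutSec 10
        } catch {
            $cache[$ip] = $null   # keep the row, just without geo fields
        }
    }
    $geo = $cache[$ip]
    [pscustomobject]@{
        Timestamp = $e.TimeCreated.ToString('o')
        SourceIp  = $ip
        Username  = $data['TargetUserName']
        LogonType = $data['LogonType']
        Country   = $geo.country_name   # field names assumed from the /ipgeo response
        State     = $geo.state_prov
        City      = $geo.city
        Latitude  = $geo.latitude
        Longitude = $geo.longitude
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $(@($rows).Count) failed RDP logon rows to $OutFile"
```

The per-IP cache matters on a honeypot: a single brute-force source can produce thousands of 4625 events, and each uncached lookup would count against the API quota.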

