JTCyberTech / Cybersecurity-Home-Labs


Part 3: Create Custom Log and World Map #3

Open JTCyberTech opened 1 year ago

JTCyberTech commented 1 year ago

Description:

In this project phase, I will establish a tailored log configuration within our log analytics workspace, facilitating the integration of geospatial data into our analytical framework. To accomplish this, I will employ the "failed_rdp.log" format, training our log analytics system to effectively identify and interpret the relevant information. Then, we will proceed to generate a specialized extraction field from the unprocessed custom log data. Ultimately, we will incorporate a world map visualization to showcase the locations of the attackers.

Creating Custom Log in Log Analytics Workspace

1. In our VM, copy all contents of failed_rdp - Notepad
   - Go back to our desktop > create a Notepad document, and paste all content there
   - Save it, name: failed_rdp.log
2. In our own Desktop, Azure Portal search bar, search: Log Analytics workspaces
3. Click on law-honeypot > Click on "Tables" underneath the settings

Navigation to Create Custom Logs

4. Click Create > New custom log (MMA-based)

Create Custom Log

5. Click Select file and use failed_rdp.log > Next > Next

Selecting the File

6. In Collection paths:
   - Type: Windows
   - Path: C:\ProgramData\failed_rdp.log

Collection Paths

7. Details > Create
   - Custom log name: FAILED_RDP_WITH_GEO

Create Custom Log Overview

8. Test Logs:
   - Go to Logs in the Log Analytics Workspace
   - Type in: SecurityEvent | where EventID == 4625 > Run
   - The result lists all the failed login attempts against our honeypot

Testing Logs

9. Wait until you can run FAILED_RDP_WITH_GEO_CL in Logs

Wait For Logs

10. After 15 minutes, once FAILED_RDP_WITH_GEO_CL returns results, paste this whole query and run it:

```kusto
FAILED_RDP_WITH_GEO_CL
| extend
    username = extract(@"username:([^,]+)", 1, RawData),
    timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
    latitude = extract(@"latitude:([^,]+)", 1, RawData),
    longitude = extract(@"longitude:([^,]+)", 1, RawData),
    sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
    state = extract(@"state:([^,]+)", 1, RawData),
    label = extract(@"label:([^,]+)", 1, RawData),
    destination = extract(@"destinationhost:([^,]+)", 1, RawData),
    country = extract(@"country:([^,]+)", 1, RawData)
| where destination != "samplehost"
| where sourcehost != ""
| summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country
```

Running Code for Custom Extract Field
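To check the nine extract() regexes and the two filters against a copy of failed_rdp.log before the custom table finishes ingesting, here is an added Python re-implementation of the query's parse, filter and summarize steps (example code, not part of the original lab). It assumes each log line is a comma-separated list of key:value pairs using the keys the query names; the sample lines below are constructed, with documentation-range IPs.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the key:value,key:value format the
# query assumes. The first line is the "samplehost" placeholder row the query
# drops; the last line has empty geo/source fields and is dropped too.
SAMPLE_LOG = """\
latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,sourcehost:198.51.100.7,state:Washington,country:United States,label:United States - 198.51.100.7,timestamp:2023-04-01 10:00:00
latitude:55.7558,longitude:37.6173,destinationhost:honeypot-vm,username:administrator,sourcehost:203.0.113.10,state:Moscow,country:Russia,label:Russia - 203.0.113.10,timestamp:2023-04-01 10:05:12
latitude:55.7558,longitude:37.6173,destinationhost:honeypot-vm,username:admin,sourcehost:203.0.113.10,state:Moscow,country:Russia,label:Russia - 203.0.113.10,timestamp:2023-04-01 10:05:40
latitude:,longitude:,destinationhost:honeypot-vm,username:admin,sourcehost:,state:,country:,label:,timestamp:2023-04-01 10:06:00
"""

# column name in the query -> key that the regex looks for in RawData
FIELDS = {
    "username": "username", "timestamp": "timestamp", "latitude": "latitude",
    "longitude": "longitude", "sourcehost": "sourcehost", "state": "state",
    "label": "label", "destination": "destinationhost", "country": "country",
}
# the "summarize ... by" columns, in the query's order
GROUP_BY = ("latitude", "longitude", "sourcehost", "label", "destination", "country")


def extract(key, raw):
    """Mirror KQL extract(@"key:([^,]+)", 1, RawData): capture group 1, or '' if no match."""
    m = re.search(rf"{key}:([^,]+)", raw)
    return m.group(1) if m else ""


def parse_line(raw):
    """The '| extend' step: one dict with the nine extracted columns."""
    return {col: extract(key, raw) for col, key in FIELDS.items()}


def summarize(lines):
    """The two '| where' filters plus '| summarize event_count=count() by ...'."""
    counts = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        row = parse_line(raw)
        if row["destination"] == "samplehost" or row["sourcehost"] == "":
            continue
        counts[tuple(row[c] for c in GROUP_BY)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(n, dict(zip(GROUP_BY, key)))
```

If a row you expect on the map is missing here, the regex is the cause, not ingestion: a value containing a comma is cut at the comma, and an empty sourcehost drops the row entirely.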

Creating a World Map

1. In our own Desktop, [Azure Portal](https://portal.azure.com/?quickstart=true#home) search bar, search: Sentinel
2. Go to Workbooks under Threat Management > Add Workbook > Edit > remove everything
3. Add query and paste the same code above > run query
4. Change:
   - Visualization: Map
   - Size: Full
   - Metric Setting on the right: Label
5. Save > name: Failed RDP World Map
6. Created our Failed RDP World Map

Successfully Created Failed RDP World Map

Hackers Brute Forcing the Honeypot

Result After 5 hours: Failed RDP World Map

Result After 10 hours: Failed RDP World Map

Reached 1000 API requests