Microsoft Cloud SIEM
Scope Of Work:
Utilized a custom PowerShell script to extract metadata from Windows Event Viewer and forward it to a third-party API to derive geolocation data. Configured an Azure Log Analytics Workspace to ingest custom logs containing geographic information (latitude, longitude, state/province, and country) and filtered the data displayed with KQL (Kusto Query Language). Created visual representations using pie charts, bar graphs, and world maps in an Azure Sentinel (SIEM) Workbook to demonstrate the evolving global attack data for RDP brute-force incidents targeting my virtual machine (honeypot).
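The collection step described above, as an added example (this is not the project's own script): it reads failed logon events (Security Event ID 4625) from the Windows event log, looks up the source address with a geolocation API, and appends one record per event to a flat file that a Log Analytics custom log can ingest. The ipgeolocation.io endpoint URL and response field names (latitude, longitude, state_prov, country_name), the $ApiKey and $LogPath values, and the key:value layout of the log line are assumptions for illustration.

```powershell
# Added example, not the project's own script.
# Assumptions: ipgeolocation.io REST endpoint and its response field names,
# an API key in $ApiKey, and $LogPath as the file the Log Analytics agent watches.
$ApiKey   = 'YOUR_API_KEY_PLACEHOLDER'        # placeholder, never commit a real key
$LogPath  = 'C:\ProgramData\failed_rdp.log'   # assumed path configured as a custom log source
$Lookback = (Get-Date).AddMinutes(-10)        # only events since the last scheduled run

# Cache lookups per source IP: a brute-force source generates thousands of 4625 events,
# and one API call per attempt would quickly exhaust a free-tier quota.
$GeoCache = @{}

function Get-GeoInfo {
    param([string]$Ip)
    if ($GeoCache.ContainsKey($Ip)) { return $GeoCache[$Ip] }
    try {
        $uri  = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"   # assumed endpoint
        $resp = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10
        $info = [pscustomobject]@{
            Latitude  = $resp.latitude
            Longitude = $resp.longitude
            State     = $resp.state_prov
            Country   = $resp.country_name
        }
    } catch {
        # Rate limit or network failure: keep the event, mark the location unknown
        $info = [pscustomobject]@{ Latitude = ''; Longitude = ''; State = ''; Country = '' }
    }
    $GeoCache[$Ip] = $info
    return $info
}

# Event ID 4625 = "An account failed to log on". Reading the Security log requires an
# elevated session. RDP attempts show up as logon type 3 (network) or 10 (RemoteInteractive).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Lookback } `
                       -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Parse the event XML so fields are read by name rather than by message position
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip = $data['IpAddress']
    # Skip empty, placeholder and loopback sources; only routable addresses can be geolocated
    if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }

    $geo = Get-GeoInfo -Ip $ip

    # One single-line record per event. Log Analytics custom logs split the file on newlines
    # and store each line in RawData; the key:value pairs are pulled apart later in KQL.
    $fields = @(
        $geo.Latitude, $geo.Longitude, $env:COMPUTERNAME, $data['TargetUserName'], $ip,
        $geo.State, $geo.Country, $evt.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
    )
    $line = 'latitude:{0},longitude:{1},destinationhost:{2},username:{3},sourcehost:{4},state:{5},country:{6},label:{6} - {4},timestamp:{7}' -f $fields
    Add-Content -Path $LogPath -Value $line
}
```

Run it from an elevated PowerShell session on the honeypot on a schedule (Task Scheduler every few minutes matches the ten-minute lookback), and point the Log Analytics custom log definition at $LogPath so each line lands in the custom table's RawData column. On the query side, the workbook map then needs the coordinates as separate columns, which is what the KQL `parse` operator is for, e.g. `| parse RawData with * "latitude:" latitude:string ",longitude:" longitude:string "," *` followed by `todouble()` on both fields; if the pattern does not match the line layout exactly, the columns come back empty and the map stays blank, which is the usual cause of the "logs ingest but the map shows nothing" symptom.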
Tools:
Windows PowerShell ISE
Microsoft Azure SIEM and Virtualization
IPGeolocation
Lessons Learned:
MITRE ATT&CK Framework
Security Information and Event Management (SIEM) Tool
PowerShell Scripting
API
Firewall Configuration
Log Analytics
Virtualization (Honeypot)
Kusto Query Language (KQL)
Challenges:
During the project, we encountered challenges in querying data with KQL using the logs we generated. I had a workaround to implement and visualize the ingested logs through bar graphs or pie charts. Subsequently, as a collaborative effort within the community, we successfully identified a script that proved effective, enabling us to represent the results in a heat map as intended.