Microsoft Cloud SIEM

Scope of Work:

Wrote a custom PowerShell script to extract event metadata from the Windows Event Viewer and forward it to a third-party API to obtain geolocation data. Configured an Azure Log Analytics Workspace to ingest custom logs containing that geographic information (latitude, longitude, state/province, and country) and used KQL (Kusto Query Language) to limit the data displayed. Built pie charts, bar graphs, and a world map in an Azure Sentinel (SIEM) workbook to show the evolving global attack data for RDP brute-force incidents targeting my virtual machine (honeypot).
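The collector half of that pipeline, as an added example (this is not the project's own script): it reads failed-logon events from the Security log, enriches public source IPs through a geolocation API, and appends one JSON line per attempt to a file that a Log Analytics custom log can pick up. Assumptions are labelled in the comments: the event ID 4625 is the standard Windows failed-logon ID; the ipgeolocation.io endpoint and its response field names are taken from that service's public API shape; the output path and the API-key environment variable are hypothetical.

```powershell
# Added example, not the project's original script.
# Assumptions: event ID 4625 = failed logon (standard Windows ID);
# ipgeolocation.io /ipgeo endpoint and field names latitude, longitude,
# state_prov, country_name (assumed from its public API);
# $LogPath and IPGEO_API_KEY are hypothetical names for this example.

$ApiKey   = $env:IPGEO_API_KEY                 # keep the key out of the script body
$LogPath  = 'C:\ProgramData\honeypot\failed_rdp.log'
$GeoCache = @{}                                # IP -> geo object, avoids repeat API calls

function Test-PublicIPv4 {
    param([string]$Ip)
    # Reject the '-' placeholder 4625 uses for local logons, plus RFC 1918 / loopback / link-local
    return ($Ip -match '^\d{1,3}(\.\d{1,3}){3}$') -and
           ($Ip -notmatch '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Get-GeoInfo {
    param([string]$Ip)
    if ($GeoCache.ContainsKey($Ip)) { return $GeoCache[$Ip] }
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
    try {
        $r   = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10
        $geo = [pscustomobject]@{
            latitude  = $r.latitude
            longitude = $r.longitude
            state     = $r.state_prov
            country   = $r.country_name
        }
    } catch {
        # Keep the event even when the lookup fails; the KQL side filters blank coordinates
        $geo = [pscustomobject]@{ latitude = ''; longitude = ''; state = ''; country = '' }
    }
    $GeoCache[$Ip] = $geo
    return $geo
}

$lastRecordId = 0                              # only emit records newer than the last pass
while ($true) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                           -MaxEvents 200 -ErrorAction SilentlyContinue |
              Where-Object { $_.RecordId -gt $lastRecordId } | Sort-Object RecordId
    foreach ($e in $events) {
        $lastRecordId = $e.RecordId
        # The XML view exposes named EventData fields; no need to regex the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ip = $data['IpAddress']
        if (-not (Test-PublicIPv4 $ip)) { continue }
        $g = Get-GeoInfo $ip
        $record = [pscustomobject]@{
            timestamp       = $e.TimeCreated.ToString('o')
            destinationhost = $env:COMPUTERNAME
            username        = $data['TargetUserName']
            source_ip       = $ip
            latitude        = $g.latitude
            longitude       = $g.longitude
            state           = $g.state
            country         = $g.country
        }
        # One compact JSON object per line; the custom log ingests each line as RawData
        Add-Content -Path $LogPath -Value ($record | ConvertTo-Json -Compress)
    }
    Start-Sleep -Seconds 60
}
```

The cache matters more than it looks: a brute-force source retries thousands of times, and without it every retry would cost an API call and quickly exhaust a free-tier quota. Writing JSON rather than a hand-rolled delimited format also keeps a state or country name containing a comma from breaking the KQL parse later.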


Tools:

  • Windows PowerShell ISE

  • Microsoft Azure SIEM and Virtualization

  • IPGeolocation


Lessons Learned:

  • MITRE ATT&CK Framework

  • Security Information and Event Management (SIEM) tool

  • PowerShell Scripting

  • API

  • Firewall Configuration

  • Log Analytics

  • Virtualization (Honeypot)

  • Kusto Query Language (KQL)


Challenges:

During the project, we encountered challenges in querying data with KQL using the logs we generated. I had a workaround to implement and visualize the ingested logs through bar graphs or pie charts. Subsequently, as a collaborative effort within the community, we successfully identified a script that proved effective, enabling us to represent the results in a heat map as intended.
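The query half, as an added example that is not the page's own script: the KQL below turns the raw custom-log lines into the columns a Sentinel workbook map needs (coordinates, country, attempt count), and the surrounding PowerShell runs it against the workspace with the Az.OperationalInsights module so the result can be checked before it is pasted into a workbook. The table name FAILED_RDP_CL is hypothetical (custom log tables do take the _CL suffix); the workspace ID is a placeholder, and the JSON field names match the collector example's assumed record layout.

```powershell
# Added example, not the project's original query.
# Assumptions: the custom log table is named FAILED_RDP_CL (hypothetical name,
# real _CL suffix convention), each RawData row is one JSON object with the
# fields used below, and Az.OperationalInsights is installed and logged in.

$WorkspaceId = '<your-log-analytics-workspace-id>'   # placeholder

# KQL: parse the JSON, drop rows whose lookup failed, aggregate per source.
# 'summarize' collapses thousands of retries into one row per IP, which is
# what a map needs; 'order by' surfaces the noisiest sources first.
$Query = @'
FAILED_RDP_CL
| extend d = parse_json(RawData)
| extend source_ip = tostring(d.source_ip),
         username  = tostring(d.username),
         country   = tostring(d.country),
         state     = tostring(d.state),
         latitude  = todouble(d.latitude),
         longitude = todouble(d.longitude),
         event_time = todatetime(d.timestamp)
| where isnotempty(latitude) and isnotempty(longitude)
| where event_time > ago(24h)
| summarize attempts = count(),
            distinct_users = dcount(username),
            first_seen = min(event_time),
            last_seen  = max(event_time)
    by source_ip, country, state, latitude, longitude
| extend label = strcat(country, ' - ', source_ip)
| order by attempts desc
'@

function Get-RdpAttackSummary {
    param([string]$WorkspaceId, [string]$Query)
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query
    # Results come back as an enumerable of row objects, one per summarized source
    return @($result.Results)
}

$rows = Get-RdpAttackSummary -WorkspaceId $WorkspaceId -Query $Query
$rows | Select-Object country, state, source_ip, attempts, distinct_users, last_seen |
        Format-Table -AutoSize
```

In the workbook, the same query drives the map by binding latitude and longitude to the location fields, `attempts` to the marker size or heat, and `label` to the tooltip. The `where isnotempty(...)` line is what prevents the blank-coordinate rows written on a failed lookup from collapsing onto a single point at 0,0, which is one of the easier ways for a map visualization to look wrong while the query itself runs without error.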

