The SIEM Azure Sentinel Attack Map project is designed to help monitor and visualize failed login attempts to a virtual machine in Microsoft Azure. By creating a log analytics workspace, integrating with Azure Security Center, and leveraging Azure Sentinel, this project enables you to detect and respond to potential security threats in real-time.
- Real-time monitoring and visualization of failed login attempts
- Integration with Azure Security Center for advanced threat detection and protection
- Customizable log data extraction and storage
- Automated alerts for potential security threats
The SIEM Azure Sentinel Attack Map project is built on top of Microsoft Azure and integrates with various security tools and technologies, including:
- Virtual Machine for hosting your applications and storing your data
- Log Analytics Workspace for centralizing and analyzing log data
- Azure Security Center for monitoring and protecting your Azure resources
- Azure Sentinel for advanced threat detection and protection
To set up the SIEM Azure Sentinel Attack Map project for monitoring failed login attempts, follow these steps:
- Create a Microsoft Azure subscription and deploy a virtual machine in Azure.
- Allow all traffic in the firewall settings of the virtual machine.
- Create a Log Analytics Workspace to centralize and analyze log data.
- Enable gathering VM logs in Azure Security Center to detect potential security threats.
- Connect Log Analytics to the virtual machine to extract and store log data.
- Set up Azure Sentinel to monitor the log data and send automated alerts when potential security threats are detected.
- Log into the virtual machine with Remote Desktop and initiate a failed login attempt to generate log data.
- Observe Event Viewer Logs in the virtual machine to confirm the log data has been generated.
- Turn off the Windows Firewall on the virtual machine to allow the PowerShell script to run.
- Download the PowerShell script (log_exporter.ps1) to extract geo data from attackers.
- Get a Geolocation.io API Key to use with the PowerShell script (line 2).
- Run the PowerShell script to extract geo data from attackers and store it in the Log Analytics Workspace.
- Create a custom log in Log Analytics Workspace to bring in the extracted geo data.
- Create custom fields and extract fields from raw custom log data to make it easily searchable and understandable.
- Test the custom fields and extracts to ensure they are working correctly.
- Set up a map in Azure Sentinel with Latitude and Longitude or country to visualize the geo data and failed login attempts.
- Fix any map plot sizes to ensure they are accurate and easy to read.
The SIEM Azure Sentinel Attack Map project is a comprehensive security solution that enables organizations to monitor and visualize failed login attempts in real-time. By integrating with various security tools and technologies, this project provides a powerful solution for detecting and responding to potential security threats.