{"id":22880584,"url":"https://github.com/darvinpatel/sentinelmap","last_synced_at":"2025-07-30T20:04:15.472Z","repository":{"id":215547258,"uuid":"739212868","full_name":"darvinpatel/sentinelMap","owner":"darvinpatel","description":"This repository offers tools and scripts for mapping and visualizing Microsoft Sentinel data. It includes utilities for extracting, analyzing, and presenting security information from Sentinel, helping to create detailed security maps and dashboards for improved threat analysis.","archived":false,"fork":false,"pushed_at":"2024-09-18T01:14:31.000Z","size":64212,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-31T15:36:20.069Z","etag":null,"topics":["azure","azure-sentinel","honeypot","kql","log-analytics-workspace","log-ingestion","powershell","virtual-machine","workbooks"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darvinpatel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-05T03:10:00.000Z","updated_at":"2024-09-18T01:14:35.000Z","dependencies_parsed_at":"2024-12-13T17:29:56.497Z","dependency_job_id":null,"html_url":"https://github.com/darvinpatel/sentinelMap","commit_stats":null,"previous_names":["darwindpatel/sentinelmap","darvinpatel/sentinelmap"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/darvinpatel/sentinelMap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darvinpatel%2Fsentine
lMap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darvinpatel%2FsentinelMap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darvinpatel%2FsentinelMap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darvinpatel%2FsentinelMap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darvinpatel","download_url":"https://codeload.github.com/darvinpatel/sentinelMap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darvinpatel%2FsentinelMap/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267930586,"owners_count":24167472,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-30T02:00:09.044Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-sentinel","honeypot","kql","log-analytics-workspace","log-ingestion","powershell","virtual-machine","workbooks"],"created_at":"2024-12-13T17:19:35.164Z","updated_at":"2025-07-30T20:04:14.526Z","avatar_url":"https://github.com/darvinpatel.png","language":"PowerShell","readme":"![](images/Azurelogo.png)\n\n# SIEM | Microsoft Sentinel Map with LIVE CYBER ATTACKS\n\n### Summary\nSIEM stands for Security Information and Event Management System. 
It is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations. It is a tool that collects event log data from a range of sources within a network such as firewalls, IDS/IPS, identity solutions, etc. This allows security professionals to monitor, prioritize, and remediate potential threats in real time. A honeypot is a security mechanism that creates a virtual trap in a controlled and safe environment to lure attackers. It is an intentionally compromised computer system used to study how attackers work, examine different types of threats, and improve security policies. This lab's purpose is to understand how to collect honeypot attack log data, query it in a SIEM, and display it in a way that makes such data easy to understand. In this case, it will be displayed on a world map by event count and geolocation.\n\n![](images/img1.png)\n\u003e FINAL RESULTS: Visual map displaying failed RDP login attempts to a honeypot vm, plotted by the location resolved from the source IP, with an attack counter\n\n### Learning Objectives:\n1. Provisioning and de-provisioning virtual environments such as virtual machines, Log Analytics Workspaces, and Azure Sentinel within Azure.\n2. Understand Windows Security Event logs.\n3. Third-party API calls.\n4. Utilization of KQL to query logs.\n5. Security Information and Event Management - log analysis and visualization.\n6. Display attack data on a dashboard with Workbooks (World Map)\n\u003e NOTE: Since we will utilize RDP you will need a Windows host machine - a Windows virtual machine will also work.\n\n### Technologies and Protocols:\n* Microsoft Azure - a cloud computing service operated by Microsoft for application management via Microsoft-managed data centers\n* Services within Azure: Log Analytics Workspace and Sentinel (Microsoft's SIEM)\n* Powershell\n* Remote Desktop Protocol\n\n### Overview:\n![](images/azure.png)\n\n\u003e Step-by-step overview of lab:\n1. Create Azure subscription (FREE $200 credits)\n2. Create virtual machine in Azure (honeypot-vm) \u003e turn firewalls off (making it vulnerable to brute force attacks)\n3. Use a Powershell script to extract the IP addresses of attackers \u003e feed each IP into a third-party API, which returns specific location information to honeypot-vm.\n4. Create log repository in Azure (Log Analytics Workspace) - this will ingest our logs from honeypot-vm\n5. Set up Sentinel - Microsoft’s cloud native SIEM\n6. Use data from SIEM to map out attacker information and magnitude\n\n## Step 1: Create FREE Azure account: [Azure](https://azure.microsoft.com/en-us/free/ \"Azure\")\n- Click on “Go to the Azure Portal” or go to `portal.azure.com` once you create your account.\n\n![](images/img2.PNG)\n\n## Step 2: Create our honey pot virtual machine\n- In the search bar, search and click virtual machine\n- This will be the honey pot virtual machine made to entice attackers from all over the world\n\n![](images/img3.PNG)\n\n## Step 3: On the “virtual machines” page click Create \u003e Azure virtual machine\n- Edit the virtual machine as follows:\n- Click create new under resource group and name it (this resource group is a logical grouping of similar resources)\n- Name the virtual machine\n- Under region select\n- Under Image select\n- Availability zone\n- Size\n- Create a username and password - **don’t forget credentials**\n- Finally, check confirm box - leaving the rest in their default options\n\n![](images/img10.PNG)\n\n## Step 4: Click \u003e Next: Disk but leave it as is, click to continue to Networking\n- Under *NIC network security group* select \u003e Advanced and under *Configure network security group* select Create new\n- You should see a default rule (something like 1000: default-allow-rdp), click the three dots to the right of it and **remove** it.\n- Select *Add an inbound rule*\n- Match the settings of the new rule as follows:\n- Set *Destination port ranges*: *\n- Priority: 100\n- Name: Danger_All_Traffic_Inbound_Allowed\n- Leave the rest of the settings as default\n- Click Add \u003e OK \u003e Review + create - wait a bit to load and click Create\n\n![](images/img11.PNG)\n![](images/img12.PNG)\n\n\u003e The point of this new firewall rule is to allow any traffic from anywhere. This will make our virtual machine very discoverable.\n\n## Step 5: Create Log Analytics workspace\n- As we wait for our vm to deploy, go back to the search bar and search and click *Log Analytics workspaces*\n\n![](images/img13.PNG)\n![](images/img14.PNG)\n\n\u003e The purpose of this workspace is to ingest logs from our vm. Additionally, we will create our own custom logs that will contain geographic information on who is attacking us. Later, our MS SIEM will feed logs into here.\n\n- Select the blue Create log analytics workspace button\n- Under the Basics tab\n- Resource group\n- Name\n- Region\n- Click Review + Create and click Create\n\n## Step 6A: Enable log collection from vm to log workspace\n- Back in the search bar search and click *Microsoft Defender for Cloud*\n- Once on the dashboard click \u003e Environment Settings \u003e (through the drop down menus) \u003e log-honeypot-1\n\n![](images/img15.PNG)\n![](images/img16.PNG)\n\n## Step 6B: Under log-honeypot-1 select *Defender Plans* and set *Servers* ON, *SQL servers on machines* OFF, and *Cloud Security Posture Management* ON. Hit save.\n- Under *Data Collection* tab select *All Events*. Hit save.\n\n![](images/img17.PNG)\n![](images/img18.PNG)\n\n\n## Step 7: Connect Log Analytics workspace to our vm\n- On the search bar select Log Analytics workspace\n- Select log-honeypot-11 \u003e Virtual Machines \u003e honeypot-vm\n- After clicking honeypot-vm, click **Connect**\n- It will take some time to successfully connect; you should get a message confirming connection.\n\n![](images/img19.PNG)\n![](images/img20.PNG)\n\n## Step 8: Add Microsoft Sentinel to our workspace\n- In search bar find **Microsoft Sentinel**\n- Click Create Microsoft Sentinel \u003e select log-honeypot-11 \u003e Add\n- This will also take some time\n\n![](images/img21.PNG)\n\n\n## Step 9A: Log into vm through host machine\n- Through the search bar, find our honeypot-vm \u003e copy the Public IP address\n![](images/img22.PNG)\n\n\n## Step 9B: RDP from host Windows machine\n- On your Windows machine (Windows vm will also work) search and open *Remote Desktop Connection*\n- Paste your Azure IP into *Computer*\n- Before connecting, click Display and scale down display configuration for easier viewing\n- Click connect\n- In the *Enter your credentials* window click more choices \u003e Use a different account\n- Enter invalid credentials in order to generate a log for later viewing.\n- Then enter the credentials we created for our Azure vm in Step 3, click OK.\n- Accept the certificate warning\n- You should be logged into the vm when you see “Remote Desktop Connection” at the top of the screen.\n\n![](images/img23.PNG)\n![](images/img24.PNG)\n![](images/img25.PNG)\n\n\u003e Please note that I have used Microsoft Remote Desktop to RDP into my VM as my host machine is Mac OS X\n\n## Step 10A: Set up vm and explore\n- Click NO to all privacy settings and Accept\n- Set up Edge\n- Search and click *Event Viewer*\n- Click Windows Logs \u003e Security and find the Audit Failure log (our failed login attempt; if you don’t see it at first, filter the current log by “Audit Failure”, found to the left)\n\n![](images/img26.PNG)\n![](images/img27.PNG)\n\n\u003e The Source Network Address will represent the attacker’s IPs and eventually where on Earth they are attacking us!\n\u003e But in order to do this we need to send this network address to a third party API… but more on that later.\n\n## Step 10B: Turn off firewall to make vm more susceptible to attack\n- Open command prompt on your **host** machine and try to ping the Azure vm - it shouldn’t work!\n- Search and open wf.msc on Azure vm - *remember* to keep an eye on the vm IP at the very top to confirm you’re in the vm and NOT on your host, to avoid confusion.\n- Click Windows Defender Firewall Properties near the middle of the page\n- Under the Domain Profile \u003e Firewall state: OFF\n- Under Private Profile \u003e Firewall state: OFF\n- Under Public Profile \u003e Firewall state: OFF\n- Try to ping vm again from your **host** machine - this should now work!\n\n![](images/img29.PNG)\n\n\u003e Before: when the firewalls were in their default state of ON\n\n![](images/img30.PNG)\n\n\u003e After: when the firewalls were turned off intentionally\n\n## Step 11A: Retrieve Powershell script: [Script](https://github.com/darvinpatel/sentinelMap/blob/main/Custom_Security_Log_Exporter.ps1 \"Script\")\n- Open Powershell ISE\n- For convenience you can copy/paste the code into a new ps1 file and save it to the desktop of the **honeypot-vm** (remember to check the vm IP at the top)\n- You will also need an API key, get here: [API key](https://ipgeolocation.io/ \"API key\")\n- Create an account and log in\n- Copy and paste *your* API key in your Powershell script `$API_KEY = \"_your API key_\"`\n- Save file.\n\n![](images/img28.PNG)\n![](images/img31.PNG)\n\n\u003e Quick explanation of script: the script will parse through the security event logs (Audit Failure/failed login logs we looked at earlier) and grab IP information. The script then **passes** the IP through the API and correlates the info into longitude and latitude, giving us specific geographical information.\n\n## Step 11B: Powershell script (cont.)\n- Test and run the script by pressing the green play button at the top of the window\n- You should receive purple logs indicating latitude / longitude of failed logins (some sample logs and some logs from when we failed to log in)\n\u003e NOTE: Keep the Powershell script running in the background. We need to continuously feed our log repository information.\n\n![](images/img32.PNG)\n\n\u003e ProgramData directory is where we will locate our log file after execution\n\n![](images/img33.PNG)\n\n\u003e Intentional failed login attempts by myself to check whether logs are being displayed by the script\n\n![](images/img35.PNG)\n\n\u003e failed_rdp file found in the directory created by our custom Powershell script\n\n![](images/img36.PNG)\n\n\u003e Logs being created by ipgeolocation.io API to our designated file\n\n![](images/img37.PNG)\n\n\u003e Manually checking the logs that are created by my failed login attempts\n\n![](images/img38.PNG)\n\n\u003e Final attempt to login using username darwinLive so that we can track it in Powershell ISE and log file\n\n![](images/img39.PNG)\n\n\u003e logs for darwinLive login attempt successfully captured by the script\n\n![](images/img40.PNG)\n\n\u003e Confirming in the log file that the darwinLive failed login is available for further investigation\n\n\n## Step 12A: Create custom geolocation log in Log Analytics Workspace.\n- This log will use IP information to give us specific geolocation for the map we create down the line.\n- Search and click Log Analytics Workspace \u003e log-honeypot-1 \u003e custom logs \u003e + Add custom log\n- We need to upload a sample log to “train” log analytics on what to look for.\n\n![](images/img41.PNG)\n![](images/img42.PNG)\n\n## Step 12B: Custom geolocation log (cont.)\n- Our sample logs are in our **honeypot-vm**.\n- **In our honeypot-vm**, search RUN \u003e search C:\\ProgramData\\ and open the failed_rdp file.\n- Our failed RDP logins are sent to this txt file; open it and copy all the sample logs.\n- Back on our **host machine**, open Notes and paste our sample logs.\n- Save the file in a log or txt format and upload it in the *Create a custom log* page. Click next and you should see the sample logs.\n\n![](images/img43.PNG)\n\n## Step 12C: Click next and under Collection Paths \u003e under Type \u003e Windows, under Path write C:\\ProgramData\\failed_rdp.log\n\n![](images/img44.PNG)\n\n## Step 12D: Click next \u003e under Details \u003e Custom log name write FAILED_RDP_WITH_GEOLOCATION (CL will be added to the end)\n- Click next \u003e Create \u003e Review + Create\n- Let’s go back to log analytics and check if Azure is connected and listening to our vm.\n\n![](images/img45.PNG)\n\n## Step 12E: Verify the connection between honeypot-vm and log analytics\n- Under law-honeypot1 \u003e General \u003e Logs \u003e search SecurityEvent and click the blue Run button.\n- Give it a moment, and voila! It returns the same security logs window from our honeypot-vm’s Event Viewer.\n- Give it some time and search our custom log `FAILED_RDP_WITH_GEOLOCATION_CL`; it will return our sample logs.\n\n![](images/img46.PNG)\n\n## Step 13A: Overview: Extract geo-data from the RawData of our sample logs.\n- Take a look at our sample logs in our FAILED_RDP_WITH_GEOLOCATION_CL.\n- In the RawData columns we find information like longitude, latitude, destination host, etc.\n- We need to categorize the longitude, latitude, destination host, etc. **values** from the raw data before we can obtain geolocation data.\n- It sounds a bit abstract now, but bear with me.\n\u003e NOTE: If you step away and come back to this lab after a day or two make sure to change the *Time range* accordingly.\n\n![](images/img47.PNG)\n\n\u003e Querying the logs using EventID == 4625, which signals failed logins\n\n![](images/img48.PNG)\n\n\u003e Now querying the logs using the custom logs we created above\n\n\n## Step 13B: Extract and categorize data from the sample log\n- Use a custom KQL query to extract the fields that we will send to the map\n\n![](images/img49.PNG)\n\n\u003e This is an important step because we are ‘training’ our SIEM what to look out for.\n\n## Step 13C: Check if the KQL query can capture the most recent entry\n- Have another failed login to your VM and check the PowerShell results\n![](images/img51.PNG)\n\n\u003e darwinFinalFAIL captured\n\n## Step 13D: Check LAW for the login attempt\n- After successfully observing the failed log we check the entry in our LAW \u003e logs\n- Run the KQL again\n\n![](images/img50.PNG)\n\n\u003e darwinFinalFAIL captured and categorised appropriately\n\n\u003e A couple of notes before moving on: **make sure our Powershell script log_exporter.log is running**. The script will continue to feed our SIEM with fresh new logs.\n\n\u003e After extracting the data from our logs, you may or may not already see people trying to RDP into our vm (!). Give it some time.\n\n## Step 14A: Set up our map within Microsoft Sentinel\n- Next, we will map out our logs within Sentinel with the extracted data - to see where in the world our vm is being attacked from.\n- Search and click Microsoft Sentinel \u003e choose law-honeypot1 and under Threat management choose *Workbooks* \u003e click + Add workbook\n- Click edit \u003e click the “…” on the right side of the screen and remove the two widgets.\n- Click Add \u003e Add query and paste the query shown in the screenshots below into the query box\n\n![](images/img53.PNG)\n![](images/img54.PNG)\n\n\n\u003e This will parse through the failed RDP logs and return location information to us through the custom fields we created.\n\n## Step 14B: Threat visualization\n- Click Run Query\n- From the visualization drop-down select *Map*\n- In map settings \u003e layout setting (on the right of screen):\n- Configure the map according to your requirements\n- On the map you see where you’re being attacked from!\n- You might only see the failed logins you made, but after some time refresh and look again.\n- Tip - **if you take a look at the actual logs you can see source IP, time, country, user name and other details!**\n- Remember too, these logs are only reporting back failed RDP attempts… who knows what other attacks are being attempted.\n\n![](images/img55.PNG)\n\n\n## Step 14C: Finish/save threat visualization\n- Hit \u003e save and close\n- And we’re done! By now people should be attacking your vm - congrats!\n- You can hit the refresh icon near the top of the map (**make sure the Powershell script is running**) to load more logs into the map\n- Also, you can click Auto refresh ON to refresh every so often.\n\n![](images/img56.PNG)\n\n## FINAL STEP: Deprovision resources\n- Once you are done with the lab delete the resources, otherwise they will eat away at your free credit (deprovisioning is also a good thing to keep in mind at the enterprise level)\n- Search and click Resource group \u003e honeypot-lab \u003e Delete resource group\n- Type the name *honeypot-lab* to confirm deletion\n\n\u003e And there you have it, you have successfully mapped out the location of your RDP attackers using a honey pot vm.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarvinpatel%2Fsentinelmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarvinpatel%2Fsentinelmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarvinpatel%2Fsentinelmap/lists"}