stacismith1 / Sentinel-Lab


The PowerShell script in this repository parses Windows Event Log entries for failed RDP logon attempts and uses a third-party API to collect geographic information about each attacker's location.

The script is used in this demo, where I set up Azure Sentinel (SIEM) and connect it to a live VM honeypot. We will observe live attacks (RDP brute force) from all around the world. We will then use a custom PowerShell script to look up each attacker's geolocation information and plot it on an Azure Sentinel map.
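The following is an added example of the collection step described above; it is not the repository's own script. It reads failed logons (Security log Event ID 4625) from the local Windows event log, looks up each source IP once through the ipgeolocation.io API, and appends a fixed-format line per event to a custom log file that a Log Analytics custom-log source can ingest. The API key parameter, the `ipgeo` endpoint and its JSON field names (`latitude`, `longitude`, `country_name`, `state_prov`, `city`), and the output path `C:\ProgramData\failed_rdp_geo.log` are assumptions for this example.

```powershell
# Added example (not the repository's own script): failed RDP logons -> geolocated custom log.
# Assumptions: an ipgeolocation.io API key, the /ipgeo endpoint and its JSON field names,
# and the default output path below. Reading the Security log requires an elevated shell.
param(
    [Parameter(Mandatory = $true)] [string] $ApiKey,
    [string] $LogPath = 'C:\ProgramData\failed_rdp_geo.log',
    [int] $MaxEvents = 500
)

# Cache lookups so one brute-force source that produces thousands of 4625s costs one API call.
$geoCache = @{}

function Get-GeoInfo {
    param([string] $Ip)
    if ($geoCache.ContainsKey($Ip)) { return $geoCache[$Ip] }
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
    try {
        $r = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10
        $info = [pscustomobject]@{
            Latitude  = $r.latitude
            Longitude = $r.longitude
            Country   = $r.country_name
            State     = $r.state_prov
            City      = $r.city
        }
    } catch {
        # Keep the event even when the lookup fails; the map simply lacks a point for it.
        $info = [pscustomobject]@{ Latitude = ''; Longitude = ''; Country = 'lookup-failed'; State = ''; City = '' }
    }
    $geoCache[$Ip] = $info
    return $info
}

# 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive (RDP);
# type 3 (Network) also appears for RDP when Network Level Authentication rejects the attempt.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # The structured fields (IpAddress, TargetUserName, LogonType) live in the event XML.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip = $data['IpAddress']
    # Skip placeholder and loopback sources, which carry no usable geo information.
    if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-' -or $ip -like '127.*' -or $ip -eq '::1') { continue }
    if ($data['LogonType'] -notin @('3', '10')) { continue }

    $geo = Get-GeoInfo -Ip $ip
    # Fixed field order so the custom log can be parsed with a single KQL extract.
    $line = 'timestamp:{0},latitude:{1},longitude:{2},country:{3},state:{4},city:{5},sourceip:{6},username:{7},logontype:{8}' -f `
        $ev.TimeCreated.ToString('o'), $geo.Latitude, $geo.Longitude, $geo.Country, $geo.State, $geo.City, `
        $ip, $data['TargetUserName'], $data['LogonType']
    Add-Content -Path $LogPath -Value $line
}
```

Run it from an elevated PowerShell session as `.\Collect-FailedRdpGeo.ps1 -ApiKey '<your key>'` (file name chosen here for the example). Because the output line has a fixed `key:value` layout, a Sentinel workbook can parse it with one `extract()` or `parse` statement and feed the latitude and longitude columns to the map visualization; caching per IP keeps the API quota in check during a sustained brute-force run.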

[Image: IP_GPS_Lookup]

Languages Used

PowerShell: Extract RDP failed logon attempts from Windows Event Viewer logs

Utilities Used

ipgeolocation.io: IP Address to Geolocation API (API access is required)

World map of incoming attacks after 24 hours (built from custom logs that include geodata)

[Image: Geodata_world_map_attacks]
