In the previous post we deployed Microsoft Sentinel with the connector to gather data from the Windows VM. Now, we can explore some workbooks to see pre-defined dashboards.
For example, we can use the workbook called “Windows Firewall”. There, Windows Security events can be seen by account and by IP.
Furthermore, the workbook Identity & Access shows details about authentications in the VM.
Also, we can create queries to see failed authentication attempts. In the Logs section of the Log Analytics Workspace, we can run:
SecurityEvent
| where EventID == 4625
However, if we go to the Overview tab in Microsoft Sentinel, the map doesn’t show the connections to the VM, even when those connections come from public IP addresses.
For that reason, we’re going to use a custom script to show connections to the VM on the map. This is an idea from Josh Madakor; thank you for sharing your knowledge.
Observing the failed authentication log
First of all, we need to know how to find the log entry produced by a failed authentication attempt in Windows. To do that, open Event Viewer → Windows Logs folder → Security channel.
In the Security channel, event 4625 shows what we want, and it includes important information like:
- account name
- source workstation name
- source IP address
Now, the idea is to take the source IP address with a script that creates a custom log, and then show the country of the IP on the map with the help of ipgeolocation.io.
NOTE: for better results in the SIEM, Windows Firewall is disabled in this lab. However, in a production environment, you should keep it turned on.
Using the script
To begin with, we have to download the script here. Then, we must update the API_KEY variable before using the script.
In order to get the API key, we have to create an account at ipgeolocation.io. Next, go to the Dashboard and you will see the API key.
The script gathers the information of all failed authentications, takes the source IP address, and creates a custom log.
Now, it’s time to run the script and see its results:
As you can see, there are real failed authentication attempts from Russia.
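To make the collection step concrete, here is an added PowerShell example of what such a collector does: it reads Security event 4625, keeps only routable source IPs, asks ipgeolocation.io for the location, and appends a record in the format of the custom log used later in this post. This is my own example, not the script linked above. The function names, the duplicate check (keyed on timestamp, IP and user from records already in the file), and the placeholder API key are my assumptions; the log path and the field layout are the ones this post uses.

```powershell
# Added example (not the script the post links to): export failed logons (event 4625)
# with geolocation into the record format of the FAILED_RDP_WITH_GEO custom log.
# Run from an elevated PowerShell session: reading the Security log requires admin rights.

$API_KEY = "REPLACE_WITH_YOUR_API_KEY"       # placeholder: paste the key from the ipgeolocation.io dashboard
$LOGFILE = "C:\ProgramData\failed_rdp.log"   # path used by the custom log in the post

# Log Analytics needs at least one record to learn the format; the post's sample line is reused here.
$SAMPLE = "latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,sourcehost:24.16.97.222,state:Washington,country:United States,label:United States - 24.16.97.222,timestamp:2021-10-26 03:28:29"

function Test-PublicIPv4 {
    # $true only for a routable IPv4 address; 4625 events with "-" or a private/loopback
    # source cannot be geolocated, so they are skipped.
    param([string]$Ip)
    if ($Ip -notmatch '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$') { return $false }
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    if ($o[0] -eq 10 -or $o[0] -eq 127) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    return $true
}

function Get-GeoRecord {
    # Queries the ipgeolocation.io "ipgeo" endpoint and returns the values the record needs.
    param([string]$Ip)
    $r = Invoke-RestMethod -Uri "https://api.ipgeolocation.io/ipgeo?apiKey=$API_KEY&ip=$Ip"
    return @{
        latitude  = $r.latitude
        longitude = $r.longitude
        state     = $r.state_prov
        country   = $r.country_name
    }
}

function Export-FailedLogons {
    # One pass over the newest 4625 events; returns how many new records were appended.
    param([int]$MaxEvents = 200)
    if (-not (Test-Path $LOGFILE)) { Set-Content -Path $LOGFILE -Value $SAMPLE -Encoding utf8 }

    # Records already in the file, keyed by timestamp|ip|user, so re-running does not duplicate them.
    $seen = @{}
    foreach ($line in Get-Content $LOGFILE) {
        if ($line -match 'username:([^,]*),sourcehost:([^,]*),.*timestamp:(.*)$') {
            $seen["$($Matches[3])|$($Matches[2])|$($Matches[1])"] = $true
        }
    }

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $written = 0
    foreach ($ev in $events) {
        # The interesting values live in EventData: TargetUserName and IpAddress.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $ip   = $data['IpAddress']
        $user = $data['TargetUserName']
        $ts   = $ev.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        if (-not (Test-PublicIPv4 $ip)) { continue }
        if ($seen.ContainsKey("$ts|$ip|$user")) { continue }

        $geo  = Get-GeoRecord $ip
        $line = "latitude:$($geo.latitude),longitude:$($geo.longitude),destinationhost:$env:COMPUTERNAME," +
                "username:$user,sourcehost:$ip,state:$($geo.state),country:$($geo.country)," +
                "label:$($geo.country) - $ip,timestamp:$ts"
        Add-Content -Path $LOGFILE -Value $line -Encoding utf8
        $seen["$ts|$ip|$user"] = $true
        $written++
    }
    return $written
}

# Poll every minute; the Log Analytics agent ships the new lines to the workspace.
while ($true) {
    $n = Export-FailedLogons
    Write-Host "$(Get-Date -Format 'HH:mm:ss') wrote $n new record(s) to $LOGFILE"
    Start-Sleep -Seconds 60
}
```

Keeping the duplicate check in the log file itself means the loop can be restarted without re-sending old attempts, and the IP filter keeps private-network logon failures (which the API cannot place on a map) out of the custom log.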
Creating a custom log in the Log Analytics Workspace to bring in the log from the script
Firstly, in the Azure portal, we go to the Log Analytics workspace → Custom logs → Add custom log.
Second, a copy of the log file created by the script must be downloaded to our local computer, because it has to be uploaded in the Azure portal.
The log has the following format:
latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,sourcehost:24.16.97.222,state:Washington,country:United States,label:United States - 24.16.97.222,timestamp:2021-10-26 03:28:29
latitude:-22.90906,longitude:-47.06455,destinationhost:samplehost,username:lnwbaq,sourcehost:20.195.228.49,state:Sao Paulo,country:Brazil,label:Brazil - 20.195.228.49,timestamp:2021-10-26 05:46:20
latitude:52.37022,longitude:4.89517,destinationhost:samplehost,username:CSNYDER,sourcehost:89.248.165.74,state:North Holland,country:Netherlands,label:Netherlands - 89.248.165.74,timestamp:2021-10-26 06:12:56
latitude:40.71455,longitude:-74.00714,destinationhost:samplehost,username:ADMINISTRATOR,sourcehost:72.45.247.
latitude:55.88802,longitude:37.65136,destinationhost:vm-sw,username:Mel,sourcehost:94.232.44.12,state:Central Federal District, country:Russia,label:Russia - 94.232.44.12,timestamp:2022-05-10 00:16:26
latitude:55.88802,longitude:37.65136,destinationhost:vm-sw,username:db2admin,sourcehost:94.232.44.12,state:Central Federal District, country:Russia,label:Russia - 94.232.44.12,timestamp:2022-05-10 00:16:24
latitude:55.88802,longitude:37.65136,destinationhost:vm-sw,username:Administrator,sourcehost:94.232.44.12,state:Central Federal District, country:Russia,label:Russia - 94.232.44.12,timestamp:2022-05-10 00:16:22
Third, set Record delimiter → New line → Next.
Next, in the Collection paths section, select:
- Type: Windows
- Path (path of the log):
C:\ProgramData\failed_rdp.log
After that, in the Details section, we give the custom log a name, FAILED_RDP_WITH_GEO, and then click Create.
After approximately 20 minutes, we can query those logs in the Log Analytics Workspace:
Nevertheless, those logs don’t have their fields created yet. Therefore, we have to parse the log as follows:
- select a log → right click → Extract fields from …
Notice the log has this format: field1:value,field2:value,field3:value...
According to the log format, we have to select each value and save it under a field name. For example, for the latitude field we have to save this extraction:
For the rest of the fields, we have to repeat the same process:
- select a log → right click → Extract fields from … → select the value of the field → give it a field name → select the field type → Extract → Save extraction.
After some minutes, if you run the query again, you’ll see the new fields in the results section for the new logs:
NOTE: if some of the field values in your search results are not highlighted, you have to modify the extraction for that record to correct its parsing.
Besides, in Custom logs → Custom fields, we can see the field names we created previously. If one of those fields is parsing incorrectly, we have to delete the custom field and extract it again.
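Field extraction only works when every record really has the field1:value,field2:value,... layout, and a partially written line (like the one cut off after sourcehost in the sample above) is exactly the kind of record that ends up unhighlighted. As an added example, not part of this post, this PowerShell check parses a log file the same way and lists records that lack one of the nine fields, so you can clean the file before uploading it as the sample. The function names and the two constructed records at the end are my own; the field names are the ones from the post.

```powershell
# Added example (not from the post): validate failed_rdp.log records before uploading
# the file as the custom log sample. Reports lines that would not parse into all nine fields.

$EXPECTED = @('latitude', 'longitude', 'destinationhost', 'username', 'sourcehost',
              'state', 'country', 'label', 'timestamp')

function ConvertFrom-FailedRdpRecord {
    # Splits "key:value,key:value,..." on commas, then on the FIRST colon only, so a value
    # that itself contains colons (the timestamp "2022-05-10 00:16:26") is kept intact.
    # Keys are trimmed so "state:X, country:Y" (space after the comma) still yields "country".
    param([string]$Line)
    $fields = [ordered]@{}
    foreach ($part in $Line -split ',') {
        $idx = $part.IndexOf(':')
        if ($idx -lt 1) { continue }                 # not a key:value pair
        $key = $part.Substring(0, $idx).Trim()
        $fields[$key] = $part.Substring($idx + 1)
    }
    return $fields
}

function Test-FailedRdpLog {
    # Returns one message per bad line; an empty result means every record has all expected fields.
    param([string[]]$Lines)
    $problems = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $rec = ConvertFrom-FailedRdpRecord $Lines[$i]
        $missing = $EXPECTED | Where-Object { -not $rec.Contains($_) -or $rec[$_] -eq '' }
        if ($missing) {
            $problems += "line $($i + 1): missing or empty $($missing -join ', ')"
        }
        elseif ($rec['timestamp'] -notmatch '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$') {
            $problems += "line $($i + 1): bad timestamp '$($rec['timestamp'])'"
        }
    }
    return $problems
}

# Constructed sample: one complete record and one cut off mid-way, as a partial write would leave it.
$sample = @(
    'latitude:55.88802,longitude:37.65136,destinationhost:vm-sw,username:Mel,sourcehost:94.232.44.12,state:Central Federal District, country:Russia,label:Russia - 94.232.44.12,timestamp:2022-05-10 00:16:26',
    'latitude:40.71455,longitude:-74.00714,destinationhost:samplehost,username:ADMINISTRATOR,sourcehost:72.45.247.'
)
Test-FailedRdpLog -Lines $sample
# Expected report: "line 2: missing or empty state, country, label, timestamp"

# Against the real file on the VM:
# Test-FailedRdpLog -Lines (Get-Content 'C:\ProgramData\failed_rdp.log')
```

A value containing a comma (some region names do) would also break this layout, in the checker as much as in the portal extraction, so if the geolocation API returns one it is worth normalising it in the collector before the record is written.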
Set up the map in Sentinel with latitude and longitude (or country)
Now, in the Microsoft Sentinel section, we go to Workbooks → Add workbook. Then, in edit mode, remove all the widgets.
Afterwards, Add → Add query, and paste this query:
FAILED_RDP_WITH_GEO_CL
| summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF
| where destinationhost_CF != "samplehost"
| where sourcehost_CF != ""
The query shows the real failed authentication attempts with their counts.
In order to create the map, we choose Map as the visualization, and the map settings will be shown so we can configure the map properly:
- Location info using: we can choose Latitude/Longitude or Country/Region. For this example, we’re using Country/Region
- Country/Region field: country_CF
- Size by: event_count
- Metric value: event_count
Finally, click Apply to update the map, then Save and close.
Then, save the workbook: give it the title Failed RDP map, set the location, and save it.
At this point, we have to wait some minutes or hours for new failed authentications to arrive and appear on the map.