Lab Setup: Analyzing Failed RDP Brute-Force Attacks on a Honeypot VM and Analyzing the Logs with a SIEM
A Windows 10 VM was set up as our internet-facing honeypot. A Log Analytics workspace collected the Windows Security event log from the VM, so every failed logon attempt (Security Event ID 4625, which carries the source IP address and the account name that was tried) landed in the workspace's SecurityEvent table. A custom scheduled alert rule in Microsoft Sentinel (the SIEM) ran a query against those logs in the Log Analytics workspace.
The alert rule is scheduled to run every hour and queries the preceding hour of logs; if any matching events fall in that window, it raises an incident. One caveat when the query frequency equals the lookback window: events that reach the workspace late (ingestion delay) can slip past the window by the time the rule runs, so a lookback somewhat longer than the frequency, with the query filtered on ingestion_time() to avoid double-counting, is the usual mitigation.
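As an added example (this is not the query from the original lab), here is a KQL query of the kind such a scheduled Sentinel rule would run. It assumes the VM's Security log is ingested into the standard SecurityEvent table and that 10 failures from one source IP within the hour is the chosen threshold; both the table name and the threshold are assumptions, not details from the page.

```kql
// Added example, not the lab's own rule. Assumes Windows Security events land in
// the SecurityEvent table and that 10 failures per source IP per hour is the cutoff.
SecurityEvent
| where TimeGenerated > ago(1h)            // the rule's one-hour lookback
| where EventID == 4625                    // "An account failed to log on"
| where LogonType in (3, 10)               // 10 = RemoteInteractive (RDP); 3 = Network, which is
                                           //   how RDP failures appear when NLA rejects them early
| where isnotempty(IpAddress) and IpAddress !in ("-", "127.0.0.1", "::1")
| summarize FailedAttempts = count(),
            AccountsTried  = make_set(TargetUserName, 20),   // cap the set so one IP can't bloat the alert
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated)
            by IpAddress, Computer
| where FailedAttempts >= 10               // threshold: tune against the honeypot's baseline
| order by FailedAttempts desc
```

In the rule definition, map the IpAddress column to the IP entity and TargetUserName to the Account entity so incidents show the attacker and the usernames tried. Whether one run produces one incident or one per returned row is decided by the rule's event grouping setting, not by the query.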
The publicly exposed endpoint produced 54 alert incidents over a 24-hour period. Since the rule runs only once an hour, more than 24 incidents in a day means each run was creating several incidents, which is consistent with the rule's event grouping being set to trigger an alert for each result rather than a single alert per run.