SIEM Tutorial for Beginners | Azure Sentinel Tutorial MAP with LIVE CYBER ATTACKS!

Edit: Microsoft has changed the Azure portal and other things so much this lab is going to be difficult to follow. I will remake this video later, but a full up-to-date version of this is included on my cyber course below:
joshmadakor.tech/cyber

For anyone else having issues finding the Security Center, it's been renamed Microsoft Defender for the Cloud, and Pricing and Settings are now Environment Settings.

For anyone who is having trouble with the creating the custom log, azure has updated their selection panes for Log Analytics, tou can create custom logs by selecting Tables > Create> New Custom Log ( MMA-Based).

Its crazy that these labs don't seem to do as well on your channel but they're arguably the most valuable information on here. Your active directory lab, Security+, and your resume tips got me a job. Keep up the great content!

Josh has taught me more about SIEM in 53 minutes than any prof I've had in college

This video helped me land a job as a Security Analyst. It really impressed them. I appreciate your channel and all you do. I'll be looking out for your other Tutorials for sure.

This was my very first cybersecurity project. Creating the honeypot and seeing the live attacks was so exciting and helpful, as I am in the beginning stages of this journey. Thank you so much!

For those that need to find "custom log" tab , it is now "Tables" and then click create sample log!

For anyone else that was having trouble getting the "Store additional raw data - Windows security events" part to work like it does in the video (since the update), go to 'Microsoft Defender for Cloud', select the specific resource under your subscription, in my case 'law-honeypot', 'Enable all Microsoft Defender for Cloud Plans', uncheck 'SQL servers on machines' like Josh did, click Save, go to 'Data Collection' on the left side, select 'All Events', click Save and you should be good to go now. It took me a minute to figure this out, hope this helps someone else!

I know these labs probably don't get you the most views like other videos, but this stuff is very valuable. Thanks!

⭐️⭐️⭐️ UPDATE TO INSTRUCTIONS ⭐️⭐️⭐️
*Microsoft Azure changed the GUI for the portal! See below for Instructions!*
8:38 - When you go to enable Security Center, this is now called "Microsoft Defender for Cloud"
9:07 - For the Data Collection from VMs to the Log Analytics Workspace, this is now done in a different area under "Microsoft Defender for Cloud". See here for complete instructions: docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection#enable-auto-provisioning-of-the-log-analytics-agent-and-extensions-

Just finished entire video. Excellent content and delivery. Appreciate the tech deep dive and the best practice too from grc perspective on mfa for all and not using default username/pass. Cheers

Actually good non-clickbait and career-oriented content. Pure gold channel

As soon as I ran the script I was getting bombarded with login attempts from China, Russia, Belize, and more. Super interesting. Thanks Josh, I'm really excited to add this to my portfolio.

For anyone having issues launching the VM using Azure:
I live on the East Coast, so naturally I was basing my VM out of the auto-selected East Coast server. I could never create the VM, it was just perpetually loading. I talked to support and they said that they're having capacity issues in the US East Coast specifically.
I changed it to an Australian server and it worked just fine.

Thank you Mr. Madakor. Having this on the resume really impressed my interviewers and I was able to finally land a job in the field. I greatly appreciate you for sharing this walk-through.

Just finished the lab and really enjoyed it. I’d say it took about 3-4 hours including some troubleshooting as things have changed since the video was made. Hopefully to save people time Azure Defender is now Microsoft Defender. I enabled Foundation CSPM and Servers which then allowed me to enable ALL ENTRIES Data Collection. Custom Logs is now called Tables and you will want to Create New and use MMA-Based. Lastly I started to get a “Invoke-WebRequest : The remote server returned an error: (429) Too Many Request.” in my Powershell output. I assume this means I went over my 1000 queries. I stopped the script and will enable again tomorrow to see if it works. Overall great lab, just a few things have moved or changed since 2021! Thank you Josh!

I am out of words to thank you! Im almost done with my cybersecurity bootcamp and this video is PRICELESS!!! if I find a SOC analyst job, its going to be because of you!! thank you sooooo much!!!!

When setting up the labels and extracting the raw data I had to do it in Microsoft Sentinel, then to custom logs. I would run the failed_rdp query and then would be able to check mark on the left of all the data. from there i would right click and it would let me extract and there I could do the custom fields! I hope this helps
What an amazing lab. This blew my mind as I started to get people trying to log in within 10 minutes of running the powershell code! Thank you so much!

You weren’t lying when you said 1k API requests weren’t a lot to work with. Woke up this morning to the API tapped out because some Chad in Ukraine tried to brute force the VM.
I also installed sysmon on the VM. So I’m working on getting those events imported to sentinel as well.
Great video. Very valuable.

First of all, thank you so much for this video Josh Madakor. I started to study IT for almost a year now and I know nothing before, Cloud compute still a strange thing for me but this lab was so amazing experience.
2nd for those who confuse about how to extract Rawdata to split table in Log Analytic, you can input:
failed_rdp_withGEO_CL #as in video
| extend CSVFields = split(RawData, ',') #this line use to split output after comma into seperate value with "" and create new column
| extend timestamp_CF = todatetime(CSVFields[8]) #choose value 9th in " "
| extend label_CF = tostring(CSVFields[7])
| extend country_CF = tostring(CSVFields[6])
| extend state_CF = tostring(CSVFields[5])
| extend source_CF = tostring(CSVFields[4])
| extend user_CF = tostring(CSVFields[3])
| extend dest_CF = tostring(CSVFields[2])
| extend longitude_CF = tostring(CSVFields[1])
| extend latitude_CF = tostring(CSVFields[0])
| summarize event_count=count() by source_CF, tostring(latitude_CF), tostring(longitude_CF), country_CF, label_CF, dest_CF
then go to Josh's script and delete other before ':' such as timestamp: or source: .The purpose is to show only data we want without explaination and ':' before value. You can find this line near the end of script
It will show clear table with clear data and then continue with Azure Sentinel as video. Thank you

I am gonna work on this project today before I apply for any more jobs and I'll keep you posted! Thank you for the videos! Seems VERY valuable information and it is exactly what's missing on my resume-actual hands-on projects. I can't thank you enough!

For anyone having trouble with the data extraction and map, plot paste this script in your workbook (where you plot the map) :
FAILED_RDP_WITH_GEO_CL
| extend username = extract(@"username:([^,]+)", 1, RawData),
timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
latitude = extract(@"latitude:([^,]+)", 1, RawData),
longitude = extract(@"longitude:([^,]+)", 1, RawData),
sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
state = extract(@"state:([^,]+)", 1, RawData),
label = extract(@"label:([^,]+)", 1, RawData),
destination = extract(@"destinationhost:([^,]+)", 1, RawData),
country = extract(@"country:([^,]+)", 1, RawData)
| where destination != "samplehost"
| where sourcehost != ""
| summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country
This is just a combination of @MIAMIHACKER and Josh Madakor's queries so shout out to the both of you!

Hey Josh -- I'm trying to break into cyber security (just passed my Security+!) and your videos have been a HUGE help. Thank you for all you do!
This video in particular made for a really fun and rewarding project -- I put my SIEM together today following your instructions and it's awesome seeing it all come together.
Thanks again, and stay well!

Thank you so much for this Lab Josh, it was a pleasure to follow through with you, and I have learned a lot.
A quick note for anyone who made the mistake I did. When its time to create the custom log at minute 25:00 I made the mistake of having two lines of code so it was
1 FAILED_RDP_WITH_GEO_CL
2 |
this will give you an error code so delete line 2 and it should run perfectly, took me over an hour to figure out why I kept getting the error. I Also re-ran the powershell script just in case.

I highly recommend this for every Microsoft Shop. this can land you a job fairly quickly easy.

Just popped in my feed. Great video and look fwd to checking out your other vids. I make similar content on UA-cam and will be “borrowing” the idea of throwing up the resume bullet the person gets after executing the lab. Brilliant idea!

I watched the video and I'm gonna tackle the lab soon. Very cool!

I just finished this lab and it was very detailed and easy to follow. I got everything set up except for one issue:
When copying and pasting the Sentinel Map Query as is, it would say the query had no output. I had to delete this line "| where sourcehost_CF != "" " and then I was able to continue along and finish it all up.

Took me close to 5 hours but its up and running. Looking forward to more projects.

WOW!! This is a goal mine!! Awesome job, I just set mine up took about 2-3 hours but its up and running! Great skill to learn. Looking forward doing your other labs!! Thank you!

custom logs as a setting in Log Analytics workspaces
go to the Log Analytics workspace that you want to add the custom logs to.
In the left navigation pane, select Tables.
In the Tables blade, select New custom log (MMA-based).
In the New custom log blade, enter the following information:
Log name: The name of the custom log.
Description: A description of the custom log.
Source: The source of the custom log. This can be a specific Azure resource, such as a virtual machine, or a generic source, such as all Azure resources.
Query: The query that will be used to extract data from the custom log.
Select Create.
Once you have created the custom log, it will be available in the Tables blade. You can then use the Query editor to query the custom log and view the data.

Thank you so much Josh Madakor for this video, i was able to set mine in space of two hours. I will definitely use it on my resume.

Thank you Josh, for your invaluable assistance! I'm delighted to inform you that I've successfully completed this project and have incorporated it into my resume. The experience garnered from this endeavor has been immensely enriching and educational, contributing significantly to my professional growth. I am deeply grateful for your guidance and support throughout this process. Once again, thank you for the invaluable learning opportunity. ☺

Azure portal just loves being difficult. I have to use it at work so I thought this would be a quick lab (since I'm familiar) but NOPE. Thanks for the labs as always, Josh!

Josh, you are amazing man... im realizing how much initiative and knowledge it takes to bless the field like this, walking us through important maps of the CyberSecurity and IT field so casually and comprehensively truly an inspiration.

@JoshMadakor The option to extract data and create custom fields has been removed by Microsoft and replaced with "Data Collection Transformations", rendering this project extremely difficult to continue with if one is not familiar with Microsoft Azure.
If you can somehow update this video, I think that would be a huge help!
Thank you for all of your hard work!

Great Content Josh. Even though I am late to the party and Azure has been through multiple updates so the steps get out of wack in some instances, your community has come through like champs and I was able to finish this project. It was cool running through some roadblocks and trying to figure out how to get it to work and actually being able to implement some of the fixes provided. Hell of a first project.

Just completed this lab - set it up 3 days ago, got caught up and didn't get to finish till today. Had an absolute unit from the Netherlands log over 14k logon attempts. Next up is to configure a lockout policy lol. Incredible lab and a lot of the comments in here helped me navigate the changes. Can't say thank you enough, Josh!

Thanks a lot… this is on my resume, LinkedIn and I will do a video recap. Appreciate it

Josh pinned the comment for the Security Center/Data Collection, but here's full instructions so y'all don't have to suffer like I did.
> Watch Josh's awesome video until 8:38 (VM and LAW are set up) and then go to "Microsoft Defender for Cloud"
> Find and click on "Environment Settings" in lefthand toolbar
> Find and click on the dropdown arrow immediately next to your Azure subscription to reveal the NAME of your workspace (this is a critical detail that cost me a lot of time and pain, also bear in mind everything has to be deployed in order for this step to work)
> Click on the workspace name to open its settings
> In settings, disable "SQL servers on machines"
> In settings, enable "Servers"
> click the save button in the top left next to the search bar
> click on "Data Collection" in the lefthand toolbar
> Select "All Events" and save by clicking on the "Save" button
> jump back to Josh's awesome video and connect the VM to your LAW
> ...
> profit
ALSO bear in mind that there is regional weirdness with Sentinel. For whatever reason, I could not add Sentinel to a US West 3 workspace even though the documentation said it Sentinel was "non-regional"...anyway, I used US East and it worked like a charm.
Good luck lads and lasses, and thanks again Josh for the amazing content! :)

for anyone having troubles with security center type data collection rules in azure search bar then click create and set your window event logs ingestions rules right there also for custom logs to be ingested you have to create another DCR with a data collection endpoint with a path pointing to the failed_rdp.log . To make it simple monitor section is the new security center in Azure. Lastly make sure you rdp into your windows vm and run the log exporter powershell script if you're not getting the failed_rdp_with_geo log populated in azure

For those having trouble with the parsing part and creating a kql query, this worked for me.
Failed_RDP_With_GEO_CL
| parse RawData with * "latitude:" Latitude ",longitude:" Longitude ",destinationhost:" DestinationHost ",username:" Username ",sourcehost:" Sourcehost ",state:" State ", country:" Country ",label:" Label ",timestamp:" Timestamp
| extend EventCount = 1
//| summarize event_count = sum(EventCount) by Sourcehost, Latitude, Longitude, Country, Label, DestinationHost
| summarize event_count = sum(EventCount) by Latitude, Longitude, DestinationHost, Username, Sourcehost, State, Country,Label, Timestamp
| project Latitude, Longitude, DestinationHost, Username, Sourcehost, State, Country, Label, Timestamp
Updated: 8/3/2024

26:20 Azure does not have the three dots with an action option anymore. Instead, just right-click on the log you want and there's an extract fields option.

im think youre the only creator i came accross that aint gate keeping informations like this. I appreciate what youre doing. you have my support good sir!

Hey Josh, great tutorial but it seems hard to cintue after 23.:30 as azure seems to have changed. There is no location in the Security Event Display for me to view the raw data containing Longitude and Latitude and finish the project

Thank you Mr Josh I am now a real cyber security graduate with your videos. A million Thanks.

ive been looking into setting up sentinel lol i think itll be a major player one day seeing as alot of environments use O365 and Azure

@Josh Madakor Thank you immensely for offering this incredible hands-on lab experience. I've learned the entire setup cycle from the basics in the simplest way possible. Hats off to you, and I'm eagerly looking forward to continuing my learning journey with you.

This was a very interesting sim. I will remember to recommend it to those looking to get into cyber security. Are there other projects that you can create for experience?

Half way through and it's a great tutorial. I tried geolocating my IP address on the website you recommended and it said Birmingham UK when I live in London UK. There are other websites that came within a couple miles though!

You’re the best Josh. These videos have really helped me in my WGU journey. Six months ago I left healthcare and got my first tech support job, and now I’m transitioning to another one with even more pay and a better commute.
I still haven’t cracked into cyber security yet, but I’m networking with my security analyst and SOC analyst friends to make inroads. These labs will certainly make my resume standout too!
Hey, maybe when I get my first info sec job by this time next year you can interview me too! Only half kidding about that 😂

Hey everyone, I know I'm a bit late to the party on this project, but I just finished it up today (12/15/2023)! Due to some recent changes in the Microsoft Azure portal, the setup process is slightly different now compared to what you might have seen earlier this year. However, the overall steps are still quite similar. Big thanks to @Josh Madakor for this awesome lesson - I learned a ton!

The three dots next to the logs aren't there anymore and you don't have to expand the field just right click the title of log to extract

Hi Josh, thanks for doing this. I'm so excited to try this now. I am just transitioning into this cybersecurity space with no previous IT experience and I must say your videos have been really helpful.

Man these labs really need attention from the cybersecurity audience.

At 21:44 for those who can't find custom logs under settings tabs >> Go to Tables >> Create >> New Custom log (MMA - Based)

Hello Josh, thank you so much for taking the time to make videos like these. I plan to do a few of your projects to beef up my resume.
But when doing this one, I keep getitng the error saying that I can't connect to the VM with an RDP. I've run all the necessary tests and it should be up and running, but something is keeping me from connecting. I have even tried it with my firewall completely turned off and still nothing.
Getting error code 0x204. I even bought Pro just for this and it still isn't working :/

I just finished this video!! I can't Thank you enough!!! Thanks for sharing a such valuable information... You are helping and inspiring new cybersecurity students to get the experience we need! THANNK YOU!!!

Dump question but how do we make sure that nobody actually get to log on into the machine by brute forcing the password/exploiting other weaknesses ?

I'm glad I found this channel. The explanations are very straight forward and clear.

@joshMadakor Microsoft has changed the Custom fields option , so right clicking on the result from a query does not show the extract fields option, any ideas to extract the raw data columns to get longitude , latitude etc would be appreciated

Pretty nice, thanks for sharing, I am not a cybersecurity, but l would love to try this. This is vey cool.

Hey Josh. When creating the custom log, the Log Analytics Workspace keeps throwing the error, "Query could not be parsed at '' on line [3,0] Token: Line: 3 Position: 0"
when I try to run the custom log. It throws the same error for all commands including the Security event. Any ideas?
Edit: I had to run the logs from Sentinel and not the LAW. Talked to the support team and it was a weird bug. Everything else went great. Thanks so much for the help. I am going to school in the fall for cybersecurity at a local college. You have inspired me! Looking forward to the next video!

Glad I stumbled across this! I work in the Microsoft space (MSFT partner) and we're slowing moving away from just a UC shop to encompass the entire M365 suite (and eventually Azure security), so this is extremely helpful! Hope you continue to do more content like this!

How the hell do we 'extract fields' ??? I'm stuck smh

This was super interesting, im working on a research assignment for SIEMs and now I really want to try this lab! All your videos have been really informative and interesting thank you!

First Cybersec project I've done and wow how intersting was that. Thank you so much for the video Josh, hope to see more from you in the future, much appriciated.

The comments help alot. As of today save time and select UK south as region for everything or you have to delete and start over it won't move right

One obvious thing you can do to help you think which machine you are on (your native machine or the VM) is to change the appearance of the VM from your native one -- change the fonts it uses for display, some of the colors, things like that, so it looks radically different from your "normal" machine. Your brain will learn to key in on this info automatically, so it won't attempt to let you do something "in the wrong place".

Issue: no results returned when querying SecurityEvent in log analytics workspace logs.
To Fix: Search diagnostic setting - Edit settings - toggle allLogs - toggle Send to Log Analytics workspace.

Thanks Josh, this helped to understand how we can track cyber attacks.

Great video, thank you for helping me fill some experience on my resume!

Gonna try this out today ! I just spun up two VMs yesterday

Sensi Josh lol, Thank you again for this, i feel like I have set up correctly I have my maps with my 5 attempts but after 20 mins no one is attempting my Honey pot, Im go to sleep and check again tomorrow! will update.Thanks again

Josh I really want to thank you for making these videos. They're easy to follow and seriously helping me beef up my resume. Keep it up!

your channel is GOLDEN josh.... Im really glad you started youtube and was lucky to have found you bro!!!!!!

Man I love the labs that you put out! Super helpful especially for us trying to break into the industry

Thank You, for making this. Great exposure to azure and its capabilities. Just finished this Project - Cant Wait to add it on the resume.
Watch your Spelling people! I had an Azure Sentinel query error- only because I called the LAW query a different name!
I did re train - country 2x - as I Found Belize & Taiwan messing up the posted query Results.

I did this on my home lab and I'm curious to do more tweaking on sentinel. Keep up the good work and thanks for sharing this valuable content. It helps security professionals and cloud engineers to break into job market or learn a new tech. You're the best.

Love these videos! Thank you! Great way to addy his to my list of projects. Unfortunately my company does not have sentinel in our subscription plan and this will be some great experience down the line. Thank you

For the sentinel map query people are having issues with, I was able to get it to work by matching the query to the extract filters exactly. I extracted my filters in ALL CAPS, and i realized the query would only work if I entered them in ALL CAPS to match.

Appreciate the video. Great and clear information. Really enjoyed getting some exposure to Azure Sentinel as well as a data from active attacks.

Great video! I just finished this project last night and it was a fun awesome experience. You did a great job instructing us through and explaining each step. I’m going to make write my first blog post, thank you for all you do and your videos!

This was really awesome to do and gain experience with, I may be able to implement this with my new position since we're cloud based anyway. But at least knowing how to do this is incredibly valuable, thanks so much Josh!

Thanks Josh for the labs and information regarding cybersecurity. Really helpful and they have inspired me to start thinking about a career in cybersecurity seriously. I am trying out this lab however I am kinda stuck trying to connect to VM through Remote Connection (RDP). I am able to ping the public IP for the VM but just can't connect through remote connection. Anyone else who may have seen something similar e and how they got around it? I have copied the failed connection message below while trying to connect through remote connection.
[Window Title]
Remote Desktop Connection
[Content]
Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network
Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.
[^] Hide details [OK]
[Expanded Information]
Error code: 0x204
Extended error code: 0x0

Thanks for this lab Josh!!! We need more hands on tutorials like this on UA-cam, for those who are transferring into the field. I'm 90% done and ran into the "summarize' operator:" error. I found no answers that worked, but I've learned so much already. I'm still going to put this on my resume. I just shut down the machine as I saw a success Brute Force attack. This was a very interesting experience, thanks again!

Thank you so much for this video. I cannot stress enough how much you have done for my professionalism and resume. You are the man!!!

Bro this is so much fun, I've got two from Iran a few hundred from the netherlands and even a few from my own country UK :) this was a really great video thank you

Thanks for the excellent video man. I had some trouble with setting up Azure Defender as the process you explained changed literally in the short timeframe in which you uploaded this video. I stayed with it thou and eventually found the section to enable it for my test vm and was able to follow all of the other steps with no problems. Currently studying the SSCP and just listened to a DarkNet diary per your recommendation in another one of your videos. So glad YT recommended you man, keep doing your thing.

Just finished this lab! THX you so much. I am going to put this on my resume. I definitely think this will help since i just got my sec+

Pretty dope project. I mixed your project with the cyber mentor AD lab setup, and I think I have something solid now. I plan to add more alert capabilities and dashboards in the future.

Aye, just did some Splunk training and realised that me thinking to pay for the more api calls was dumb cause it does it for free via geostats/iplocation. anyways, been modifying my siem enviroment over time and its been looking really cool. plus once i finally figure out how to setup these forwarders, the homelab will🔥🔥🔥

Josh Kudos for your efforts.. this is brilliant..

Thanks Josh for the great project idea and the video. The way things have changed in the azure portal, just felt insane to get field extraction done. Was able to get the data and additional fields returned through KQL, and getting a DCR setup, but I ran into so many hurdles. I don’t know why Microsoft/azure has to make things so difficult.

Hey josh, please create more videos like this. This is really helpful.

Had to rewatch beginning couple of times because I couldn't login, figured it out, I had ubuntu as the default instead of Windows

Thank you sir for this wonderful project which I used in information security course 👍 and I learnt many information from it, ofcourse I got good marks, 🤙

Thanks for this video, it is really helpful to see a live use practical exercise for Azure.

I lOVE YOU SIR. FROM NIGERIA, I JUST STARTED MY MSC IN CYBER SECURITY, AND I CURRENTLY INTERN WITH A COMPANY IN LAGOS ONLINE. I'M LEARNING A PATH IN THE BLUETEAM, AND I FIND YOUR CONTENT JUST PERFECT FOR ME AT THE MOMENT. I'D LIKE TO CONNECT WITH YOU SIR.