SIEM Tutorial for Beginners | Azure Sentinel Tutorial MAP with LIVE CYBER ATTACKS!

  • Published 12 Jan 2025

COMMENTS • 1.1K

  • @JoshMadakor 2 years ago +25

    Edit: Microsoft has changed the Azure portal and other things so much this lab is going to be difficult to follow. I will remake this video later, but a full up-to-date version of this is included on my cyber course below:
    joshmadakor.tech/cyber

    • @Prajesh-vu1ji 1 year ago

      I don't know how, but my event count on the map is decreasing.. how do I solve this??

    • @leisureclub_ 1 year ago +6

      Will be waiting for that....

    • @navidniknezhad9379 1 year ago +6

      Heyy Josh, Thanks for this tutorial. I have almost managed to get everything right but just now got stuck on extracting values from RawData. I can't simply find any options or buttons for that on the panel. If you have the solution please let me know. Thanks again, looking forward to hearing back from you :)

    • @homeland_fitness8431 1 year ago

      @navidniknezhad9379 it's a recurring issue. We have a solution that somebody else told me. Will be posting it soon with credits.

    • @hishamaqueel432 1 year ago

      @homeland_fitness8431 did you resolve it?

  • @DrZona19 2 years ago +267

    For anyone else having issues finding the Security Center, it's been renamed Microsoft Defender for the Cloud, and Pricing and Settings are now Environment Settings.

    • @JoshMadakor 2 years ago +26

      Thanks so much for this

    • @DrZona19 2 years ago +8

      @JoshMadakor Thank you so much for making these labs!

    • @danpetak1359 2 years ago +14

      not to be dramatic but you just saved my life

    • @SS-uq6wv 2 years ago +2

      THANK YOU

    • @cedriclindor8157 2 years ago

      I appreciate this so much lol

  • @G1V3M3URTAGS 1 year ago +103

    For anyone who is having trouble with creating the custom log, Azure has updated their selection panes for Log Analytics. You can create custom logs by selecting Tables > Create > New Custom Log (MMA-Based).

    • @shingen8914 1 year ago +4

      Thank you!

    • @jeremychi5674 1 year ago +1

      Thanks!

    • @aakashm4930 1 year ago +1

      You my friend, stay happy!

    • @bujaay2924 1 year ago +1

      Nearly gave up the search, thank you Sir

    • @attackofthemutant 11 months ago +1

      I should have read the comments section before going nuts. Thanks for the info, this will be helpful for everyone who is halfway through this project

  • @Eze_Cloud 3 years ago +225

    It's crazy that these labs don't seem to do as well on your channel but they're arguably the most valuable information on here. Your Active Directory lab, Security+, and your resume tips got me a job. Keep up the great content!

    • @JoshMadakor 3 years ago +50

      Lol, I complain to this about my friends all the time. "Nobody cares about my videos that are actually good 😡" lmao 😂. I just try to balance them though. And super glad to hear about your job. Great work!! And thanks for watching :)

    • @brianturney7599 2 years ago +12

      @JoshMadakor This is crazy that people don't watch this video more than the others. I'm in it for the deep dive into the nitty gritty like this. This stuff is WAY valuable info. I wonder if most people are just too lazy so they skip past videos like these. You know what they say.. It's lonely at the top. When you do high quality videos such as this the top high quality viewers watch it while the 'lesser sages' skip it. haha

    • @roadtoexoneration3960 2 years ago +3

      I guarantee if you went and got into a fight at Walmart -- 1 million views in 24 hours. Great stuff! #Wegottadobetter

    • @MrSamachia 2 years ago +2

      @roadtoexoneration3960 hahahahah you said it alright ...😂😂😂😂😂😂

    • @scottspa74 1 year ago +2

      @joshmadakor, this stuff is absolute gold! Thanks SOOOO much for sharing this. I wish I'd have had you as an instructor when I was getting my cybersecurity degrees at Edmonds; It sounds like I missed your time there by just a few quarters.

  • @heyjanellj 9 months ago +10

    This was my very first cybersecurity project. Creating the honeypot and seeing the live attacks was so exciting and helpful, as I am in the beginning stages of this journey. Thank you so much!

  • @fromthemoonandmybed 2 years ago +40

    Josh has taught me more about SIEM in 53 minutes than any prof I've had in college

    • @TheAllegiance1 3 months ago

      need to allow pings through via defender

  • @Jester4tw 3 years ago +87

    This video helped me land a job as a Security Analyst. It really impressed them. I appreciate your channel and all you do. I'll be looking out for your other Tutorials for sure.

    • @JoshMadakor 3 years ago +18

      That is beautiful, super congratulations!!! Thank you for sharing. I wish I could have seen what your attack map looked like. Everyone's is different and it's so interesting to me :>
      Again, huge congrats!

    • @vijaykishorea3987 3 years ago +2

      Hi Ronny, firstly congrats on your job. How did you express this project to your interviewer? Did you make any documentation of this project and add it to your resume?

    • @Jester4tw 3 years ago +35

      @vijaykishorea3987 I waited until they asked me a relevant question, and when they did I used that as a chance to bring it up. I believe the question was "What do you do at home to improve your skillset?" Or something like that. I pulled up the map of the countries that have already tried to get into my honeypot and mentioned what it is and how I did it. Giving credit to Josh, of course.

  • @KI5IJB 3 years ago +20

    For anyone else that was having trouble getting the "Store additional raw data - Windows security events" part to work like it does in the video (since the update), go to 'Microsoft Defender for Cloud', select the specific resource under your subscription, in my case 'law-honeypot', 'Enable all Microsoft Defender for Cloud Plans', uncheck 'SQL servers on machines' like Josh did, click Save, go to 'Data Collection' on the left side, select 'All Events', click Save and you should be good to go now. It took me a minute to figure this out, hope this helps someone else!

  • @JoshMadakor 3 years ago +84

    ⭐️⭐️⭐️ UPDATE TO INSTRUCTIONS ⭐️⭐️⭐️
    *Microsoft Azure changed the GUI for the portal! See below for Instructions!*
    8:38 - When you go to enable Security Center, this is now called "Microsoft Defender for Cloud"
    9:07 - For the Data Collection from VMs to the Log Analytics Workspace, this is now done in a different area under "Microsoft Defender for Cloud". See here for complete instructions: docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection#enable-auto-provisioning-of-the-log-analytics-agent-and-extensions-

    • @victormaymt4830 3 years ago

      Thanks for the amazing video. For some reason I can't find the auto provision on the Defender for Cloud menu.

    • @victormaymt4830 3 years ago

      found it

    • @Verbal27 3 years ago

      @victormaymt4830 Where did you find it? Having trouble locating it

    • @BigHud83 3 years ago

      Thanks Josh I was stuck.

    • @Sequel7 3 years ago

      I don't see the raw data column on my end.

  • @SimplyCyber 3 years ago +26

    Just finished the entire video. Excellent content and delivery. Appreciate the tech deep dive and the best practice too from a GRC perspective on MFA for all and not using default username/pass. Cheers

    • @JoshMadakor 3 years ago +5

      Hey man! Honored to see you here. I actually discovered DSU CyberOps PhD through your channel. After watching your videos, I actually got my Masters in Cyber and BS in Computer Science for the sole purpose of being able to apply to that program....then I started doing YouTube more seriously haha. I don't know what I'll do in the future, but your videos impacted me, so thank you :)

  • @chrisbohon 3 years ago +70

    I know these labs probably don't get you the most views like other videos, but this stuff is very valuable. Thanks!

    • @JoshMadakor 3 years ago +16

      Lol thanks so much, and yeah. It's really funny and something I complain a lot about to my friends. "nobody likes my videos that are actually good." 😭🤣🤣

    • @mgray999 3 years ago +6

      This is insanely valuable. I'm a year and 2 months in, and I haven't touched the SIEM yet

    • @JoshMadakor 3 years ago +8

      @mgray999 I noticed it's really hard to get SIEM experience without already having it. Luckily we can now set up our own cloud SIEM and throw a bunch of dangerous VMs out on the internet to be attacked :D, hahaha

    • @mgray999 3 years ago

      @JoshMadakor I'm so excited to mess around with this on Wednesday. I love the thought of looking at an active attack

    • @basemmahmoud9850 2 years ago

      @JoshMadakor it is amazing Josh, very helpful. Thank you

  • @kevingardocki 1 year ago +50

    For those that need to find the "custom log" tab, it is now "Tables" and then click create sample log!

    • @nappy203 1 year ago +4

      Thank you. How did you extract the fields after that?

    • @ElTerceroCharles 1 year ago +9

      @nappy203 Custom logs is a setting in Log Analytics workspaces:
      Go to the Log Analytics workspace that you want to add the custom logs to.
      In the left navigation pane, select Tables.
      In the Tables blade, select New custom log (MMA-based).
      In the New custom log blade, enter the following information:
      Log name: The name of the custom log.
      Description: A description of the custom log.
      Source: The source of the custom log. This can be a specific Azure resource, such as a virtual machine, or a generic source, such as all Azure resources.
      Query: The query that will be used to extract data from the custom log.
      Select Create.
      Once you have created the custom log, it will be available in the Tables blade. You can then use the Query editor to query the custom log and view the data.

    • @Itzviktur 1 year ago +2

      @ElTerceroCharles I can't seem to enable the ability in Security Center because the Log Analytics can't be found. Can you help? Thanks

    • @HalalFitLife 1 year ago

      @ElTerceroCharles thank you. I'm not sure I understood all of that but I appreciate it nonetheless.

    • @scottspa74 1 year ago

      I would think SSH would be a more compelling honeypot than RDP. But, what do I know.

  • @debprasadbanerjee5005 2 years ago +10

    Actually good non-clickbait and career-oriented content. Pure gold channel

    • @JoshMadakor 2 years ago +3

      I'm seriously honored to receive this comment, lol. Thank you :)

  • @jorgelucero9829 2 years ago +12

    Thank you Mr. Madakor. Having this on the resume really impressed my interviewers and I was able to finally land a job in the field. I greatly appreciate you for sharing this walk-through.

    • @Dxhard 2 years ago +3

      can you please tell me how you added it to your resume?

    • @abhinavkohli4293 6 months ago

      how did you apply?

  • @-0.0 9 months ago +3

    As soon as I ran the script I was getting bombarded with login attempts from China, Russia, Belize, and more. Super interesting. Thanks Josh, I'm really excited to add this to my portfolio.

  • @abbasjon4520 2 years ago +5

    I am out of words to thank you! I'm almost done with my cybersecurity bootcamp and this video is PRICELESS!!! If I find a SOC analyst job, it's going to be because of you!! Thank you sooooo much!!!!

    • @dummyahh8470 1 year ago

      how is it going with the job search?

  • @dilpreetkohli6630 1 year ago +3

    At 21:44, for those who can't find custom logs under the settings tabs >> Go to Tables >> Create >> New Custom log (MMA-Based)

    • @sohannath4053 1 year ago +1

      thanks for this 👍

    • @williamthomas3233 1 year ago

      How to extract custom fields?

    • @gustavoclaudino5256 1 year ago

      @williamthomas3233 did you know how? I'm stuck

    • @gustavoclaudino5256 1 year ago

      the code to extract:
      | extend username = extract(@"username:([^,]+)", 1, RawData),
      timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
      latitude = extract(@"latitude:([^,]+)", 1, RawData),
      longitude = extract(@"longitude:([^,]+)", 1, RawData),
      sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
      state = extract(@"state:([^,]+)", 1, RawData),
      label = extract(@"label:([^,]+)", 1, RawData),
      destination = extract(@"destinationhost:([^,]+)", 1, RawData),
      country = extract(@"country:([^,]+)", 1, RawData)
      | project username, timestamp, latitude, longitude, sourcehost, state, label, destination, country

  • @eemotion 2 years ago +11

    For anyone having issues launching the VM using Azure:
    I live on the East Coast, so naturally I was basing my VM out of the auto-selected East Coast server. I could never create the VM, it was just perpetually loading. I talked to support and they said that they're having capacity issues in the US East Coast specifically.
    I changed it to an Australian server and it worked just fine.

    • @JoshMadakor 2 years ago +1

      Ty for posting this :)

    • @TheRealMrOR 2 years ago +1

      If only I had gone to the comments before spending 30 minutes just trying to re-do everything in another browser...

    • @dirty_mike 2 years ago

      1 month later and same issues on East Coast server (for anyone else trying this)

    • @DrZona19 2 years ago

      Can confirm Azure is still having the same issues on the East Coast.

  • @darkeststudio9607 2 years ago +2

    I think you're the only creator I came across that ain't gatekeeping information like this. I appreciate what you're doing. You have my support, good sir!

    • @JoshMadakor 2 years ago

      Thanks so much! I really appreciate that

  • @SimplyCyber 3 years ago +6

    Just popped in my feed. Great video and look fwd to checking out your other vids. I make similar content on YouTube and will be “borrowing” the idea of throwing up the resume bullet the person gets after executing the lab. Brilliant idea!

    • @JoshMadakor 3 years ago +2

      Thank you and for sure! I _borrow_ stuff all the time 😎

  • @lukewomble2528 1 year ago +7

    When setting up the labels and extracting the raw data I had to do it in Microsoft Sentinel, then go to custom logs. I would run the failed_rdp query and then would be able to check mark on the left of all the data. From there I would right-click and it would let me extract, and there I could do the custom fields! I hope this helps
    What an amazing lab. This blew my mind as I started to get people trying to log in within 10 minutes of running the PowerShell code! Thank you so much!

    • @dinolefevre8492 1 year ago +1

      That sure helped me

    • @nappy203 1 year ago

      I tried doing this in Sentinel and it didn't work... I'm right clicking and there's no extract fields.

    • @Hinksmn 9 months ago

      mine is not letting me extract the data, any tips?

    • @Noobmaster-yu2qz 9 months ago

      @Hinksmn Bro I'm not getting any traffic, any help??

    • @Noobmaster-yu2qz 9 months ago

      @Hinksmn Also I'm not able to find the RawData column which shows the latitude and longitude

  • @tobiaseks 3 years ago +11

    Thank you so much for this Lab Josh, it was a pleasure to follow through with you, and I have learned a lot.
    A quick note for anyone who made the mistake I did. When it's time to create the custom log at minute 25:00 I made the mistake of having two lines of code so it was
    1 FAILED_RDP_WITH_GEO_CL
    2 |
    this will give you an error code, so delete line 2 and it should run perfectly. It took me over an hour to figure out why I kept getting the error. I also re-ran the PowerShell script just in case.

    • @slagrajag 2 years ago

      Thank you, this was my problem too

    • @DrZona19 2 years ago +2

      I wish that was my problem. For some reason I keep getting no results found from that last [whatever time frame I choose]

    • @tashaylablue925 2 years ago +2

      Thank you for sharing. Just had this issue.

    • @ty6512 2 years ago

      @DrZona19 were you able to fix this?

    • @TimnGregsMagic 2 years ago

      @ty6512 have you figured it out? lmao

  • @kennyayala6189 2 years ago +4

    Hey Josh -- I'm trying to break into cyber security (just passed my Security+!) and your videos have been a HUGE help. Thank you for all you do!
    This video in particular made for a really fun and rewarding project -- I put my SIEM together today following your instructions and it's awesome seeing it all come together.
    Thanks again, and stay well!

    • @JoshMadakor 2 years ago

      Hey Kenny, glad you liked the lab and the content! Appreciate you

    • @TheRealMrOR 2 years ago +1

      Is it still possible to do it for free? I'm being told I need to upgrade to Security Center-Standard

    • @dummyahh8470 1 year ago

      Did you get a job yet? I just passed my Security+ as well.

    • @kennyayala6189 1 year ago

      @dummyahh8470 I'm currently working IT helpdesk at an MSP but am working my way into Cyber Security specifically. Gotta start somewhere! Congrats on your Sec+!

  • @DrZona19 2 years ago +51

    26:20 Azure does not have the three dots with an action option anymore. Instead, just right-click on the log you want and there's an extract fields option.

    • @JoshMadakor 2 years ago +6

      Thanks so much for commenting this!

    • @belaq1336 2 years ago +3

      Hi Austin,
      did you see the data displayed? I am stuck in that part because when I right-click on the log, the window opens but nothing appears. Can someone guide me? @josh?
      Thanks

    • @MrSamachia 2 years ago +2

      @belaq1336 hey, same here as well. That is where I am stuck

    • @danpetak1359 2 years ago +2

      I spoke too soon, there's no extract fields option when I right-click on the record :/ any help would be much appreciated!

    • @Nothing-pb5ml 1 year ago +2

      @danpetak1359 I'm stuck here as well :( and the legacy docs don't help. :|

  • @Z-life-online 1 year ago +12

    Just finished the lab and really enjoyed it. I’d say it took about 3-4 hours including some troubleshooting as things have changed since the video was made. Hopefully to save people time: Azure Defender is now Microsoft Defender. I enabled Foundation CSPM and Servers which then allowed me to enable ALL ENTRIES Data Collection. Custom Logs is now called Tables and you will want to Create New and use MMA-Based. Lastly I started to get an “Invoke-WebRequest : The remote server returned an error: (429) Too Many Request.” in my PowerShell output. I assume this means I went over my 1000 queries. I stopped the script and will enable it again tomorrow to see if it works. Overall great lab, just a few things have moved or changed since 2021! Thank you Josh!

    • @eddiegomez376 1 year ago +1

      @zacharywilliams6632 How long did it take for your logs to come in and start reading in custom logs page? This is the step at 25:00

    • @claytonreardon42069 1 year ago +2

      How the heck did you get the extract fields to work at 26:20? From my reading, it seems like it's deprecated.

    • @Z-life-online 1 year ago +2

      @eddiegomez376 I don't remember exactly, but maybe 10-15 minutes. Double check you included the .log append (and not .txt or something).

    • @Z-life-online 1 year ago +1

      @claytonreardon42069 I didn't end up extracting the data myself, but copied the template from the top pinned comment.

    • @eddiegomez376 1 year ago +1

      @Z-life-online I will attempt again later. I waited 2 hours and nothing, going to have to start from the beginning. Thanks though, I appreciate any help :).

  • @Nobomboclat- 1 year ago +2

    Josh, you are amazing man... I'm realizing how much initiative and knowledge it takes to bless the field like this, walking us through important maps of the CyberSecurity and IT field so casually and comprehensively. Truly an inspiration.

  • @Alpha-Omega33 1 year ago +5

    I am gonna work on this project today before I apply for any more jobs and I'll keep you posted! Thank you for the videos! Seems VERY valuable information and it is exactly what's missing on my resume-actual hands-on projects. I can't thank you enough!

    • @nappy203 1 year ago

      Hi there. Were you able to finish this? I got stuck in the middle and I wasn't able to finish.

    • @Alpha-Omega33 1 year ago

      @nappy203 yes I was able to finish it

    • @oagengmabiletsa281 1 year ago +1

      @nappy203 Hey, I also got stuck when extracting the logs -> Custom fields part. The 3 dots to extract are no longer there as MS Azure is updated. Do you perhaps know where I can find it?

    • @Alpha-Omega33 1 year ago

      @oagengmabiletsa281 I posted here what I did with links but the comments got deleted. So I don’t know how to help you. I made a channel “Cyber blogpost” on YouTube. I posted the video there. It’s only one.

  • @ToukeeVang 3 years ago +4

    WOW!! This is a gold mine!! Awesome job, I just set mine up, took about 2-3 hours but it's up and running! Great skill to learn. Looking forward to doing your other labs!! Thank you!

    • @JoshMadakor 3 years ago +1

      Hey Toukee! Glad you liked the lab! 2-3 hours is quite fast for this actually. It takes a while to get stuff working and then it can take some time before the bad guys notice it and start attacking haha. Thanks for commenting :)

  • @VeenoBoomin 11 months ago +4

    Just completed this lab - set it up 3 days ago, got caught up and didn't get to finish till today. Had an absolute unit from the Netherlands log over 14k logon attempts. Next up is to configure a lockout policy lol. Incredible lab and a lot of the comments in here helped me navigate the changes. Can't say thank you enough, Josh!

    • @weavingthevaluess 10 months ago +1

      did you figure out the "extract fields" part @ 26:20?

    • @kogei 10 months ago

      @weavingthevaluess I'm there also bro, any help?

    • @professorfroopynoopers1171 10 months ago

      @weavingthevaluess that's what I'm stuck on as well

    • @professorfroopynoopers1171 10 months ago +1

      how did you "extract fields"?

    • @DH-rf3nd 10 months ago

      How did you use your keygen, keypair, to connect to your VM in Microsoft Remote Connection?

  • @Josephmargay 2 years ago +4

    Thank you so much Josh Madakor for this video, I was able to set mine up in the space of two hours. I will definitely use it on my resume.

    • @JoshMadakor 2 years ago +2

      Oh you got it working? super! And good luck with it. I know a few people used this with success :)

  • @tonynoel286 1 year ago +85

    For anyone having trouble with the data extraction and map plot, paste this script in your workbook (where you plot the map):
    FAILED_RDP_WITH_GEO_CL
    | extend username = extract(@"username:([^,]+)", 1, RawData),
    timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
    latitude = extract(@"latitude:([^,]+)", 1, RawData),
    longitude = extract(@"longitude:([^,]+)", 1, RawData),
    sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
    state = extract(@"state:([^,]+)", 1, RawData),
    label = extract(@"label:([^,]+)", 1, RawData),
    destination = extract(@"destinationhost:([^,]+)", 1, RawData),
    country = extract(@"country:([^,]+)", 1, RawData)
    | where destination != "samplehost"
    | where sourcehost != ""
    | summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country
    This is just a combination of @MIAMIHACKER and Josh Madakor's queries so shout out to the both of you!

    • @TripElectronic 1 year ago +6

      Thank you for posting this!
      Small modification to the last line to display the query like seen in the data extraction part:
      | summarize event_count=count() by timestamp, label, country, state, sourcehost, username, destination, longitude, latitude

    • @dummyahh8470 1 year ago +3

      So does this basically mean we bypass the whole step he did for extracting data, right? Just wanna make sure I'm doing this right? Thanks btw

    • @TripElectronic 1 year ago +3

      @dummyahh8470 Yes, where you would enter the query (35:40 for reference) you would enter the script above instead of just the “FAILED_RDP_WITH_GEO_CL” or whatever you named your log file. This “bypasses” the whole extraction portion of the video. Keep in mind you will need to paste this same script into the map workbook when you create it.

    • @dummyahh8470 1 year ago +2

      @TripElectronic when I run this in the workbook I get failed to extract latitude etd

    • @dummyahh8470 1 year ago

      etc*

  • @ArizeOnubiyiC 1 year ago

    Thank you Mr Josh I am now a real cyber security graduate with your videos. A million Thanks.

  • @WhosKoozko 3 years ago +5

    You weren’t lying when you said 1k API requests weren’t a lot to work with. Woke up this morning to the API tapped out because some Chad in Ukraine tried to brute force the VM.
    I also installed sysmon on the VM. So I’m working on getting those events imported to sentinel as well.
    Great video. Very valuable.

    • @JoshMadakor 3 years ago +2

      > Woke up this morning to the API tapped out because some Chad in Ukraine tried to brute force the VM.
      Lmao, I'm dead, hahaha. Yeah, they will eat it up real quick.
      > I also installed sysmon on the VM. So I’m working on getting those events imported to sentinel as well.
      Cool, I'll check this out sometime!
      I also learned of another service that gives geolocation from IP address. I guess you can get 25k requests for free from here, but it will require you to rework the PowerShell script a bit: ipinfo.io/
      Thanks for watching and thanks for the funny/good info lol

    • @dariusvlogs3634 2 years ago

      @JoshMadakor I cannot get any logs out using the query. It states "
      No results found from the last 7 days
      Try selecting another time range "
      I connected the vm to the log management

  • @MrTheRipgut 1 year ago +2

    Great content Josh. Even though I am late to the party and Azure has been through multiple updates so the steps get out of whack in some instances, your community has come through like champs and I was able to finish this project. It was cool running through some roadblocks and trying to figure out how to get it to work and actually being able to implement some of the fixes provided. Hell of a first project.

  • @activplayz-6272 2 years ago +3

    Took me close to 5 hours but it's up and running. Looking forward to more projects.

  • @farhafatima1594 1 year ago +1

    @Josh Madakor Thank you immensely for offering this incredible hands-on lab experience. I've learned the entire setup cycle from the basics in the simplest way possible. Hats off to you, and I'm eagerly looking forward to continuing my learning journey with you.

  • @MargaretIlesanmi 3 years ago +3

    Hi Josh, thanks for doing this. I'm so excited to try this now. I am just transitioning into this cybersecurity space with no previous IT experience and I must say your videos have been really helpful.

    • @JoshMadakor 3 years ago

      Hey Margaret! Thanks for watching! It was a lot of fun to make honestly, hope you have fun with it! I'm glad the content has been helpful :)

    • @happie1271 3 years ago

      Hi Margaret, did you finish this project?

  • @iMentorCloud 3 years ago +2

    I highly recommend this for every Microsoft shop. This can land you a job fairly quickly and easily.

    • @JoshMadakor 3 years ago

      Hey! It's funny, I've actually had a couple people tell me they talked about this lab in their interview and then they subsequently got hired, haha. I'm sure they brought other stuff to the table, but it's nice to see!

    • @iMentorCloud 3 years ago

      @JoshMadakor I doubt it - you can’t just get the job like that. You got to have hands-on skills, unless they got hired for monitoring Sentinel.
      Sentinel is one of the easiest ways to learn any SIEM, specifically if you are running M365 services. This is where you get to do the engineering work

  • @kirennguyen1140 1 year ago +6

    First of all, thank you so much for this video Josh Madakor. I started studying IT almost a year ago and I knew nothing before; cloud compute is still a strange thing for me, but this lab was such an amazing experience.
    2nd, for those who are confused about how to extract RawData into a split table in Log Analytics, you can input:
    failed_rdp_withGEO_CL // as in video
    | extend CSVFields = split(RawData, ',') // this line is used to split the output after each comma into separate values in "" and create a new column
    | extend timestamp_CF = todatetime(CSVFields[8]) // choose the 9th value in " "
    | extend label_CF = tostring(CSVFields[7])
    | extend country_CF = tostring(CSVFields[6])
    | extend state_CF = tostring(CSVFields[5])
    | extend source_CF = tostring(CSVFields[4])
    | extend user_CF = tostring(CSVFields[3])
    | extend dest_CF = tostring(CSVFields[2])
    | extend longitude_CF = tostring(CSVFields[1])
    | extend latitude_CF = tostring(CSVFields[0])
    | summarize event_count=count() by source_CF, tostring(latitude_CF), tostring(longitude_CF), country_CF, label_CF, dest_CF
    then go to Josh's script and delete everything before ':' such as timestamp: or source:. The purpose is to show only the data we want without the explanation and ':' before each value. You can find this line near the end of the script.
    It will show a clear table with clear data, and then continue with Azure Sentinel as in the video. Thank you

    • @Tosaaa
      @Tosaaa 11 months ago

      I'm having a bit of trouble with this. Lines 2 and 3 are a little confusing. What should I put after RawData? And what is "value 9th in " ""?

    • @zeke546
      @zeke546 11 months ago

      @@Tosaaa same, I am still trying to figure out how this is even relevant
      Fuck Microsoft till my grave, making things needlessly difficult

    • @theAlmightyGod09
      @theAlmightyGod09 5 months ago

      It helped to resolve the error I got. Thank you.

  • @Omni-knight
    @Omni-knight 1 year ago +2

    I'm glad I found this channel. The explanations are very straight forward and clear.

  • @wc4483
    @wc4483 2 years ago +9

    I just finished this lab and it was very detailed and easy to follow. I got everything set up except for one issue:
    When copying and pasting the Sentinel Map Query as is, it would say the query had no output. I had to delete this line "| where sourcehost_CF != "" " and then I was able to continue along and finish it all up.

    • @JoshMadakor
      @JoshMadakor  2 years ago +3

      Shoot, thanks so much for bringing that up. I'm def going to remake this lab at some point and release it on YouTube :P

    • @lesandjackonwriting
      @lesandjackonwriting 2 years ago

      Thanks, fixed my hours long search for the answer to this problem!

    • @bilalahmad-fd1wt
      @bilalahmad-fd1wt 9 months ago

      @@lesandjackonwriting hello, can you please help me solve it at the end, in field extraction?

  • @user_data
    @user_data 1 year ago +1

    I just finished this video!! I can't thank you enough!!! Thanks for sharing such valuable information... You are helping and inspiring new cybersecurity students to get the experience we need! THANK YOU!!!

  • @WhoElseLikesPortal
    @WhoElseLikesPortal 5 months ago +6

    PEOPLE IN 2024:
    Microsoft has CHANGED MANY FEATURES in Azure that are used in this video. For the query, ignore the part about extracting to custom fields and instead put in this KQL:
    FAILED_LOG_GEO_LC_CL
    |extend username = extract(@"username:([^,]+)", 1, RawData),
    timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
    latitude = extract(@"latitude:([^,]+)", 1, RawData),
    longitude = extract(@"longitude:([^,]+)", 1, RawData),
    sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
    state = extract(@"state:([^,]+)", 1, RawData),
    label = extract(@"label:([^,]+)", 1, RawData),
    destination = extract(@"destinationhost:([^,]+)", 1, RawData),
    country = extract(@"country:([^,]+)", 1, RawData)
    |where destination != "samplehost"
    |where sourcehost != ""
    |summarize event_count=count() by timestamp, label, country, state, sourcehost, username, destination, longitude, latitude
    medium.com/@michaellopezcs17/how-to-create-a-siem-microsoft-sentinel-2024-46ab6c7cfb8c

    • @PIBoost
      @PIBoost 5 months ago

      where can i find the KQL?

    • @PIBoost
      @PIBoost 5 months ago

      nvm i got it, thanks man!

    • @yonitonii
      @yonitonii 5 months ago

      Thanks so much man!!

    • @prateek2655
      @prateek2655 3 months ago

      yeah it works, thanks a lot

    • @princeudoka1177
      @princeudoka1177 1 month ago

      Please, I need your help. How do I put this in KQL?

  • @devonburelle400
    @devonburelle400 2 years ago +2

    This was super interesting, I'm working on a research assignment for SIEMs and now I really want to try this lab! All your videos have been really informative and interesting, thank you!

  • @Robert-x3q1b
    @Robert-x3q1b 2 years ago +3

    Azure portal just loves being difficult. I have to use it at work so I thought this would be a quick lab (since I'm familiar) but NOPE. Thanks for the labs as always, Josh!

    • @JoshMadakor
      @JoshMadakor  2 years ago +2

      Hey again William! Haha sorry about that. I know...they change it so often. Maybe for the next Azure lab I will do everything with raw REST API requests so it changes less lmao 😂

  • @lsam9082
    @lsam9082 8 months ago

    Thank you Josh, for your invaluable assistance! I'm delighted to inform you that I've successfully completed this project and have incorporated it into my resume. The experience garnered from this endeavor has been immensely enriching and educational, contributing significantly to my professional growth. I am deeply grateful for your guidance and support throughout this process. Once again, thank you for the invaluable learning opportunity. ☺

  • @ElTerceroCharles
    @ElTerceroCharles 1 year ago +5

    Custom logs are a setting in Log Analytics workspaces.
    Go to the Log Analytics workspace that you want to add the custom logs to.
    In the left navigation pane, select Tables.
    In the Tables blade, select New custom log (MMA-based).
    In the New custom log blade, enter the following information:
    Log name: The name of the custom log.
    Description: A description of the custom log.
    Source: The source of the custom log. This can be a specific Azure resource, such as a virtual machine, or a generic source, such as all Azure resources.
    Query: The query that will be used to extract data from the custom log.
    Select Create.
    Once you have created the custom log, it will be available in the Tables blade. You can then use the Query editor to query the custom log and view the data.

    • @nappy203
      @nappy203 1 year ago +1

      so, excuse my ignorance, but how did you extract the fields after that?

    • @ramirras
      @ramirras 1 year ago

      MMA-based doesn't work like that any longer. Now, after I select MMA-based, it asks me to upload a sample of the custom log. Any idea how to get around that???

    • @dilpreetkohli6630
      @dilpreetkohli6630 1 year ago +1

      @@ramirras Upload that sample log file on your host machine first

    • @dilpreetkohli6630
      @dilpreetkohli6630 1 year ago

      Did you find that?
      @@nappy203

    • @austinmolinaro7103
      @austinmolinaro7103 9 months ago

      You're the real MVP... I was stuck googling and ChatGPT-ing how to work around this. Thanks!

  • @ArtisticByte-i6h
    @ArtisticByte-i6h 4 months ago

    Phewwwww, I managed to get the lab done. I just finished the lab and have to leave it running and come back tomorrow as I already hit my 1000 limit with ipgeolocation. Josh, thanks a lot.

    • @prateek2655
      @prateek2655 3 months ago

      How did you manage to extract the RawData? Can you share?

  • @benjaminstewart716
    @benjaminstewart716 2 years ago +18

    Josh pinned the comment for the Security Center/Data Collection, but here are full instructions so y'all don't have to suffer like I did.
    > Watch Josh's awesome video until 8:38 (VM and LAW are set up) and then go to "Microsoft Defender for Cloud"
    > Find and click on "Environment Settings" in lefthand toolbar
    > Find and click on the dropdown arrow immediately next to your Azure subscription to reveal the NAME of your workspace (this is a critical detail that cost me a lot of time and pain, also bear in mind everything has to be deployed in order for this step to work)
    > Click on the workspace name to open its settings
    > In settings, disable "SQL servers on machines"
    > In settings, enable "Servers"
    > click the save button in the top left next to the search bar
    > click on "Data Collection" in the lefthand toolbar
    > Select "All Events" and save by clicking on the "Save" button
    > jump back to Josh's awesome video and connect the VM to your LAW
    > ...
    > profit
    ALSO bear in mind that there is regional weirdness with Sentinel. For whatever reason, I could not add Sentinel to a US West 3 workspace even though the documentation said Sentinel was "non-regional"...anyway, I used US East and it worked like a charm.
    Good luck lads and lasses, and thanks again Josh for the amazing content! :)

    • @benjaminstewart716
      @benjaminstewart716 2 years ago +2

      Also, at 26:24 you have to right click directly on the log entry to extract the fields - it looks like that little three-dot field has been removed.

    • @JoshMadakor
      @JoshMadakor  2 years ago +2

      I pinned this. Seriously thank you for taking the time.

    • @JoshMadakor
      @JoshMadakor  2 years ago +1

      I wish i could super-thank this lmao

    • @benjaminstewart716
      @benjaminstewart716 2 years ago +2

      @@JoshMadakor if we're being #real though, I was writing this all down because I am gonna turn it into a blog/LinkedIn post, so happy to re-post it here and save someone else from banging their head against the documentation / Azure interface like I did lmao.
      It took

    • @TheNeveraaron2
      @TheNeveraaron2 2 years ago

      It's not giving me an option for US East. The only US option I'm seeing is US West 3.

  • @invader703
    @invader703 2 years ago +1

    Josh I really want to thank you for making these videos. They're easy to follow and seriously helping me beef up my resume. Keep it up!

    • @c12651
      @c12651 1 year ago

      Can you provide the updated steps, please?

  • @jq1187
    @jq1187 1 year ago +11

    @JoshMadakor The option to extract data and create custom fields has been removed by Microsoft and replaced with "Data Collection Transformations", rendering this project extremely difficult to continue with if one is not familiar with Microsoft Azure.
    If you can somehow update this video, I think that would be a huge help!
    Thank you for all of your hard work!

    • @keithimmaculate6783
      @keithimmaculate6783 1 year ago

      Where would I find the "Data Collection Transformation" option in order to extract data and collect custom fields? Appreciate you for commenting.

    • @x1dragon102
      @x1dragon102 1 year ago

      and now data collection cannot be stored in Defender for Cloud - free; you'd need to upgrade to be able to carry on with this project

  • @bennythedennis
    @bennythedennis 1 year ago +1

    You’re the best Josh. These videos have really helped me in my WGU journey. Six months ago I left healthcare and got my first tech support job, and now I’m transitioning to another one with even more pay and a better commute.
    I still haven’t cracked into cyber security yet, but I’m networking with my security analyst and SOC analyst friends to make inroads. These labs will certainly make my resume standout too!
    Hey, maybe when I get my first info sec job by this time next year you can interview me too! Only half kidding about that 😂

  • @R0ck3tC0w
    @R0ck3tC0w 2 years ago +12

    Hey Josh, great tutorial, but it seems hard to continue after 23:30 as Azure seems to have changed. There is no location in the Security Event display for me to view the raw data containing longitude and latitude and finish the project.

  • @bryantvivar5697
    @bryantvivar5697 1 year ago +1

    Man I love the labs that you put out! Super helpful especially for us trying to break into the industry

  • @denziledwards1213
    @denziledwards1213 3 years ago +1

    Your channel is GOLDEN Josh.... I'm really glad you started YouTube and was lucky to have found you bro!!!!!!

    • @JoshMadakor
      @JoshMadakor  3 years ago +1

      Aw, thank you so much. I'm really glad you are enjoying the content and it's helpful. Really appreciate you watching and taking your time to comment!

  • @TechTualChatter
    @TechTualChatter 3 years ago +2

    I've been looking into setting up Sentinel lol, I think it'll be a major player one day seeing as a lot of environments use O365 and Azure

    • @JoshMadakor
      @JoshMadakor  3 years ago +2

      Yeah for sure, and the fact that you can literally spin up a pay-as-you-go SIEM in like 1 minute. Seems absolutely great! I want to explore it more myself :)

  • @ausmanx1161
    @ausmanx1161 3 years ago +2

    Great video! I just finished this project last night and it was a fun, awesome experience. You did a great job instructing us through and explaining each step. I'm going to write my first blog post, thank you for all you do and your videos!

    • @JoshMadakor
      @JoshMadakor  3 years ago +2

      Heck yeah, good job setting it up. This was one of my favorite ones so I'm glad you liked it. GL with the blog post. I've uploaded a video (not yet live) where I go over a sample resume and a sample blog that includes this lab. Feel free to check it out ahead of time :)
      ua-cam.com/video/Y_AyHBtQ-U8/v-deo.html

    • @ausmanx1161
      @ausmanx1161 3 years ago

      @@JoshMadakor definitely watching that video rn, it applies directly to me also, thank you!

    • @jamesharden1495
      @jamesharden1495 8 months ago

      Hello, could you help me please? I can't seem to get the custom logs to have the query and run panel at the top.

  • @Geomaverick124
    @Geomaverick124 3 years ago +5

    This was a very interesting sim. I will remember to recommend it to those looking to get into cyber security. Are there other projects that you can create for experience?

    • @JoshMadakor
      @JoshMadakor  3 years ago +3

      Hey man! Yeah, I'm going to make a few more, but right now I have a playlist with a few technical demos! Check it out: ua-cam.com/play/PLqBeiU46hx1H--SNfTrohTOWeqkK-M2Y0.html

  • @ArtisticByte-i6h
    @ArtisticByte-i6h 4 months ago +1

    Further to my comment below a couple minutes ago, During the first try of setting up custom log, I was able to ingest the logs in log analytics. I could see the output to the query "Failed_RDP_Log_Geo_CL" but then trying to extract the fields from it never worked. So, I tried creating the new custom log (DCR-based) but this was way too difficult for me.... Anyhoo, appreciate all the help you have been providing. Cheers Josh

  • @belloabdulmuizz9156
    @belloabdulmuizz9156 1 year ago +4

    @joshMadakor Microsoft has changed the Custom fields option , so right clicking on the result from a query does not show the extract fields option, any ideas to extract the raw data columns to get longitude , latitude etc would be appreciated

    • @JoshMadakor
      @JoshMadakor  1 year ago +2

      You can use KQL Regex. I would ask chatgpt to make a KQL regex to extract the latitude and longitude, then you can use that KQL query it generates. I know this answer is kinda wishywashy, but it's the best way that comes to mind :)

    • @MIAMIHACKER
      @MIAMIHACKER 1 year ago +9

      @@JoshMadakor
      yup this worked, the script below should be able to parse the data and create the columns.
      FailedRDP_CL
      | extend username = extract(@"username:([^,]+)", 1, RawData),
      timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
      latitude = extract(@"latitude:([^,]+)", 1, RawData),
      longitude = extract(@"longitude:([^,]+)", 1, RawData),
      sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
      state = extract(@"state:([^,]+)", 1, RawData),
      label = extract(@"label:([^,]+)", 1, RawData),
      destination = extract(@"destinationhost:([^,]+)", 1, RawData),
      country = extract(@"country:([^,]+)", 1, RawData)
      | project username, timestamp, latitude, longitude, sourcehost, state, label, destination, country

    • @belloabdulmuizz9156
      @belloabdulmuizz9156 1 year ago +2

      @@MIAMIHACKER thank you for the KQL commands. Worked like a charm. Curious to know if you saw event_count while setting up the Map also?

    • @MIAMIHACKER
      @MIAMIHACKER 1 year ago

      @@belloabdulmuizz9156 nope, still working on setting up the map.

    • @callums8138
      @callums8138 11 months ago

      @@MIAMIHACKER Does this change what query I run in the workbook? The one Josh provided isn't working
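
The two parsing approaches that keep coming up in this thread (the positional split(RawData, ',') query in @kirennguyen1140's comment and the key-based extract(@"key:([^,]+)", 1, RawData) query posted by @WhoElseLikesPortal and @MIAMIHACKER) cannot be run outside Log Analytics, so here is an added Python re-implementation of both, followed by the filter and summarize steps of the map query. This is example code written for this page, not code from the video, the lab script, or any commenter. It assumes the "key:value,key:value,..." row layout that those queries imply; the sample RawData rows, IPs, and coordinates are constructed, and the column order in SPLIT_ORDER is taken from the CSVFields indices in the split-based comment.

```python
import re
from collections import Counter

# Constructed sample RawData rows (documentation IP ranges, made-up coordinates)
# in the "key:value,key:value,..." layout the KQL queries assume.
# Row 4 is the log script's placeholder row and row 5 has empty values: these
# are the two cases the map query's "where" lines filter out.
SAMPLE_RAWDATA = [
    "latitude:52.370216,longitude:4.895168,destinationhost:lab-vm,username:administrator,"
    "sourcehost:203.0.113.5,state:North Holland,country:Netherlands,"
    "label:Netherlands - 203.0.113.5,timestamp:2023-12-15 10:01:02",
    "latitude:52.370216,longitude:4.895168,destinationhost:lab-vm,username:admin,"
    "sourcehost:203.0.113.5,state:North Holland,country:Netherlands,"
    "label:Netherlands - 203.0.113.5,timestamp:2023-12-15 10:01:09",
    "latitude:35.689487,longitude:139.691711,destinationhost:lab-vm,username:administrator,"
    "sourcehost:198.51.100.77,state:Tokyo,country:Japan,"
    "label:Japan - 198.51.100.77,timestamp:2023-12-15 10:02:30",
    "latitude:0,longitude:0,destinationhost:samplehost,username:sampleuser,"
    "sourcehost:192.0.2.1,state:samplestate,country:samplecountry,"
    "label:samplelabel,timestamp:2023-12-15 00:00:00",
    "latitude:0,longitude:0,destinationhost:lab-vm,username:guest,"
    "sourcehost:,state:,country:,label:,timestamp:2023-12-15 10:03:00",
]

# Keys in the order the regex-based query extracts them.
FIELDS = ["username", "timestamp", "latitude", "longitude", "sourcehost",
          "state", "label", "destinationhost", "country"]

# Column order implied by the positional CSVFields[0..8] query (assumed).
SPLIT_ORDER = ["latitude", "longitude", "destinationhost", "username",
               "sourcehost", "state", "country", "label", "timestamp"]


def extract_fields(raw: str) -> dict:
    """Key-based parse, mirroring KQL extract(@"key:([^,]+)", 1, RawData).

    Each value runs from the key's colon up to the next comma, so a value
    that itself contains a comma is cut short, and a key with nothing after
    the colon yields "" (the same empty result KQL extract gives for no match).
    """
    result = {}
    for key in FIELDS:
        match = re.search(rf"{key}:([^,]+)", raw)
        result[key] = match.group(1) if match else ""
    return result


def split_fields(raw: str) -> dict:
    """Positional parse, mirroring split(RawData, ',') with CSVFields[i].

    The values keep their "key:" prefix (latitude_CF becomes
    "latitude:52.370216") unless the log writer is changed to drop the text
    before the colon, which is the script edit the split-based comment describes.
    A stray comma inside a value shifts every later column by one.
    """
    parts = raw.split(",")
    return dict(zip(SPLIT_ORDER, parts))


def summarize_events(lines) -> dict:
    """Mirror of the map query's filter and summarize steps.

    Drops the samplehost placeholder row and rows whose sourcehost came back
    empty, then counts events per (sourcehost, latitude, longitude, country,
    label, destinationhost), the grouping the split-based comment uses.
    """
    counts = Counter()
    for raw in lines:
        f = extract_fields(raw)
        if f["destinationhost"] == "samplehost" or f["sourcehost"] == "":
            continue
        key = (f["sourcehost"], f["latitude"], f["longitude"],
               f["country"], f["label"], f["destinationhost"])
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize_events(SAMPLE_RAWDATA).items():
        print(n, key)
```

Running it prints two grouped rows (two attempts from the constructed Netherlands address, one from the Japan address); the placeholder row and the row with an empty sourcehost are dropped by the same conditions as the `where destination != "samplehost"` and `where sourcehost != ""` lines, which is why removing the latter line, as one commenter did, makes rows with no geolocation data reappear.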

  • @sieffy91
    @sieffy91 3 years ago +1

    Glad I stumbled across this! I work in the Microsoft space (MSFT partner) and we're slowly moving away from just a UC shop to encompass the entire M365 suite (and eventually Azure security), so this is extremely helpful! Hope you continue to do more content like this!

    • @JoshMadakor
      @JoshMadakor  3 years ago +1

      Hey! I'm glad you like the content. I'm sure I will do more like this in the future. I really enjoy SIEM/live stuff. Seeing people try to break into my stuff is really hilarious lol

  • @JohnCutter317
    @JohnCutter317 2 years ago +3

    The three dots next to the logs aren't there anymore and you don't have to expand the field just right click the title of log to extract

  • @Taianii
    @Taianii 9 months ago

    First cybersec project I've done, and wow, how interesting was that. Thank you so much for the video Josh, hope to see more from you in the future, much appreciated.

  • @calculated4927
    @calculated4927 1 year ago +3

    Hello Josh, thank you so much for taking the time to make videos like these. I plan to do a few of your projects to beef up my resume.
    But when doing this one, I keep getting the error saying that I can't connect to the VM with RDP. I've run all the necessary tests and it should be up and running, but something is keeping me from connecting. I have even tried it with my firewall completely turned off and still nothing.
    Getting error code 0x204. I even bought Pro just for this and it still isn't working :/

  • @MrKeKsst
    @MrKeKsst 2 years ago +3

    Dumb question, but how do we make sure that nobody actually gets to log on to the machine by brute forcing the password/exploiting other weaknesses?

    • @JoshMadakor
      @JoshMadakor  2 years ago +2

      It's not a dumb question at all! There are a couple options:
      1) Using 2-factor-authentication somehow (windows hello, etc)
      2) Using a password lockout policy that will lock the account after x-failed attempts
      3) Using a really strong password helps.
      And remember, there is always a way in if the attacker has enough time and money :)

  • @rhmcneil
    @rhmcneil 3 years ago +1

    Thanks for the excellent video man. I had some trouble with setting up Azure Defender as the process you explained changed literally in the short timeframe in which you uploaded this video. I stayed with it though and eventually found the section to enable it for my test VM and was able to follow all of the other steps with no problems. Currently studying the SSCP and just listened to a Darknet Diaries per your recommendation in another one of your videos. So glad YT recommended you man, keep doing your thing.

    • @JoshMadakor
      @JoshMadakor  3 years ago +4

      Ah yeah, omg Defender seriously changed right when I released this. I knew that would happen. I'll have to research it and pin a comment or something lol 😩. Glad you did the lab! Hope it was fun! Glad you found the channel! Thanks for watching and best of luck :) (Darknet is so dope, haha)

    • @Kevin-zy5jm
      @Kevin-zy5jm 3 years ago

      Hey @MackXXI, where’d you find it? I can’t get to security center… I’m stuck!

    • @rhmcneil
      @rhmcneil 3 years ago

      @@Kevin-zy5jm so I kind of stumbled upon it after going through different sections of the Azure portal. It's on the bottom of the page of either Azure Sentinel or Log Analytics workspaces if I recall correctly. Sorry, I should have better documented what I did since things changed up.

  • @TheExaltedHerobrine
    @TheExaltedHerobrine 3 years ago +6

    Man these labs really need attention from the cybersecurity audience.

  • @MrZaytova
    @MrZaytova 1 year ago +1

    Appreciate the video. Great and clear information. Really enjoyed getting some exposure to Azure Sentinel as well as data from active attacks.

    • @JoshMadakor
      @JoshMadakor  1 year ago

      Hehe thank you, glad you enjoyed that

  • @noahshrader4440
    @noahshrader4440 3 years ago +3

    Hey Josh. When creating the custom log, the Log Analytics Workspace keeps throwing the error, "Query could not be parsed at '' on line [3,0] Token: Line: 3 Position: 0"
    when I try to run the custom log. It throws the same error for all commands including the Security event. Any ideas?
    Edit: I had to run the logs from Sentinel and not the LAW. Talked to the support team and it was a weird bug. Everything else went great. Thanks so much for the help. I am going to school in the fall for cybersecurity at a local college. You have inspired me! Looking forward to the next video!

    • @danielopara1006
      @danielopara1006 2 years ago

      Hi Noah, I am currently facing this problem and I tried running the logs from Sentinel and returns the same error message.

    • @okuneyevictor6426
      @okuneyevictor6426 2 years ago +1

      @@danielopara1006 did you get it fixed? I'm having problems with the same error but in LAW and Sentinel. If you got it fixed, can you share the solution here? Thanks

    • @maxwellab4519
      @maxwellab4519 2 years ago

      @@okuneyevictor6426 same here

    • @mattmalott9489
      @mattmalott9489 2 years ago +1

      hey guys, you have to delete the lines below the first line. Only the first line in your query should be showing. He mumbles something about it if you watch that part again.

  • @owensirois3881
    @owensirois3881 1 year ago

    Thank you so much for this video. I cannot stress enough how much you have done for my professionalism and resume. You are the man!!!

  • @Makonnen92
    @Makonnen92 1 year ago +4

    How the hell do we 'extract fields' ??? I'm stuck smh

  • @abdulkadirosman2816
    @abdulkadirosman2816 10 months ago +1

    Half way through and it's a great tutorial. I tried geolocating my IP address on the website you recommended and it said Birmingham UK when I live in London UK. There are other websites that came within a couple miles though!

  • @kad151
    @kad151 2 years ago +1

    Great content. Thanks again for this tutorial with this practice lab. This was well worth the 52:44.

  • @aldov369
    @aldov369 9 months ago +1

    Great video, thank you for helping me fill some experience on my resume!

  • @cheviot2988
    @cheviot2988 2 years ago

    Bro this is so much fun, I've got two from Iran, a few hundred from the Netherlands and even a few from my own country, the UK :) this was a really great video, thank you

  • @anthonymolina6461
    @anthonymolina6461 3 years ago +1

    Great video Josh! This was a lot of fun to set up. Love how well you explain everything

    • @JoshMadakor
      @JoshMadakor  3 years ago +1

      Hey Anthony, glad you liked it!! And thank you :). I will expand on this lab some time in the future :p

  • @karlo6791
    @karlo6791 7 months ago +2

    Thank you josh!
    I just got stuck in a session that I could not see the 3 dots (26:20) in my interface, so I failed to extract field from the custom log . Can anyone give me some advice please?

  • @arafathazeem6537
    @arafathazeem6537 2 years ago +1

    I did this on my home lab and I'm curious to do more tweaking on sentinel. Keep up the good work and thanks for sharing this valuable content. It helps security professionals and cloud engineers to break into job market or learn a new tech. You're the best.

    • @JoshMadakor
      @JoshMadakor  2 years ago

      Thanks so much for the kind words! really appreciate it. I will def develop some more content like this in the future :)

  • @AlexHernandez-ml7we
    @AlexHernandez-ml7we 1 year ago +1

    Pretty nice, thanks for sharing. I am not in cybersecurity, but I would love to try this. This is very cool.

  • @melroy16
    @melroy16 1 year ago

    Thank you Josh, it took me an entire day getting this done, but hats off to you. Amazing content, will definitely be getting this on my CV.

    • @crownfelicia6202
      @crownfelicia6202 1 year ago +1

      Oh now I don’t feel bad lol about taking forever I’m so lost

    • @nappy203
      @nappy203 1 year ago

      Hey man. I'd really appreciate it if you could tell me how you extracted the fields from the custom logs. I've been stuck on this since yesterday.

    • @hishamaqueel432
      @hishamaqueel432 1 year ago

      @@nappy203 yea me too

  • @cybertooth-rjgl5889
    @cybertooth-rjgl5889 2 years ago

    Thank You, for making this. Great exposure to azure and its capabilities. Just finished this Project - Cant Wait to add it on the resume.
    Watch your Spelling people! I had an Azure Sentinel query error- only because I called the LAW query a different name!
    I did re train - country 2x - as I Found Belize & Taiwan messing up the posted query Results.

  • @michaelbrown7142
    @michaelbrown7142 2 years ago +1

    Thanks Josh, this helped to understand how we can track cyber attacks.

    • @JoshMadakor
      @JoshMadakor  2 years ago

      For sure!!! Ty for watching :) (also Ty for taking the time to comment!)

  • @melvinesteban8773
    @melvinesteban8773 2 years ago +1

    Thank you so much, Josh for this content. This was a very awesome lab to follow along to. Happy New Year!

  • @urz2ruly
    @urz2ruly 3 months ago

    Thank you for all you do Josh!
    You are amazing!

  • @Vhunter088
    @Vhunter088 2 years ago +2

    Thanks for this lab Josh!!! We need more hands on tutorials like this on UA-cam, for those who are transferring into the field. I'm 90% done and ran into the "summarize' operator:" error. I found no answers that worked, but I've learned so much already. I'm still going to put this on my resume. I just shut down the machine as I saw a success Brute Force attack. This was a very interesting experience, thanks again!

    • @Dxhard
      @Dxhard 2 years ago

      can you please tell me how you added it to your resume ?

    • @Vhunter088
      @Vhunter088 2 years ago

      @@Dxhard Sample resumes with these projects are in the description of this video.
      I just used some of the concepts and added the learning experience I had during the project.

    • @FishHuntGrowBuild
      @FishHuntGrowBuild 2 years ago +1

      I just ran into the same issue. Turns out, I hadn't extracted destinationhost_CF. Once I went back to the analytics and added that extraction field, ran it again in sentinel everything ran smoothly!

  • @Minoru72991
    @Minoru72991 2 years ago +1

    This was really awesome to do and gain experience with, I may be able to implement this with my new position since we're cloud based anyway. But at least knowing how to do this is incredibly valuable, thanks so much Josh!

    • @JoshMadakor
      @JoshMadakor  2 years ago

      Glad you liked the lab! Ty for watching!!

  • @hrishikeshkshirsagar6738
    @hrishikeshkshirsagar6738 2 years ago +2

    Josh Kudos for your efforts.. this is brilliant..

    • @JoshMadakor
      @JoshMadakor  2 years ago

      Thanks so much!! I hope to do another, more updated lab like this!

  • @shuttlecrab
    @shuttlecrab 3 years ago +1

    Great video man, was really fun following along you this. Invaluable stuff, thank you very much

    • @JoshMadakor
      @JoshMadakor  3 years ago +1

      Hey! Glad you enjoyed the lab. This was probably my favorite video to make. Love watching people try to break into stuff, it's hilarious lol

  • @ToGoMania19
    @ToGoMania19 9 months ago

    Thanks!

  • @vpatterson87
    @vpatterson87 1 year ago +2

    Hey everyone, I know I'm a bit late to the party on this project, but I just finished it up today (12/15/2023)! Due to some recent changes in the Microsoft Azure portal, the setup process is slightly different now compared to what you might have seen earlier this year. However, the overall steps are still quite similar. Big thanks to @Josh Madakor for this awesome lesson - I learned a ton!

    • @psychog3520
      @psychog3520 1 year ago

      Hi, how many hours did it take you? Asking to see if I can get the project done using the free credit from Azure.

    • @weavingthevaluess
      @weavingthevaluess 10 months ago

      hey man how did you do the 'Extract Fields' part at 16:20? cant seem to find how to create new fields 😭

  • @AdityaKumar-ei4ch
    @AdityaKumar-ei4ch 1 year ago

    2 minutes into this video and its awesome!
    waiting for new videos Josh!
    Thankyou!!

  • @christianjavier1776
    @christianjavier1776 3 years ago +2

    Love these videos! Thank you! Great way to add this to my list of projects. Unfortunately my company does not have Sentinel in our subscription plan, and this will be some great experience down the line. Thank you

    • @JoshMadakor
      @JoshMadakor  3 years ago

      No problem! Glad you liked it! If you wanna play with it, I would just make a free sub, just make sure to clean it up afterwards so MS doesn't take all of your coins lol.

  • @dummyahh8470
    @dummyahh8470 1 year ago

    Just finished this lab! THX you so much. I am going to put this on my resume. I definitely think this will help since I just got my Sec+

  • @Sadie_Studies
    @Sadie_Studies 2 years ago +1

    Gonna try this out today ! I just spun up two VMs yesterday

    • @JoshMadakor
      @JoshMadakor  2 years ago +2

      Cool! Good luck with it! I know the Azure Portal has changed a bit since I made this video, but there are some comments talking about how to navigate it

  • @japanesecinema6736
    @japanesecinema6736 4 months ago

    I watched the video and I'm gonna tackle the lab soon. Very cool!

  • @DeepFriedFrog516
    @DeepFriedFrog516 2 years ago +1

    Thank you so much for this!! You kept it so simple and straight forward.

  • @r35tmanbash
    @r35tmanbash 2 years ago

    Thank you so much for this training video. I have learned a lot just by watching your tutorial, I am going to create this lab after I watch your tutorial. Thank you once again.

  • @humoful
    @humoful 1 year ago

    Bro awesome content keep making impressions you are helping lots of people

  • @istaahify
    @istaahify 2 years ago

    this channel has been a god send for me!

  • @nickbrutanna9973
    @nickbrutanna9973 1 year ago

    One obvious thing you can do to help you think which machine you are on (your native machine or the VM) is to change the appearance of the VM from your native one -- change the fonts it uses for display, some of the colors, things like that, so it looks radically different from your "normal" machine. Your brain will learn to key in on this info automatically, so it won't attempt to let you do something "in the wrong place".