Edit: Microsoft has changed the Azure portal and other things so much this lab is going to be difficult to follow. I will remake this video later, but a full up-to-date version of this is included on my cyber course below: joshmadakor.tech/cyber

For anyone else having issues finding the Security Center, it's been renamed Microsoft Defender for the Cloud, and Pricing and Settings are now Environment Settings.

Its crazy that these labs don't seem to do as well on your channel but they're arguably the most valuable information on here. Your active directory lab, Security+, and your resume tips got me a job. Keep up the great content!

For anyone who is having trouble with the creating the custom log, azure has updated their selection panes for Log Analytics, tou can create custom logs by selecting Tables > Create> New Custom Log ( MMA-Based).

This was my very first cybersecurity project. Creating the honeypot and seeing the live attacks was so exciting and helpful, as I am in the beginning stages of this journey. Thank you so much!

Josh has taught me more about SIEM in 53 minutes than any prof I've had in college

This video helped me land a job as a Security Analyst. It really impressed them. I appreciate your channel and all you do. I'll be looking out for your other Tutorials for sure.

⭐️⭐️⭐️ UPDATE TO INSTRUCTIONS ⭐️⭐️⭐️ *Microsoft Azure changed the GUI for the portal! See below for Instructions!* 8:38 - When you go to enable Security Center, this is now called "Microsoft Defender for Cloud" 9:07 - For the Data Collection from VMs to the Log Analytics Workspace, this is now done in a different area under "Microsoft Defender for Cloud". See here for complete instructions: docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection#enable-auto-provisioning-of-the-log-analytics-agent-and-extensions-

For anyone else that was having trouble getting the "Store additional raw data - Windows security events" part to work like it does in the video (since the update), go to 'Microsoft Defender for Cloud', select the specific resource under your subscription, in my case 'law-honeypot', 'Enable all Microsoft Defender for Cloud Plans', uncheck 'SQL servers on machines' like Josh did, click Save, go to 'Data Collection' on the left side, select 'All Events', click Save and you should be good to go now. It took me a minute to figure this out, hope this helps someone else!

For those that need to find "custom log" tab , it is now "Tables" and then click create sample log!

Actually good non-clickbait and career-oriented content. Pure gold channel

I know these labs probably don't get you the most views like other videos, but this stuff is very valuable. Thanks!

Just finished entire video. Excellent content and delivery. Appreciate the tech deep dive and the best practice too from grc perspective on mfa for all and not using default username/pass. Cheers

Thank you Mr. Madakor. Having this on the resume really impressed my interviewers and I was able to finally land a job in the field. I greatly appreciate you for sharing this walk-through.

As soon as I ran the script I was getting bombarded with login attempts from China, Russia, Belize, and more. Super interesting. Thanks Josh, I'm really excited to add this to my portfolio.

I am out of words to thank you! Im almost done with my cybersecurity bootcamp and this video is PRICELESS!!! if I find a SOC analyst job, its going to be because of you!! thank you sooooo much!!!!

At 21:44 for those who can't find custom logs under settings tabs >> Go to Tables >> Create >> New Custom log (MMA - Based)

For anyone having issues launching the VM using Azure: I live on the East Coast, so naturally I was basing my VM out of the auto-selected East Coast server. I could never create the VM, it was just perpetually loading. I talked to support and they said that they're having capacity issues in the US East Coast specifically. I changed it to an Australian server and it worked just fine.

26:20 Azure does not have the three dots with an action option anymore. Instead, just right-click on the log you want and there's an extract fields option.

You weren’t lying when you said 1k API requests weren’t a lot to work with. Woke up this morning to the API tapped out because some Chad in Ukraine tried to brute force the VM. I also installed sysmon on the VM. So I’m working on getting those events imported to sentinel as well. Great video. Very valuable.

Josh, you are amazing man... im realizing how much initiative and knowledge it takes to bless the field like this, walking us through important maps of the CyberSecurity and IT field so casually and comprehensively truly an inspiration.

For anyone having trouble with the data extraction and map, plot paste this script in your workbook (where you plot the map) : FAILED_RDP_WITH_GEO_CL | extend username = extract(@"username:([^,]+)", 1, RawData), timestamp = extract(@"timestamp:([^,]+)", 1, RawData), latitude = extract(@"latitude:([^,]+)", 1, RawData), longitude = extract(@"longitude:([^,]+)", 1, RawData), sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData), state = extract(@"state:([^,]+)", 1, RawData), label = extract(@"label:([^,]+)", 1, RawData), destination = extract(@"destinationhost:([^,]+)", 1, RawData), country = extract(@"country:([^,]+)", 1, RawData) | where destination != "samplehost" | where sourcehost != "" | summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country This is just a combination of @MIAMIHACKER and Josh Madakor's queries so shout out to the both of you!

im think youre the only creator i came accross that aint gate keeping informations like this. I appreciate what youre doing. you have my support good sir!

Hey Josh -- I'm trying to break into cyber security (just passed my Security+!) and your videos have been a HUGE help. Thank you for all you do! This video in particular made for a really fun and rewarding project -- I put my SIEM together today following your instructions and it's awesome seeing it all come together. Thanks again, and stay well!

I highly recommend this for every Microsoft Shop. this can land you a job fairly quickly easy.

Thank you so much for this Lab Josh, it was a pleasure to follow through with you, and I have learned a lot. A quick note for anyone who made the mistake I did. When its time to create the custom log at minute 25:00 I made the mistake of having two lines of code so it was 1 FAILED_RDP_WITH_GEO_CL 2 | this will give you an error code so delete line 2 and it should run perfectly, took me over an hour to figure out why I kept getting the error. I Also re-ran the powershell script just in case.

I am gonna work on this project today before I apply for any more jobs and I'll keep you posted! Thank you for the videos! Seems VERY valuable information and it is exactly what's missing on my resume-actual hands-on projects. I can't thank you enough!

Just popped in my feed. Great video and look fwd to checking out your other vids. I make similar content on KZbin and will be “borrowing” the idea of throwing up the resume bullet the person gets after executing the lab. Brilliant idea!

@Josh Madakor Thank you immensely for offering this incredible hands-on lab experience. I've learned the entire setup cycle from the basics in the simplest way possible. Hats off to you, and I'm eagerly looking forward to continuing my learning journey with you.

When setting up the labels and extracting the raw data I had to do it in Microsoft Sentinel, then to custom logs. I would run the failed_rdp query and then would be able to check mark on the left of all the data. from there i would right click and it would let me extract and there I could do the custom fields! I hope this helps What an amazing lab. This blew my mind as I started to get people trying to log in within 10 minutes of running the powershell code! Thank you so much!

Thank you Mr Josh I am now a real cyber security graduate with your videos. A million Thanks.

WOW!! This is a goal mine!! Awesome job, I just set mine up took about 2-3 hours but its up and running! Great skill to learn. Looking forward doing your other labs!! Thank you!

Thank you so much Josh Madakor for this video, i was able to set mine in space of two hours. I will definitely use it on my resume.

Great Content Josh. Even though I am late to the party and Azure has been through multiple updates so the steps get out of wack in some instances, your community has come through like champs and I was able to finish this project. It was cool running through some roadblocks and trying to figure out how to get it to work and actually being able to implement some of the fixes provided. Hell of a first project.

Just finished the lab and really enjoyed it. I’d say it took about 3-4 hours including some troubleshooting as things have changed since the video was made. Hopefully to save people time Azure Defender is now Microsoft Defender. I enabled Foundation CSPM and Servers which then allowed me to enable ALL ENTRIES Data Collection. Custom Logs is now called Tables and you will want to Create New and use MMA-Based. Lastly I started to get a “Invoke-WebRequest : The remote server returned an error: (429) Too Many Request.” in my Powershell output. I assume this means I went over my 1000 queries. I stopped the script and will enable again tomorrow to see if it works. Overall great lab, just a few things have moved or changed since 2021! Thank you Josh!

I'm glad I found this channel. The explanations are very straight forward and clear.

I just finished this lab and it was very detailed and easy to follow. I got everything set up except for one issue: When copying and pasting the Sentinel Map Query as is, it would say the query had no output. I had to delete this line "| where sourcehost_CF != "" " and then I was able to continue along and finish it all up.

Phewwwww, I managed to get get the lab done. I just finished the lab and have to leave it running and come back tomorrow as I already hit my 1000 limit with the ipgeolocation. Josh, thanks a lot.

Hi Josh, thanks for doing this. I'm so excited to try this now. I am just transitioning into this cybersecurity space with no previous IT experience and I must say your videos have been really helpful.

First Cybersec project I've done and wow how intersting was that. Thank you so much for the video Josh, hope to see more from you in the future, much appriciated.

Azure portal just loves being difficult. I have to use it at work so I thought this would be a quick lab (since I'm familiar) but NOPE. Thanks for the labs as always, Josh!

Man I love the labs that you put out! Super helpful especially for us trying to break into the industry

custom logs as a setting in Log Analytics workspaces go to the Log Analytics workspace that you want to add the custom logs to. In the left navigation pane, select Tables. In the Tables blade, select New custom log (MMA-based). In the New custom log blade, enter the following information: Log name: The name of the custom log. Description: A description of the custom log. Source: The source of the custom log. This can be a specific Azure resource, such as a virtual machine, or a generic source, such as all Azure resources. Query: The query that will be used to extract data from the custom log. Select Create. Once you have created the custom log, it will be available in the Tables blade. You can then use the Query editor to query the custom log and view the data.

Thank you Josh, for your invaluable assistance! I'm delighted to inform you that I've successfully completed this project and have incorporated it into my resume. The experience garnered from this endeavor has been immensely enriching and educational, contributing significantly to my professional growth. I am deeply grateful for your guidance and support throughout this process. Once again, thank you for the invaluable learning opportunity. ☺

Just completed this lab - set it up 3 days ago, got caught up and didn't get to finish till today. Had an absolute unit from the Netherlands log over 14k logon attempts. Next up is to configure a lockout policy lol. Incredible lab and a lot of the comments in here helped me navigate the changes. Can't say thank you enough, Josh!

Thank you for all you do Josh! You are amazing!

Hey Josh, great tutorial but it seems hard to cintue after 23.:30 as azure seems to have changed. There is no location in the Security Event Display for me to view the raw data containing Longitude and Latitude and finish the project

your channel is GOLDEN josh.... Im really glad you started youtube and was lucky to have found you bro!!!!!!

@JoshMadakor The option to extract data and create custom fields has been removed by Microsoft and replaced with "Data Collection Transformations", rendering this project extremely difficult to continue with if one is not familiar with Microsoft Azure. If you can somehow update this video, I think that would be a huge help! Thank you for all of your hard work!

You’re the best Josh. These videos have really helped me in my WGU journey. Six months ago I left healthcare and got my first tech support job, and now I’m transitioning to another one with even more pay and a better commute. I still haven’t cracked into cyber security yet, but I’m networking with my security analyst and SOC analyst friends to make inroads. These labs will certainly make my resume standout too! Hey, maybe when I get my first info sec job by this time next year you can interview me too! Only half kidding about that 😂

Josh pinned the comment for the Security Center/Data Collection, but here's full instructions so y'all don't have to suffer like I did. > Watch Josh's awesome video until 8:38 (VM and LAW are set up) and then go to "Microsoft Defender for Cloud" > Find and click on "Environment Settings" in lefthand toolbar > Find and click on the dropdown arrow immediately next to your Azure subscription to reveal the NAME of your workspace (this is a critical detail that cost me a lot of time and pain, also bear in mind everything has to be deployed in order for this step to work) > Click on the workspace name to open its settings > In settings, disable "SQL servers on machines" > In settings, enable "Servers" > click the save button in the top left next to the search bar > click on "Data Collection" in the lefthand toolbar > Select "All Events" and save by clicking on the "Save" button > jump back to Josh's awesome video and connect the VM to your LAW > ... > profit ALSO bear in mind that there is regional weirdness with Sentinel. For whatever reason, I could not add Sentinel to a US West 3 workspace even though the documentation said it Sentinel was "non-regional"...anyway, I used US East and it worked like a charm. Good luck lads and lasses, and thanks again Josh for the amazing content! :)

Josh I really want to thank you for making these videos. They're easy to follow and seriously helping me beef up my resume. Keep it up!

First of all, thank you so much for this video Josh Madakor. I started to study IT for almost a year now and I know nothing before, Cloud compute still a strange thing for me but this lab was so amazing experience. 2nd for those who confuse about how to extract Rawdata to split table in Log Analytic, you can input: failed_rdp_withGEO_CL #as in video | extend CSVFields = split(RawData, ',') #this line use to split output after comma into seperate value with "" and create new column | extend timestamp_CF = todatetime(CSVFields[8]) #choose value 9th in " " | extend label_CF = tostring(CSVFields[7]) | extend country_CF = tostring(CSVFields[6]) | extend state_CF = tostring(CSVFields[5]) | extend source_CF = tostring(CSVFields[4]) | extend user_CF = tostring(CSVFields[3]) | extend dest_CF = tostring(CSVFields[2]) | extend longitude_CF = tostring(CSVFields[1]) | extend latitude_CF = tostring(CSVFields[0]) | summarize event_count=count() by source_CF, tostring(latitude_CF), tostring(longitude_CF), country_CF, label_CF, dest_CF then go to Josh's script and delete other before ':' such as timestamp: or source: .The purpose is to show only data we want without explaination and ':' before value. You can find this line near the end of script It will show clear table with clear data and then continue with Azure Sentinel as video. Thank you

I just finished this video!! I can't Thank you enough!!! Thanks for sharing a such valuable information... You are helping and inspiring new cybersecurity students to get the experience we need! THANNK YOU!!!

PEOPLE IN 2024: Microsoft has CHANGED MANY FEATURES in Azure that are used in this video. For the query, ignore the part about extracting to custom fields and instead put in this KQL: FAILED_LOG_GEO_LC_CL |extend username = extract(@"username:([^,]+)", 1, RawData), timestamp = extract(@"timestamp:([^,]+)", 1, RawData), latitude = extract(@"latitude:([^,]+)", 1, RawData), longitude = extract(@"longitude:([^,]+)", 1, RawData), sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData), state = extract(@"state:([^,]+)", 1, RawData), label = extract(@"label:([^,]+)", 1, RawData), destination = extract(@"destinationhost:([^,]+)", 1, RawData), country = extract(@"country:([^,]+)", 1, RawData) |where destination != "samplehost" |where sourcehost != "" |summarize event_count=count() by timestamp, label, country, state, sourcehost, username, destination, longitude, latitude medium.com/@michaellopezcs17/how-to-create-a-siem-microsoft-sentinel-2024-46ab6c7cfb8c

Took me close to 5 hours but its up and running. Looking forward to more projects.

ive been looking into setting up sentinel lol i think itll be a major player one day seeing as alot of environments use O365 and Azure

This was super interesting, im working on a research assignment for SIEMs and now I really want to try this lab! All your videos have been really informative and interesting thank you!

Great video, thank you for helping me fill some experience on my resume!

@joshMadakor Microsoft has changed the Custom fields option , so right clicking on the result from a query does not show the extract fields option, any ideas to extract the raw data columns to get longitude , latitude etc would be appreciated

Glad I stumbled across this! I work in the Microsoft space (MSFT partner) and we're slowing moving away from just a UC shop to encompass the entire M365 suite (and eventually Azure security), so this is extremely helpful! Hope you continue to do more content like this!

This was a very interesting sim. I will remember to recommend it to those looking to get into cyber security. Are there other projects that you can create for experience?

I watched the video and I'm gonna tackle the lab soon. Very cool!

Hello Josh, thank you so much for taking the time to make videos like these. I plan to do a few of your projects to beef up my resume. But when doing this one, I keep getitng the error saying that I can't connect to the VM with an RDP. I've run all the necessary tests and it should be up and running, but something is keeping me from connecting. I have even tried it with my firewall completely turned off and still nothing. Getting error code 0x204. I even bought Pro just for this and it still isn't working :/

Man these labs really need attention from the cybersecurity audience.

Pretty nice, thanks for sharing, I am not a cybersecurity, but l would love to try this. This is vey cool.

Hey Josh. When creating the custom log, the Log Analytics Workspace keeps throwing the error, "Query could not be parsed at '' on line [3,0] Token: Line: 3 Position: 0" when I try to run the custom log. It throws the same error for all commands including the Security event. Any ideas? Edit: I had to run the logs from Sentinel and not the LAW. Talked to the support team and it was a weird bug. Everything else went great. Thanks so much for the help. I am going to school in the fall for cybersecurity at a local college. You have inspired me! Looking forward to the next video!

Thank you so much for this video. I cannot stress enough how much you have done for my professionalism and resume. You are the man!!!

Dump question but how do we make sure that nobody actually get to log on into the machine by brute forcing the password/exploiting other weaknesses ?

Hey everyone, I know I'm a bit late to the party on this project, but I just finished it up today (12/15/2023)! Due to some recent changes in the Microsoft Azure portal, the setup process is slightly different now compared to what you might have seen earlier this year. However, the overall steps are still quite similar. Big thanks to @Josh Madakor for this awesome lesson - I learned a ton!

The three dots next to the logs aren't there anymore and you don't have to expand the field just right click the title of log to extract

Further to my comment below a couple minutes ago, During the first try of setting up custom log, I was able to ingest the logs in log analytics. I could see the output to the query "Failed_RDP_Log_Geo_CL" but then trying to extract the fields from it never worked. So, I tried creating the new custom log (DCR-based) but this was way too difficult for me.... Anyhoo, appreciate all the help you have been providing. Cheers Josh

How the hell do we 'extract fields' ??? I'm stuck smh

Appreciate the video. Great and clear information. Really enjoyed getting some exposure to Azure Sentinel as well as a data from active attacks.

2 minutes into this video and its awesome! waiting for new videos Josh! Thankyou!!

Half way through and it's a great tutorial. I tried geolocating my IP address on the website you recommended and it said Birmingham UK when I live in London UK. There are other websites that came within a couple miles though!

Great video Josh! This was a lot of fun to set up. Love how well you explain everything

One obvious thing you can do to help you think which machine you are on (your native machine or the VM) is to change the appearance of the VM from your native one -- change the fonts it uses for display, some of the colors, things like that, so it looks radically different from your "normal" machine. Your brain will learn to key in on this info automatically, so it won't attempt to let you do something "in the wrong place".

Bro this is so much fun, I've got two from Iran a few hundred from the netherlands and even a few from my own country UK :) this was a really great video thank you

Great video!

Great video! I just finished this project last night and it was a fun awesome experience. You did a great job instructing us through and explaining each step. I’m going to make write my first blog post, thank you for all you do and your videos!

Gonna try this out today ! I just spun up two VMs yesterday

Thanks Josh, this helped to understand how we can track cyber attacks.

Josh Kudos for your efforts.. this is brilliant..

Great content. Thanks again for this tutorial with this parctice lab. This was a well worth 52:44 time.

Great video man, was really fun following along you this. Invaluable stuff, thank you very much

Thanks for the excellent video man. I had some trouble with setting up Azure Defender as the process you explained changed literally in the short timeframe in which you uploaded this video. I stayed with it thou and eventually found the section to enable it for my test vm and was able to follow all of the other steps with no problems. Currently studying the SSCP and just listened to a DarkNet diary per your recommendation in another one of your videos. So glad YT recommended you man, keep doing your thing.

Great content. Your channel will blow up in 2 years 100% guaranteed.

this channel has been a god send for me!

Thank you so much, Josh for this content. This was a very awesome lab to follow along to. Happy New Year!

Bro awesome content keep making impressions you are helping lots of people

In love with this channel

Thank you so much for this!! You kept it so simple and straight forward.

for anyone having troubles with security center type data collection rules in azure search bar then click create and set your window event logs ingestions rules right there also for custom logs to be ingested you have to create another DCR with a data collection endpoint with a path pointing to the failed_rdp.log . To make it simple monitor section is the new security center in Azure. Lastly make sure you rdp into your windows vm and run the log exporter powershell script if you're not getting the failed_rdp_with_geo log populated in azure

I did this on my home lab and I'm curious to do more tweaking on sentinel. Keep up the good work and thanks for sharing this valuable content. It helps security professionals and cloud engineers to break into job market or learn a new tech. You're the best.

Thanks a lot… this is on my resume, LinkedIn and I will do a video recap. Appreciate it

Hi Josh, you make me wish to do Cyber security. Keep up with the good work.

Hey josh, please create more videos like this. This is really helpful.

Thank you Josh , Took me an entire day getting this done , but hats off to you . Amazing content , will definitely be getting this on my Cv .

Just finished this lab! THX you so much. I am going to put this on my resume. I definitely think this will help since i just got my sec+