SOCFortress
Jul 3, 2022


If you use Sysmon, modify the script and make the AbuseIPDB call when the conditions apply (RDP connections):

(metadata = win.eventdata.sourceIp, and triggered by = public IP address)

If you don't use Sysmon, find the Windows Security events related to authentications (non-local) and apply the same logic to the metadata that includes the remote IP.
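The logic in the reply above, written out as an added example (this is not SOCFortress's integration script, nor Wazuh or AbuseIPDB code). It takes a Wazuh-style alert, pulls the remote IP either from a Sysmon event 3 inbound RDP connection (win.eventdata.sourceIp) or from a Security 4624 logon with a non-local logon type (win.eventdata.ipAddress), and only when that address is public builds the AbuseIPDB lookup. Assumptions not in the original comment: Wazuh's eventchannel field names (data.win.system.eventID, data.win.system.channel, the camelCase eventdata keys), event IDs 3 and 4624 as the sources, AbuseIPDB's documented GET /api/v2/check endpoint with the API key in a Key header, and the sample alerts, which are constructed rather than real logs.

```python
"""Added example (not SOCFortress's script or Wazuh/AbuseIPDB code).

Decide whether a Wazuh alert with Windows event data should trigger an
AbuseIPDB lookup, and build that lookup. Assumed field names follow Wazuh's
eventchannel decoder (data.win.system.*, data.win.eventdata.*); sample alerts
below are constructed.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

ABUSEIPDB_CHECK_URL = "https://api.abuseipdb.com/api/v2/check"
RDP_PORT = "3389"
# 4624 logon types with a remote peer: 3 = network, 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {"3", "10"}


def remote_ip_from_alert(alert):
    """Return the remote IP the event is about, or None if it is not a remote connection/logon."""
    win = alert.get("data", {}).get("win", {})
    channel = win.get("system", {}).get("channel", "")
    event_id = str(win.get("system", {}).get("eventID", ""))
    ev = win.get("eventdata", {})
    if channel.startswith("Microsoft-Windows-Sysmon") and event_id == "3":
        # Inbound RDP: connection not initiated by this host, aimed at local port 3389.
        if ev.get("initiated") == "false" and ev.get("destinationPort") == RDP_PORT:
            return ev.get("sourceIp")
        return None
    if channel == "Security" and event_id == "4624" and ev.get("logonType") in REMOTE_LOGON_TYPES:
        return ev.get("ipAddress")
    return None


def is_public_ip(value):
    """True only for globally routable addresses.

    Rejects '-', loopback, RFC 1918, link-local and the RFC 5737 documentation
    ranges (192.0.2.0/24 etc.), which the ipaddress module treats as non-global.
    """
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def ip_to_query(alert):
    """The IP that should go to AbuseIPDB for this alert, or None if nothing should be sent."""
    ip = remote_ip_from_alert(alert)
    return ip if ip is not None and is_public_ip(ip) else None


def build_abuseipdb_request(ip, api_key, max_age_days=90):
    """Build (but do not send) the GET request for AbuseIPDB /api/v2/check."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    return urllib.request.Request(
        f"{ABUSEIPDB_CHECK_URL}?{query}",
        headers={"Key": api_key, "Accept": "application/json"},
    )


def abuse_score(response_body):
    """Extract abuseConfidenceScore (0-100) from a /check response body (bytes or str)."""
    return int(json.loads(response_body)["data"]["abuseConfidenceScore"])


def check_ip(ip, api_key, opener=urllib.request.urlopen):
    """Send the lookup; 'opener' is injectable so the network call can be stubbed offline."""
    with opener(build_abuseipdb_request(ip, api_key)) as resp:
        return abuse_score(resp.read())


# Constructed sample alerts (not real logs). 8.8.8.8 stands in for an arbitrary public address.
SAMPLE_ALERTS = {
    "sysmon_rdp_public": {"data": {"win": {
        "system": {"channel": "Microsoft-Windows-Sysmon/Operational", "eventID": "3"},
        "eventdata": {"initiated": "false", "destinationPort": "3389", "sourceIp": "8.8.8.8"}}}},
    "sysmon_rdp_private": {"data": {"win": {
        "system": {"channel": "Microsoft-Windows-Sysmon/Operational", "eventID": "3"},
        "eventdata": {"initiated": "false", "destinationPort": "3389", "sourceIp": "10.0.0.5"}}}},
    "security_4624_rdp": {"data": {"win": {
        "system": {"channel": "Security", "eventID": "4624"},
        "eventdata": {"logonType": "10", "ipAddress": "8.8.8.8"}}}},
    "security_4624_local": {"data": {"win": {
        "system": {"channel": "Security", "eventID": "4624"},
        "eventdata": {"logonType": "2", "ipAddress": "-"}}}},
}

if __name__ == "__main__":
    for name, alert in SAMPLE_ALERTS.items():
        print(name, "->", ip_to_query(alert))
```

The public-address check is the part worth getting right: Windows writes `-` or `::1` for local logons, and the RFC 1918 and documentation ranges should never be sent to a third-party reputation service, both to save API quota and to avoid leaking internal addressing. `check_ip` takes an injectable opener so the enrichment can be unit-tested without a key or network access.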


Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
