Can you analyze logs from an attempted RDP bruteforce attack? One of our system administrators identified a large number of Audit Failure events in the Windows Security Event log. There are a number of different ways to approach the analysis of these logs! Consider the suggested tools, but there are many others out there!
https://blueteamlabs.online/home/challenge/bruteforce-16629bf9a2

To begin, I unzipped the file and found three versions of the logs: a .txt, .evtx, and .csv file. These contain the same data in different formats. While the .evtx file can be viewed using the Windows Event Viewer, I chose to analyze the logs using the Linux command line.


First, I used cat to inspect the structure of the log and identify useful keywords that I could then search for with grep.
Once I confirmed that "Audit Failure" appeared consistently in relevant entries, I used the following command to count them:
grep -i -c "Audit Failure" filename.txt
-i makes the search case-insensitive
-c counts the number of matches
For the rest of the questions, I looked at what each one asked for and used grep to pull out the matching entries.
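As an added example (not part of the original writeup or the challenge files), the same grep-based triage run against a constructed sample of a Windows Security log exported as text, one event per line: it counts the Audit Failure events, finds the source address behind most of them, lists the usernames that address tried, and checks whether that address ever logged on successfully. The log format, account names and addresses are invented for the example.

```shell
#!/bin/sh
# Added example (not from the challenge files): the grep-based triage from the
# writeup, run against a constructed sample of a Windows Security log exported
# as text, one event per line. Event ID 4625 is a failed logon; Logon Type 10
# is RemoteInteractive (RDP). Addresses are RFC 5737 documentation ranges.
LOG="${TMPDIR:-/tmp}/rdp_bruteforce_sample.txt"
cat > "$LOG" <<'EOF'
Audit Success 2019-03-05 15:30:01 4624 Account Name: svc_backup Logon Type: 5 Source Network Address: -
Audit Failure 2019-03-05 15:36:16 4625 Account Name: administrator Logon Type: 10 Source Network Address: 203.0.113.45
Audit Failure 2019-03-05 15:36:17 4625 Account Name: administrator Logon Type: 10 Source Network Address: 203.0.113.45
Audit Failure 2019-03-05 15:36:18 4625 Account Name: admin Logon Type: 10 Source Network Address: 203.0.113.45
Audit Failure 2019-03-05 15:36:19 4625 Account Name: user Logon Type: 10 Source Network Address: 203.0.113.45
Audit Failure 2019-03-05 15:40:02 4625 Account Name: jsmith Logon Type: 10 Source Network Address: 198.51.100.7
Audit Success 2019-03-05 15:41:10 4624 Account Name: administrator Logon Type: 10 Source Network Address: 203.0.113.45
EOF

# Same count the writeup performs: total Audit Failure events.
count_failures() {
    grep -i -c "Audit Failure" "$LOG"
}

# Source address with the most failed logons, printed as "count ip".
top_failure_source() {
    grep -i "Audit Failure" "$LOG" \
        | grep -oE "Source Network Address: [0-9.]+" | awk '{print $4}' \
        | sort | uniq -c | sort -rn | head -n 1 | awk '{print $1, $2}'
}

# Distinct account names attempted from one address (sorted, space-separated),
# which shows whether the source was spraying usernames.
accounts_tried_from() {
    grep -i "Audit Failure" "$LOG" | grep "Source Network Address: $1" \
        | grep -oE "Account Name: [^[:space:]]+" | awk '{print $3}' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Accounts that logged on successfully from the same address: a success after
# a burst of failures is the indicator that the brute force worked.
successes_from() {
    grep -i "Audit Success" "$LOG" | grep "Source Network Address: $1" \
        | grep -oE "Account Name: [^[:space:]]+" | awk '{print $3}'
}

echo "Audit Failure events: $(count_failures)"
echo "Top source (count ip): $(top_failure_source)"
echo "Accounts tried from 203.0.113.45: $(accounts_tried_from 203.0.113.45)"
echo "Successful logons from 203.0.113.45: $(successes_from 203.0.113.45)"
```

On a real export the field labels are the same ("Account Name:", "Source Network Address:") but 4625 events span several lines, so the per-event grouping would need awk or a tool that understands the .evtx/.csv structure rather than a line-oriented grep.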