HoneyPot and SIEM through Azure

This was a fun project I just finished (HoneyPot and SIEM). I started by setting up an Azure subscription through my student access, providing me with access to tools like Tenable and Defender for Endpoint. Once I could access the Azure portal, I created a Windows 10 virtual machine to serve as a HoneyPot. I adjusted the network settings to allow ALL inbound traffic and turned off the Windows Firewall to ensure it was fully exposed. After that, I simulated a few failed login attempts using a fake username like “employee,” then logged into the VM and checked the Event Viewer to confirm those attempts were recorded (Event ID 4625). Next, to centralize and monitor the logs, I created a Log Analytics Workspace and connected it to Microsoft Sentinel. I set up the connectors and data collection rules, then verified that logs were flowing in. From there, I was able to query the data both in the workspace and directly through Sentinel via a heat map to see where my attackers were coming from and their IP addresses. In one hour of running my virtual machine, I had about 500 hits. Here's a step-by-step guide on how you can achieve this as well.

PROJECT

3/22/2025

Part 1: Setup Azure Subscription

  • Create an Azure Account: Sign up for a Free Azure Subscription.

  • Alternative Options:

    • If the free tier is unavailable, use a paid subscription but manage your resources responsibly.

    • Alternatively, join the Cyber Range for a flat fee that includes Azure access and additional cybersecurity resources (Tenable, Defender for Endpoint, courses, labs, etc.).

  • Access the Portal: Once setup is complete, access Azure at portal.azure.com.

Part 2: Create the Honeypot (Azure Virtual Machine)

  • Create a VM:

    • Use the Azure Portal to create a Windows 10 Virtual Machine.

    • Choose a cost-appropriate size (Cyber Range users will have limits).

  • Security Settings:

    • Go to the Network Security Group and allow all inbound traffic.

    • Log into the VM and disable the Windows Firewall (wf.msc → Properties → Turn off all profiles).
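The two exposure steps above, scripted. This is an added example (not the walkthrough's own code) and assumes a resource group named rg-honeypot and an NSG named honeypot-vm-nsg attached to the VM's NIC; change both to match your deployment. The first half runs on your workstation with the Az module, the second half inside the VM in an elevated prompt and is the equivalent of wf.msc → Properties → Off. Keep the honeypot in its own resource group and virtual network with nothing else in it, and use a throwaway admin password: an allow-all inbound rule at priority 100 beats every default rule and the box will be compromised.

```powershell
# Added example: open the honeypot's NSG to all inbound traffic with Az PowerShell,
# then disable the Windows Firewall from inside the VM.
# Assumed names: resource group 'rg-honeypot', NSG 'honeypot-vm-nsg'.
# Requires: Install-Module Az ; Connect-AzAccount

# --- Run from your workstation ---
$rg      = 'rg-honeypot'       # assumed resource group
$nsgName = 'honeypot-vm-nsg'   # assumed NSG attached to the VM's NIC

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Priority 100 wins over the default DenyAllInBound (65500) and any portal-created
# RDP rule; '*' on protocol, ports and prefixes means literally everything.
$nsg = $nsg |
    Add-AzNetworkSecurityRuleConfig -Name 'DANGER-AllowAnyCustomAnyInbound' `
        -Description 'Honeypot: intentionally accept all inbound traffic' `
        -Access Allow -Protocol '*' -Direction Inbound -Priority 100 `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' |
    Set-AzNetworkSecurityGroup

# Verify: the new rule should be the first inbound rule listed.
$nsg.SecurityRules |
    Where-Object Direction -eq 'Inbound' |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange

# --- Run inside the VM (elevated PowerShell) ---
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False
Get-NetFirewallProfile | Select-Object Name, Enabled   # all three should read False
```

If the portal's VM wizard created a default RDP rule, it stays in place and is harmless next to the allow-all rule; the verification listing shows you exactly which rule takes effect first.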

Part 3: Login Attempts & Event Logs

  • Simulate Attacks: Attempt 3 failed logins using a dummy username like "employee".

  • Inspect Logs:

    • Log into the VM.

    • Open Event Viewer → Windows Logs → Security.

    • Look for Event ID 4625 showing the failed login attempts.
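The same steps from an elevated PowerShell prompt on the VM, as an added example that is not part of the original walkthrough. It generates three failed logons for the dummy account "employee" (the account does not need to exist; a bad password on a nonexistent user still produces a 4625) and then reads the matching events back with the fields you will later query in Sentinel. Reading the Security log requires administrator rights.

```powershell
# Added example: produce failed logons for a dummy user, then inspect the 4625s.
# Run as administrator on the honeypot VM.

$dummyUser   = 'employee'   # dummy account from the walkthrough; need not exist
$badPassword = ConvertTo-SecureString 'not-the-password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($dummyUser, $badPassword)

# Each Start-Process with bad credentials fails the logon and writes one 4625.
foreach ($i in 1..3) {
    try {
        Start-Process -FilePath 'cmd.exe' -Credential $cred -ErrorAction Stop
    } catch {
        Write-Host "Attempt $i failed as expected: $($_.Exception.Message)"
    }
}

# Pull 4625s from the last 10 minutes and flatten the EventData fields we care about.
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']       # 2 interactive, 3 network, 10 RDP
            SourceIP    = $data['IpAddress']       # local tests show '-' or '::1'; real attackers show a public IP
            Status      = $data['Status']          # 0xC000006D = unknown user name or bad password
            SubStatus   = $data['SubStatus']       # 0xC0000064 = user does not exist, 0xC000006A = wrong password
            Workstation = $data['WorkstationName']
        }
    } |
    Format-Table -AutoSize
```

Once the VM has been exposed for a while, the same listing fills with entries whose SourceIP is a public address and whose Account is whatever the scanner guessed (administrator, admin, user, and so on); the SubStatus column tells you whether they were guessing passwords for real accounts or just spraying names.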

Part 4: Log Forwarding & KQL (Kusto Query Language)

  • Create Logging Infrastructure:

    • Set up a Log Analytics Workspace (LAW).

    • Deploy Microsoft Sentinel and connect it to the LAW.

  • Data Collection Configuration:

    • Use the “Windows Security Events via AMA” connector.

    • Create a Data Collection Rule (DCR) that targets the honeypot VM and collects the Security log. Applying the DCR installs the AzureMonitorWindowsAgent extension on the VM; watch the VM's Extensions + applications blade until it shows up, since no events reach the workspace before it does.

  • Log Queries:

    • Query logs from the Log Analytics Workspace.

    • Use Microsoft Sentinel as a SIEM to perform direct log analysis.
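The failed-logon queries, run against the workspace from PowerShell. This is an added example, not the walkthrough's own code; it assumes the Az.Accounts and Az.OperationalInsights modules, a placeholder workspace ID you replace with the "Workspace ID" GUID from the Log Analytics Workspace overview, and that the "Windows Security Events via AMA" connector is already delivering rows to the SecurityEvent table. The KQL in the here-strings pastes unchanged into Logs in the workspace or into Sentinel's query editor.

```powershell
# Added example: query 4625s in the Log Analytics Workspace with KQL from PowerShell.
# Requires: Install-Module Az.Accounts, Az.OperationalInsights ; Connect-AzAccount

Connect-AzAccount | Out-Null
$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumed placeholder: LAW "Workspace ID"

# 1. Failed logons in the last hour, ranked by attacking IP.
#    Local test attempts (IpAddress '-', '::1', '127.0.0.1') are excluded.
$kqlByIp = @'
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| where IpAddress !in ("-", "::1", "127.0.0.1")
| summarize Attempts  = count(),
            Accounts  = make_set(TargetUserName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by IpAddress
| order by Attempts desc
'@

$byIp = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kqlByIp
$byIp.Results | Format-Table IpAddress, Attempts, FirstSeen, LastSeen, Accounts -AutoSize

# 2. Usernames attackers guess most often; the dummy "employee" attempts appear here too.
$kqlByAccount = @'
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == 4625
| summarize Attempts = count(), Sources = dcount(IpAddress) by TargetUserName
| order by Attempts desc
| take 20
'@

$byAccount = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kqlByAccount
$byAccount.Results | Format-Table -AutoSize
```

If the first query returns nothing while the VM's own Event Viewer shows 4625s, check the DCR and the AzureMonitorWindowsAgent extension before suspecting the query; ingestion typically lags a few minutes. The map visualization in Sentinel additionally needs latitude and longitude for each IpAddress, which means joining these results against a GeoIP source; that enrichment is outside what the steps above set up.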