This project of mapping honeypot attacks with Azure Sentinel SIEM follows the process explained by Josh Madakor in his video demonstration. All screenshots are my own.
Step 1 – Create a Microsoft Azure Subscription
I will not elaborate on this step as minimum knowledge of Microsoft Azure is expected to create this honeypot project.
Step 2 – Create an Azure Virtual Machine
The specs on the virtual machine you create are up to you to decide. I will list the specs I used for my honeypot VM (virtual machine).
- Image: Windows 10 Pro, version 20H2 – Gen2
- Size: Standard_D2s_v3 – 2vcpus, 8 GiB memory
- Inbound Port: RDP (3389)
- OS Disk Type: Standard SSD
- NIC Network Security Group: Advanced (make a new security group)
  - In the new security group, remove the existing default inbound and outbound rules.
  - Create a new inbound security rule with the following settings:
    - Source: Any
    - Source port ranges: *
    - Destination: Any
    - Service: Custom
    - Destination port ranges: *
    - Protocol: Any
    - Action: Allow
    - Priority: 100
    - Name: ALLOW_ALL
Step 3 – Creating the Log Analytics Workspace
Create a new Log Analytics Workspace so that Azure Sentinel can connect to the log data and then map it.
Use the same resource group when creating a new workspace.
Step 4 – Microsoft Defender for Cloud Configuration
Go to the Microsoft Defender and install the agent on your subscription if this is your first time using the service.
Once the agent has been installed, go to the Environment Settings option in the left menu and select your subscription.
Then select the box that says Enable all Microsoft Defender for Cloud plans.
Now click the Data collection menu option and select the radio button for All Events and save the settings.
Step 5 – Connect the Log Analytics Workspace to the Virtual Machine
At this point, the Log Analytics Workspace should be instantiated so now you can connect it to your Virtual Machine which was provisioned earlier.
Go to the Workspace and look for the menu option that says Virtual machines. In that subsection, you can click on your honeypot machine and then connect it to the workspace.
Step 6 – Configuring Microsoft Sentinel
You may need to add this Microsoft Sentinel plan to your subscription if this is the first time using it.
Once added to the subscription, then you can connect it to the Log Analytics Workspace you made earlier.
Step 7 – Disabling the Firewall in the Virtual Machine
RDP into the virtual machine to disable Windows Firewall settings and allow it to be reached by anyone in the world through ICMP echo requests.
Open the Windows Firewall and make the following adjustments to the settings.
- Click Windows Defender Firewall Settings
- On Domain Profile tab, change Firewall state: Off
- On Private Profile tab, change Firewall state: Off
- On Public Profile tab, change Firewall state: Off
You can now ping your virtual machine from your host machine to test that it is reachable.
Step 8 – Scripting the Security Log Exporter
This script was created by Josh Madakor for this project. The only part of the script that needs to be modified is the $API_KEY on line 2.
Sentinel-Lab/Custom_Security_Log_Exporter.ps1 at main · joshmadakor1/Sentinel-Lab · GitHub
Save this PowerShell script in the virtual machine.
Now make an account with the IP geolocation service, Free IP Geolocation API and Accurate IP Geolocation Database.
This account is free for 1000 API calls per day. This can be sufficient, but to see more data, it is recommended to pay the $15 monthly fee to acquire 150,000 requests per month. You can cancel your subscription after completing this project if you do choose to pay for the higher request limit.
Once you have an account with the IP Geolocation service, acquire your API key and update line 2 in the PowerShell script with your key.
The script exports data from the Windows Event Viewer and submits it to the IP Geolocation service. It then extracts the latitude and longitude and writes each entry to a new log, failed_rdp.log, at the following location: C:\ProgramData\failed_rdp.log
Run the script in the PowerShell ISE in the virtual machine. It will constantly produce log data from this point forward.
Step 9 – Create Custom Log in Log Analytics Workspace
Now we will create a custom log to import the additional data from the IP Geolocation service into Azure Sentinel.
Go to the Log Analytics Workspace and click on the menu option for Custom logs.
Azure will ask for a log file to be uploaded. Since the log is on the virtual machine, you will need to copy the contents into a new log file on your host machine and then upload that log file to Azure. This is used to train Log Analytics Workspace to extract specific pieces of data from the real logs.
In the Create a custom log option, it will ask for a collection path. This path will have the following settings.
- Type: Windows
- Path: C:\ProgramData\failed_rdp.log
- Name: FailedRDP_CL
Step 10 – Query the Custom Log
In Log Analytics Workspace, click on the menu option for Logs. This opens a window with a section for queries and their results underneath. Once the custom log has finished instantiating, run a query against it to see the data being extracted. In my case, the name of the custom log is FailedRDP_CL.
This will produce a number of results. Click on the arrow for any result and then click the three dots icon for the option to Extract fields.
Step 11 – Extract Fields from the Custom Log
Now in the RawData section of the log, you will see something like this.
latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,sourcehost:24.16.97.222,state:Washington,country:United States,label:United States – 24.16.97.222,timestamp:2021-10-26 03:28:29
Highlight the value after the colon; in the modal window that appears, set the Field Title to the name of that field.
For example, highlight 47.91542 and, when the modal appears, set the Field Title to latitude. If the search results data looks good, click the Save extraction button.
Do this for all the available fields in the RawData.
Step 12 – Map the Data in Azure Sentinel
In Azure, go to Sentinel and then look at the Overview page to see the available events.
Click on Workbooks in the left menu and then Add workbook then click Edit.
The new workbook will come with a few default widgets. Use each widget's Edit option to delete it from the workbook; we will be creating our own.
Click Add query, which will bring up the query and results window.
Copy/Paste the following query into the query window and then Run Query.
FailedRDP_CL | summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF | where sourcehost_CF != ""
Once the results appear, then click on the Visualization dropdown and select Map to see the World Map.
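To make the Step 11 field extraction and the Step 12 summarize query concrete, here is an added example (not part of the original post or Josh Madakor's repository) that parses RawData lines in the failed_rdp.log format shown above and aggregates them the same way the KQL query does. The sample lines are constructed, and the _CF suffix mirrors the custom-field names Sentinel gives extracted fields.

```python
"""Parse failed_rdp.log RawData lines and aggregate them like the Step 12 KQL query.

Added example; the line format follows the RawData sample in this writeup and the
sample lines below are constructed, not captured from a real honeypot.
"""
from collections import Counter

# Constructed sample RawData lines in the same key:value,key:value format as failed_rdp.log.
SAMPLE_RAWDATA = [
    "latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,"
    "sourcehost:24.16.97.222,state:Washington,country:United States,"
    "label:United States - 24.16.97.222,timestamp:2021-10-26 03:28:29",
    "latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:administrator,"
    "sourcehost:24.16.97.222,state:Washington,country:United States,"
    "label:United States - 24.16.97.222,timestamp:2021-10-26 03:29:11",
    # Constructed line with an empty sourcehost, to show why the query filters sourcehost_CF != "".
    "latitude:0,longitude:0,destinationhost:samplehost,username:,sourcehost:,"
    "state:,country:,label:,timestamp:2021-10-26 03:00:00",
]

# The fields the Step 12 query groups by, with Sentinel's _CF custom-field suffix.
MAP_FIELDS = ("sourcehost_CF", "latitude_CF", "longitude_CF", "country_CF", "label_CF")


def parse_rawdata(line: str) -> dict:
    """Split one RawData line into the fields Step 11 extracts by hand.

    Each pair is split on its first colon only, because the timestamp value
    itself contains colons; a naive split(":") would break that field.
    """
    fields = {}
    for pair in line.split(","):
        key, sep, value = pair.partition(":")
        if sep:  # skip fragments that carry no key:value separator
            fields[key.strip() + "_CF"] = value.strip()
    return fields


def summarize_by_source(lines) -> dict:
    """Offline equivalent of the workbook query:
    FailedRDP_CL | summarize event_count=count() by sourcehost_CF, latitude_CF,
                   longitude_CF, country_CF, label_CF | where sourcehost_CF != ""
    Returns {(sourcehost, latitude, longitude, country, label): event_count}.
    """
    counts = Counter()
    for line in lines:
        record = parse_rawdata(line)
        if record.get("sourcehost_CF", "") == "":
            continue  # drop entries with no source host, as the KQL where clause does
        counts[tuple(record.get(name, "") for name in MAP_FIELDS)] += 1
    return dict(counts)


if __name__ == "__main__":
    for group, event_count in summarize_by_source(SAMPLE_RAWDATA).items():
        print(event_count, *group)
```

Each key in the returned dictionary is one point the Map visualization would plot, with event_count driving its size.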