This project explains how to set up a basic SOC using Azure. We will set up a honeypot VM, forward the logs it generates to a central repository, and then integrate Microsoft Sentinel to analyze the attack data.
Prerequisites
An Azure subscription (a free account is sufficient).
Create Resource Groups & Virtual Network
We will create a Resource Group, leaving all configuration at the defaults. For this project it is named my-first-rsg and placed in the Central India region.
We will then create a Virtual Network (VNet) named my-first-vnet under the Resource Group we just created, again leaving all configuration at the defaults. It must be in the same region, Central India.
As shown in the image above, we will create a virtual machine named DataAnalysis-Server running Windows Server 2019 Datacenter. The Standard B2s size is sufficient for this project.
Once the configuration is complete, deploy the newly created virtual machine as shown above.
From the Resource Group, we will modify the VM's Network Security Group (NSG). Delete the default Remote Desktop Protocol (RDP) rule and create a new inbound rule that allows all ports from any source, named DangerAllPortsAllowed as shown above. This rule deliberately exposes the VM to the whole internet so that it attracts attacks, which is the point of a honeypot; never apply a rule like this to a machine you care about.
Using a Remote Desktop Protocol (RDP) client, enter the VM's public IP address, username and password to log into the newly created virtual machine.
In the VM, open Windows Defender Firewall with Advanced Security and turn the firewall off for all profiles (Domain, Private and Public) as shown above, so that the host answers every probe that the NSG now lets through.
We can confirm the VM is reachable by pinging it from our local machine as shown above. The ping succeeds only because the host firewall is off; Windows blocks inbound ICMP echo requests by default.
We then create a Log Analytics workspace to collect the VM's logs.
Next we enable Microsoft Sentinel on the Log Analytics workspace we just created.
On the Microsoft Sentinel page, under Content management > Content hub, search for and install the Windows Security Events solution. It provides the data connector that links our VM's Security log to the Log Analytics workspace, as shown above.
We then configure the Windows Security Events via AMA data connector (AMA is the Azure Monitor Agent).
Through that connector we create a data collection rule (DCR) that tells the agent which Security events to forward from the VM into the Log Analytics workspace, where Sentinel can query them. Once this is done, switch back to the VM in the Azure portal: under Settings > Extensions + applications, the AMA extension should now be listed as installed.
Once this is properly configured, we can query the logs with KQL as shown below. Forwarded events land in the SecurityEvent table; failed logon attempts are Event ID 4625.
Checking back two hours later, we can already see thousands of login attempts against our virtual machine.
We can also query just the last minute to see how many attempts per minute we are receiving.
This shows 9 failed login attempts against the virtual machine in the last minute.
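The queries behind the counts above, as an added example that is not part of the original post. It assumes the data collection rule forwards the Windows Security log into the SecurityEvent table (the default for the Windows Security Events via AMA connector) and that failed logons appear as Event ID 4625. Run each query separately in the Logs blade.

```kql
// Added example, not from the original post.
// Failed logons (Event ID 4625, "An account failed to log on") bucketed per minute
// over the last two hours: the "thousands of attempts" view.
SecurityEvent
| where TimeGenerated > ago(2h)
| where EventID == 4625
| summarize FailedLogons = count() by bin(TimeGenerated, 1m)
| order by TimeGenerated asc

// Rate check: how many failed logons arrived in the last minute.
SecurityEvent
| where TimeGenerated > ago(1m)
| where EventID == 4625
| summarize FailedLogons = count()

// Who is attacking and which usernames they guess.
// IpAddress is "-" for some RDP failures that occur during Network Level
// Authentication, so those rows are dropped before grouping by source.
SecurityEvent
| where TimeGenerated > ago(2h)
| where EventID == 4625
| where IpAddress != "-"
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, TargetUserName
| top 20 by Attempts desc
```

The per-minute series is the one to watch first: a sudden jump in FailedLogons from a single IpAddress is the signature of a password-spraying bot, and the TargetUserName column shows which default accounts (Administrator, admin, user) it is cycling through.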
We will then create a Watchlist in the Microsoft Defender portal and upload the geographically mapped IP address spreadsheet geoip-summarized.csv, which maps IP ranges to a country and city. Once uploaded, the watchlist should look as shown below.
Using a simple KQL query that joins the failed logons to the watchlist, we can highlight one specific attacker from the Netherlands who tried to log in over 900 times, as seen below.
We then create a Sentinel workbook to plot the attacks as a bar graph, using the query JSON shown in the image below.
The workbook renders the data as a bar graph.
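The watchlist join used for the per-attacker table and for the workbook chart, as an added example that is not part of the original post. Assumptions: the watchlist was saved with the alias "geoip", geoip-summarized.csv has the columns network (a CIDR range), cityname and countryname, and a 24-hour window is wide enough to cover the attack data; adjust the alias, column names and window to match your upload.

```kql
// Added example, not from the original post.
// Enrich each failed logon with its source country and city by matching the
// attacker's IP against the CIDR ranges in the watchlist. The Netherlands
// attacker with 900+ attempts surfaces at the top of this table.
let GeoIPDB_FULL = _GetWatchlist("geoip");   // assumed watchlist alias
SecurityEvent
| where TimeGenerated > ago(24h)              // assumed analysis window
| where EventID == 4625
| where IpAddress != "-"
| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)   // "network" = CIDR column
| summarize FailedLogons = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, cityname, countryname
| order by FailedLogons desc

// Same enrichment aggregated by country. This is the query text that goes into
// the workbook's query step (set its visualization to Bar chart); the trailing
// render operator gives the equivalent chart when run directly in Logs.
let GeoIPDB_FULL = _GetWatchlist("geoip");
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| where IpAddress != "-"
| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)
| summarize FailedLogons = count() by countryname
| order by FailedLogons desc
| render barchart
```

Attacker IPs that fall outside every range in the watchlist are dropped by ipv4_lookup; if the totals here are noticeably lower than the raw 4625 count, widen the watchlist rather than trusting the map.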
Conclusion
It is very important to always install security updates as soon as they become available.
Only open the ports you need, and only for as long as you need them. When this exercise is finished, remove the DangerAllPortsAllowed rule and delete the honeypot VM so it stops accumulating both attacks and charges.