SIEM | Azure Sentinel | Honeypot

Tallis / Jayteaare
5 min read · Nov 27, 2021

To start, we need to make an account and then navigate to portal.azure.com.

Then type virtual machine in the search box at the top and click it.

Hit Create, then Virtual machine.
Set all the options (name, username/password, etc.) and hit Next through the disks page. On the Networking page, choose Advanced for the network security group, create a new one, add a rule with your settings, hit OK, and then Create.

While this VM deploys, search for Log Analytics Workspaces. Make sure to connect it to the VM.

Next, search for Microsoft Defender for Cloud, and click whatever you named the Honeypot (I had to use the drop down under my subscription).

Click Enable all Microsoft Defender for Cloud plans, turn SQL servers off below, then Save. Then go into Environment settings and set auto provisioning to log all events.

Go back to the Log Analytics Workspace. Click Logs, then Virtual machines, and make sure to connect the VM to the workspace.

After that, go to Microsoft Sentinel. Create and then connect it to the Log Analytics Workspace you made.

At this point, go back to your virtual machine, copy the IP, and then open Remote Desktop. Use the IP and the login credentials from when you made the VM.

I forgot to get screenshots here, so this part will be text based.

From here you can set up Edge, and go to the Event Viewer to look at the Security log.

First, search for wf.msc on the VM. Click Windows Defender Firewall Properties and turn the firewall off on the Domain and Public tabs.

Second, copy the script found here: Sentinel-Lab/Custom_Security_Log_Exporter.ps1 at main · joshmadakor1/Sentinel-Lab (github.com). After you copy this, open PowerShell ISE, click New, and paste the code.

Before saving there is one more step. Go to ipgeolocation.io, sign up for an account, take the API key from your dashboard, and insert it into the script. Then save the file under whatever name you want on the desktop.

Your log of failed RDP attempts will be written to C:\ProgramData\failed_rdp.log. To access it, open Run and type the path C:\ProgramData\ (the folder is hidden).

Now hit the start button in PowerShell ISE and let it run. The log is generated immediately with sample hits; give it some time and people from all over the world will find your machine. I had Russia hitting it within 5 minutes.

Now go back to the Log Analytics Workspace and create a custom log, pointing it at the path of the log file saved on the VM. After that you can go to Logs and search for it by name to see results.

The next part is extracting the data into fields so we can use it later for the map. Click the 3 dots as seen below. Extract each value by highlighting it and giving it a name (make sure to write down what you name these; you will need them later).

While you give the custom log some time to populate, go back to Sentinel and click on the one you created earlier. Then hit workbook, add workbook, and edit. You can remove the default widgets, then hit add query.

Select Map as the visualization. After that, copy and paste the following query into the query editor:

FAILED_RDP_WITH_GEO_CL | summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF | where destinationhost_CF != "samplehost" | where sourcehost_CF != ""

Make sure to switch the names with whatever you named yours.
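As an added example (not from this post or from the Sentinel-Lab script), the Python below replays that workbook query offline over a few constructed failed_rdp.log lines. It assumes the exporter writes comma-separated key:value pairs using the field names above (Log Analytics adds the _CF suffix when you extract them), and applies the same grouping and the same samplehost / empty-source filtering, so you can sanity-check your extracted fields before the custom log fully populates.

```python
from collections import Counter

# Constructed sample lines in the assumed exporter layout; not real telemetry.
# The first line mimics the placeholder "samplehost" rows the script emits on start.
SAMPLE_LOG = """\
latitude:0,longitude:0,destinationhost:samplehost,username:fakeuser,sourcehost:0.0.0.0,state:Sample,country:Sample,label:Sample - 0.0.0.0,timestamp:2021-11-27 10:00:00
latitude:55.7558,longitude:37.6173,destinationhost:honeypot-vm,username:administrator,sourcehost:203.0.113.5,state:Moscow,country:Russia,label:Russia - 203.0.113.5,timestamp:2021-11-27 10:05:12
latitude:55.7558,longitude:37.6173,destinationhost:honeypot-vm,username:admin,sourcehost:203.0.113.5,state:Moscow,country:Russia,label:Russia - 203.0.113.5,timestamp:2021-11-27 10:05:40
latitude:39.9042,longitude:116.4074,destinationhost:honeypot-vm,username:root,sourcehost:198.51.100.9,state:Beijing,country:China,label:China - 198.51.100.9,timestamp:2021-11-27 10:07:03
latitude:,longitude:,destinationhost:honeypot-vm,username:guest,sourcehost:,state:,country:,label:,timestamp:2021-11-27 10:08:00
"""

# Same grouping columns as the KQL "summarize ... by" clause (without the _CF suffix).
GROUP_KEYS = ("sourcehost", "latitude", "longitude", "country", "label", "destinationhost")


def parse_line(line):
    """Split one log line into a dict. Only the first ':' in each field separates
    key from value, so the timestamp's own colons are preserved."""
    fields = {}
    for item in line.strip().split(","):
        key, _, value = item.partition(":")
        fields[key] = value
    return fields


def summarize_failed_rdp(log_text):
    """Python equivalent of:
    FAILED_RDP_WITH_GEO_CL | summarize event_count=count() by <GROUP_KEYS>
    | where destinationhost_CF != "samplehost" | where sourcehost_CF != ""
    Returns rows sorted by event_count descending."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Drop the script's placeholder rows and events with no source address.
        if rec.get("destinationhost") == "samplehost" or not rec.get("sourcehost"):
            continue
        counts[tuple(rec.get(k, "") for k in GROUP_KEYS)] += 1
    return [dict(zip(GROUP_KEYS, key), event_count=n) for key, n in counts.most_common()]


if __name__ == "__main__":
    for row in summarize_failed_rdp(SAMPLE_LOG):
        print(row)
```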

Change the map settings to either visualize by lat/long or country.

This is what the map looked like literally 2 hours into my honeypot:

This was awesome! Great experience, knowledge that will last a lifetime.
