Azure Honeypot & SIEM

During my time studying for the CompTIA Network+ exam, I learned what a SIEM is. SIEM stands for Security Information and Event Management. It is a tool that helps organizations monitor and analyze security-related data from many different sources so they can detect and respond to cybersecurity threats. In today's world there is always a new security breach, whether at Yahoo, Equifax or elsewhere, and each one costs the affected company millions of dollars.

Why is a SIEM important? Here are a few reasons:

  • Real-time visibility: A SIEM gives you real-time visibility into the security of your organization. By collecting data from multiple sources and correlating it, a SIEM can quickly detect security incidents that would otherwise have gone unnoticed.
  • Threat detection: A SIEM helps detect a wide range of security threats, including malware, phishing attacks, unauthorized access attempts and other suspicious activity.
  • Incident response: A SIEM helps organizations respond quickly to security incidents. By alerting security teams in real time, it reduces the time it takes to detect and respond to an incident, minimizing the impact of a breach.
  • Compliance: A SIEM helps organizations meet compliance requirements. Many regulations require organizations to monitor and analyze security data, and a SIEM can do that for you.
  • Centralized management: A SIEM lets organizations manage their security data from a central location. This improves efficiency, reduces the risk of errors and makes it easier to manage security policies and procedures.

So today, I decided to set up a SIEM on Microsoft Azure with Sentinel.

To start, I made a VM on Azure running Windows 10 Pro.
We want to make this VM as vulnerable as possible for this project so we can track the attackers who try to get into it with the SIEM we are going to build. To do this, we reduce the defenses on the VM and allow any incoming connection.
Here we enable Microsoft Sentinel to collect all events from the VM.
Inside the VM, Event Viewer shows us all the login attempts.
Again, to make this VM as vulnerable as possible to attacks, I disabled the firewalls on the VM. To make sure it could accept any incoming connection, I ran a ping -t command against it.

I ran into the issue that I kept getting "request timed out" even after disabling the firewall on the VM. Obviously, if this were a real deployment, this would be good. But since we want this VM as vulnerable as possible for the project, I had to figure out why it still wasn't able to connect. So I went into Azure and double-checked my work on the VM inbound port rules. I found that I had not clicked save on the inbound port rule we made when we originally set up the VM to allow ANY inbound connections. I fixed this by adding the DANGER_ANY_IN inbound port rule again with a priority of 100 so it would take precedence over every other rule. And this time I saved it.
After this, the ping -t was finally getting a reply from the VM. Now we can continue; our VM is as vulnerable as it can be.
Next, we got a PowerShell script off GitHub that will export logs from Event Viewer. For the script to work you need to get an API key from https://ipgeolocation.io/, which gives us latitude, longitude, etc. so we can use them for our SIEM map.
Next, we made a custom log to bring in our custom log (FAILED_RDP_WITH_GEO_CL). To do this we connected a Notepad file to our custom log. From here, we want to separate each field, such as latitude, longitude, sourcehost, etc., as right now they are all bundled up in the "RawData" column.

Here we are making each custom field we need to make the SIEM map. We ended up making a custom field for:

  • country
  • state
  • sourcehost
  • destinationhost
  • longitude
  • latitude
  • timestamp
  • label

Next we go into Sentinel and create a new workbook. This will show us our map. To do this we ran the query shown in the screenshot above. This query summarizes data from the FAILED_RDP_WITH_GEO_CL table and filters the results to exclude any rows where the destinationhost_CF field is equal to "samplehost" or the sourcehost_CF field is empty. The query returns the remaining results in a table with a column for each summarized field and a count of the events that match each combination of field values.
Here we are setting up the visual map. We configure the layout to use Latitude/Longitude: for latitude we choose latitude_CF and for longitude we choose longitude_CF.
Here is our world map, which now shows us live failed RDP login attempts. Those 5 login attempts were me giving it some failed logins just to see if they were showing up. The 2 failed attempts in Germany were real. As we let this run we will see more failed login attempts.
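The workbook query from the screenshot is not reproduced on the page, so here is an added KQL reconstruction based on the description above; it is not the post's own query. It assumes the custom fields all carry the _CF suffix shown for destinationhost_CF, sourcehost_CF, latitude_CF and longitude_CF (country_CF, state_CF and label_CF are assumed to follow the same convention).

```kusto
// Read the custom log table that the PowerShell exporter feeds.
FAILED_RDP_WITH_GEO_CL
// Exclude rows whose destination host is "samplehost" and rows where the
// source host could not be extracted from RawData, as the post describes.
| where destinationhost_CF != "samplehost"
| where isnotempty(sourcehost_CF)
// If the custom fields were created as text, cast coordinates to numbers
// so the workbook map can plot them (a no-op if they are already numeric).
| extend latitude = todouble(latitude_CF), longitude = todouble(longitude_CF)
// One row per distinct combination of the summarized fields, plus a count
// of the failed RDP events that match that combination.
| summarize event_count = count()
    by latitude, longitude, sourcehost_CF, destinationhost_CF,
       country_CF, state_CF, label_CF
// Show the noisiest sources first.
| order by event_count desc
```

In the workbook map settings, point the latitude and longitude fields at the casted latitude and longitude columns and use event_count for the marker size.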

Doing this project made me realize just how important cybersecurity is in today's world. As you can see, we set up a VM on Azure just now and it was already receiving login attempts within a few minutes of being created.

With the growing reliance on technology and the internet, cyber threats are becoming more complex and more frequent, and they can have serious consequences for individuals, companies, and the public as a whole. A tool like a SIEM can help keep these threats at bay.
