With the aim of obtaining more exposure to a SIEM, I completed a project in which a virtual machine (VM) acted as a honeypot to attract attacks from IP addresses located in different regions worldwide. The data from those attacks was extracted from the Windows Event Viewer and ingested into a Log Analytics workspace in Azure. This data was forwarded to a third-party API to derive the geolocation of each attack, with the aim of displaying these statistics on a map to identify where all the attacks were coming from. The image above is a representation of the process, and the details of each step are shown below:
1. A virtual machine was set up on the Azure Portal. Its external (network security group) firewall and the Windows firewall were turned off so that all traffic from the internet was allowed.
2. After that, a Log Analytics workspace responsible for capturing the Windows event logs of the virtual machine was created. In addition, log collection was enabled through Azure Security Center.
3. Azure Sentinel was set up to act as the SIEM. It would later be used to create a map displaying the attacker data, with the aim of visualising which countries the attacks were coming from.
4. On the VM, a custom PowerShell script was used to extract the source IP addresses from failed RDP logon events and forward them to a third-party IP geolocation API to derive the latitude, longitude, and other details. These details were returned to the VM, where they were written to a custom log file containing the geographic data.
5. A custom log was created inside the Log Analytics workspace to ingest the custom log file containing the geographic data of the attacks. Once the data was ingested, specific fields were extracted from the raw data into their own columns.
6. Finally, the geo data was mapped in Azure Sentinel by creating a new workbook built on a query that returned the fields to be displayed.
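As an added illustration of steps 4 and 5 (this is example code, not the author's own script), the loop below reads failed logon events (Security Event ID 4625) from the VM, geolocates each public source IP once, and appends one line per event to a custom log file for the Log Analytics agent to pick up. The API endpoint, key, response field names and log path are placeholders and must be replaced with those of the geolocation service actually used.

```powershell
# Added example, not the project's script. Run in an elevated PowerShell
# session: reading the Security log requires administrator rights.
$ApiKey  = "<YOUR_API_KEY>"                    # placeholder
$ApiBase = "https://geolocation.example/json"  # placeholder endpoint
$LogFile = "C:\ProgramData\failed_rdp.log"     # custom log collected by the Log Analytics agent
$Cache   = @{}                                 # ip -> geo record, so each IP is looked up once
$LastId  = 0                                   # highest Security-log RecordId already processed

if (-not (Test-Path $LogFile)) { New-Item -Path $LogFile -ItemType File | Out-Null }

function Test-PublicIPv4([string]$Ip) {
    # Loopback, link-local and RFC 1918 sources cannot be geolocated; '-' means no network address
    if (-not $Ip -or $Ip -eq '-') { return $false }
    return -not ($Ip -match '^(127\.|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Get-GeoRecord([string]$Ip) {
    if ($Cache.ContainsKey($Ip)) { return $Cache[$Ip] }
    $uri = "{0}?apiKey={1}&ip={2}" -f $ApiBase, $ApiKey, $Ip   # query format is an assumption
    $r = Invoke-RestMethod -Uri $uri -Method Get
    $Cache[$Ip] = $r
    return $r
}

while ($true) {
    # Event ID 4625 = failed logon; keep only events newer than the last one handled
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
              Where-Object { $_.RecordId -gt $LastId } | Sort-Object RecordId
    foreach ($e in $events) {
        $LastId = $e.RecordId
        # Flatten the EventData block into a name -> value table (IpAddress, TargetUserName, LogonType, ...)
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ip = $data['IpAddress']
        if (-not (Test-PublicIPv4 $ip)) { continue }
        $geo = Get-GeoRecord $ip
        # One key:value line per event; the custom log in Log Analytics is later split into columns with KQL
        $line = "timestamp:{0},sourceip:{1},user:{2},logontype:{3},country:{4},latitude:{5},longitude:{6}" -f `
                $e.TimeCreated.ToString('o'), $ip, $data['TargetUserName'], $data['LogonType'], `
                $geo.country_name, $geo.latitude, $geo.longitude   # response field names are placeholders
        Add-Content -Path $LogFile -Value $line
        Write-Host $line
    }
    Start-Sleep -Seconds 60
}
```

The dedupe cache matters on a honeypot: the same source typically produces hundreds of 4625 events, and most geolocation APIs meter requests per key.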
To learn more about this project and see the process in action, click below to watch the video.