Azure SIEM
Date
April 2023
This is an Azure SIEM that monitors attacks against a honeypot exposed to attackers.
Steps
1. Resource group
Create a resource group; this will host all of the resources for this project.
2. Create VM
Next I have to create a virtual machine. Name it HONEYPOT. I used a B1ms Standard size with a Windows 10 Pro 21H2 image. Username: HONEYPOT, password: Winnied@p00h
3. Create a firewall
We will go to Advanced and create a firewall that allows all traffic through. I did this to make the VM very discoverable, so people would SYN scan and ping it; that way I can collect the traffic.
4. VM is created
Now our VM is created.
5. Log Analytics
Next I have to create a Log Analytics workspace.
6. Setting up gathering of VM logs in Security Center
Next we have to set up the ability to gather VM logs in Security Center: we have to turn on Microsoft Defender and set up the server. https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components#enable-auto-provisioning-of-the-log-analytics-agent-and-extensions-
7. Azure Log Analytics workspace
We will set up Azure Sentinel by choosing the Log Analytics workspace.
8. Connect to VM through public IP
Connect to the VM through its public IP.
10.
In the VM we open Event Viewer and look at the logs on the VM. We mimic a bad login and take the IP from it.
11.
Then I will use ipgeolocation.io to detect the location of the attacks.
12.
Turn the Windows firewall off so the VM can receive ICMP echo requests.
13.
We will then use a PowerShell script which uses an API key from ipgeolocation.io to receive geo data. It looks through the event log for the IP addresses of failed logins and traces their location. It also creates sample data if no log is ready yet.
https://github.com/Diealegend/Scripting/blob/main/Cybersecurity/Ipgeolocation.ps1
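As an added illustration of what a collector of this kind does (an example written for this write-up, not the Ipgeolocation.ps1 script linked above), the following PowerShell reads failed-logon events (ID 4625) from the Security log, geolocates each public source IP through ipgeolocation.io and appends one key:value line per event to a flat file that the custom log can pick up. The API key placeholder, the log path and the exact line layout are assumptions.

```powershell
# Added example, not the author's script. Reads Windows failed-logon events,
# geolocates the source IP via ipgeolocation.io and appends one line per event
# to a flat log file for ingestion as an Azure custom log.
$ApiKey  = "<your-ipgeolocation-api-key>"      # placeholder; never commit a real key
$LogFile = "C:\ProgramData\failed_rdp.log"    # assumed path; point the custom log at this folder
$Cache   = @{}                                # one API call per distinct IP

# Only collect events newer than the last write, so repeated runs do not duplicate lines
$since = if (Test-Path $LogFile) { (Get-Item $LogFile).LastWriteTime } else { (Get-Date).AddDays(-1) }

# Event ID 4625 = "An account failed to log on" (reading the Security log needs an elevated shell)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # EventData is a list of <Data Name="...">value</Data> elements; turn it into a hashtable
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip   = $data['IpAddress']
    $user = $data['TargetUserName']
    # Skip empty, loopback and private sources: the API only gives useful data for public IPs
    if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or $ip -like '127.*' -or
        $ip -like '10.*' -or $ip -like '192.168.*') { continue }

    if (-not $Cache.ContainsKey($ip)) {
        try {
            $Cache[$ip] = Invoke-RestMethod -Method Get `
                -Uri "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$ip"
        } catch {
            Write-Warning "Geolocation lookup failed for $ip : $_"
            continue
        }
    }
    $geo = $Cache[$ip]

    # Comma-separated key:value pairs; the custom-log KQL later extracts each field by name
    $ts   = $ev.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
    $line = "latitude:$($geo.latitude),longitude:$($geo.longitude),destinationhost:$env:COMPUTERNAME," +
            "username:$user,sourcehost:$ip,state:$($geo.state_prov),country:$($geo.country_name)," +
            "label:$($geo.country_name) - $ip,timestamp:$ts"
    Add-Content -Path $LogFile -Value $line
}
```

Run it on a schedule (or in a loop) on the honeypot; ipgeolocation.io returns `latitude`, `longitude`, `state_prov` and `country_name` in its JSON, which is why those property names appear above.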
14.
Go to Azure and create a custom log to bring in the log by copying its contents. Make sure in the custom log settings to set the directory from which it will pull the log data.
15.
In my logs nothing showed up for security events.
16.
We run our table log query for our import. You might have to fake the login multiple times to get items to show: FAILED_RDP_WITH_GEO_CL
17.
Next we will set up a map in Sentinel in Workbooks. We must use this query:
Sentinel Map Query: FAILED_RDP_WITH_GEO_CL | summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF | where destinationhost_CF != "samplehost" | where sourcehost_CF != ""
At the end of this project I realized I was unable to use this query, so I used a KQL query to pull the data.
18.
I wasn't able to run a query and create custom tables to run automatically and parse. I had to manually upload the failed logins and parse them with the query above, but I was able to import the data.
https://github.com/Diealegend/Scripting/blob/main/Scripts/Azure_SEIM_QUERY.txt
19.
From my findings it is mostly South Korea trying to exploit us. I believe they are using brute force because it is the same names but more failed logins.
20.
I then set up my map from the query.
21.
The map then shows a heat map of all our attacks.
Lessons Learned
This project taught me some things I already knew, like ensuring that firewalls are properly set. As in the project, we see multiple countries (mostly South Korea since the documentation of this project) try to attack this VM; they mostly used usernames like admin, administrator, test, and various service accounts. The other lesson I learned is that changes in technologies may force you to do things differently: originally I would have been able to funnel the attack log to my map with a simple custom log. Instead, I had to create a query to parse the data and plot the heat map.