
Azure SIEM

Date

April 2023

This is an Azure SIEM that monitors attacks against a honeypot exposed to attackers.

Steps

1. Resource group

Create a resource group; this will host all of the resources for this project.

2. Create VM

Next I have to create a virtual machine. Name it HONEYPOT. I used a B1ms Standard size with a Windows 10 Pro 21H2 image. Username: HONEYPOT Winnied@p00h

3. Create a firewall

We will go to Advanced and create a firewall. We will allow all traffic through the firewall. I did this to make the VM very discoverable for people to do SYN scans and ping the VM. That way I can collect the traffic.

4. VM is created

Now our VM is created.

5. Log Analytics

Next I have to create a Log Analytics workspace.

6. Setting up gathering VM logs in Security Center

Next we have to set up the ability to gather VM logs in Security Center. We have to turn on Microsoft Defender and set up the server. https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components#enable-auto-provisioning-of-the-log-analytics-agent-and-extensions-

7. Azure analytics workspace

We will set up Azure Sentinel by choosing the Azure analytics workspace.

8. Connect to VM through public IP

Connect to the VM through its public IP.

10.

In the VM we will open Event Viewer and look at the logs on the VM. We mimic a bad login and take the IP from it.

11.

Then I will use ipgeolocation.io to detect the location of attacks.

12.

Turn Windows Firewall off so the VM can receive ICMP echo requests.

13.

We will then use a PowerShell script which uses an API key from ipgeolocation.io to receive geo data. It looks through the event log and the IP addresses of failed logins to trace their location. It also creates sample data if no log is ready.

https://github.com/Diealegend/Scripting/blob/main/Cybersecurity/Ipgeolocation.ps1

14.

Go to Azure and create a custom log to bring in the custom log by copying the contents. Make sure in the custom log settings to put the directory from which it will pull the log data.
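The following is an added example of what steps 10 through 14 describe, written for this page rather than taken from the script linked above: it reads failed-logon events (Security log, Event ID 4625) from the VM, geolocates each source IP through ipgeolocation.io, and appends one line per event to a text file that the Azure custom log can pick up. The API endpoint and JSON field names, the log path, the column order and the placeholder API key are all assumptions; the "samplehost" sample line mirrors the filter in the map query later on this page.

```powershell
# Added example, not the script from the author's repository linked above.
# Reads failed-logon events (Security log, Event ID 4625), geolocates each source IP
# through ipgeolocation.io and appends one line per event to a custom log file.
# Assumptions (not from the page): the API endpoint and JSON field names, the log
# path, the column order, and the placeholder API key. Run in an elevated PowerShell on the VM.

param(
    [string]$ApiKey      = 'REPLACE_WITH_YOUR_IPGEOLOCATION_IO_KEY',  # placeholder; keep real keys out of public repos
    [string]$LogPath     = 'C:\ProgramData\failed_rdp_geo.log',      # assumed; must match the directory set in the Azure custom log
    [int]   $LookbackHrs = 24                                        # how far back in the Security log to read
)

# Column order written to each line. The map query on this page keys on latitude,
# longitude, country, label, sourcehost and destinationhost, so all of them are present.
$Columns = 'latitude','longitude','destinationhost','username','sourcehost','state','country','label','timestamp'

function Get-GeoForIp {
    param([string]$Ip)
    # ipgeolocation.io 'ipgeo' endpoint; the response field names used below are assumed
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
    try   { return Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 15 }
    catch { Write-Warning "Geo lookup failed for ${Ip}: $_"; return $null }
}

function Get-FailedLogons {
    param([datetime]$Since)
    # 4625 = "An account failed to log on"; SilentlyContinue hides the 'no events found' error
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue
}

function Get-EventField {
    param($Event, [string]$Name)
    # Read named EventData fields from the event XML instead of trusting positional Properties[] indexes
    [xml]$x = $Event.ToXml()
    return ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Format-LogLine {
    param([hashtable]$Fields)
    # key:value pairs joined by commas, e.g. latitude:0.0,longitude:0.0,destinationhost:...
    return ($Columns | ForEach-Object { "{0}:{1}" -f $_, $Fields[$_] }) -join ','
}

# Constructed sample line so the custom-log table exists before real traffic arrives;
# the page's map query drops it again with `where destinationhost_CF != "samplehost"`.
$Sample = Format-LogLine @{
    latitude='0.0'; longitude='0.0'; destinationhost='samplehost'; username='sampleuser'
    sourcehost='203.0.113.10'; state='Sample'; country='Sample'; label='Sample - 203.0.113.10'
    timestamp=(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
}
if (-not (Test-Path $LogPath)) { Set-Content -Path $LogPath -Value $Sample }

$geoCache = @{}   # one lookup per attacker IP per run; brute-force sources repeat a lot
$written  = 0
foreach ($ev in (Get-FailedLogons -Since (Get-Date).AddHours(-$LookbackHrs))) {
    $ip = Get-EventField $ev 'IpAddress'
    # Skip console/local failures that carry no routable source address
    if (-not $ip -or $ip -eq '-' -or $ip -like '127.*' -or $ip -eq '::1') { continue }
    if (-not $geoCache.ContainsKey($ip)) { $geoCache[$ip] = Get-GeoForIp $ip }
    $geo = $geoCache[$ip]
    if (-not $geo) { continue }

    $line = Format-LogLine @{
        latitude        = $geo.latitude
        longitude       = $geo.longitude
        destinationhost = $env:COMPUTERNAME
        username        = Get-EventField $ev 'TargetUserName'
        sourcehost      = $ip
        state           = $geo.state_prov
        country         = $geo.country_name
        label           = "$($geo.country_name) - $ip"
        timestamp       = $ev.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
    }
    Add-Content -Path $LogPath -Value $line
    $written++
}
Write-Host "Wrote $written failed-logon line(s) to $LogPath"
```

Run it repeatedly (for example from Task Scheduler) with a `-LookbackHrs` value matching the schedule, so each run only reads the events that arrived since the last one; the per-run IP cache keeps the number of API calls close to the number of distinct attacker addresses rather than the number of failed logins, which matters once a brute-force source is hammering the VM.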

15.

In my logs nothing showed up for security events.

16.

We run our table log query for our import. You might have to fake a login multiple times to get items to show. FAILED_RDP_WITH_GEO_CL

17.

Next we will set up a map in Sentinel in Workbooks. We must use this query: Sentinel Map Query: FAILED_RDP_WITH_GEO_CL | summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF | where destinationhost_CF != "samplehost" | where sourcehost_CF != ""

At the end of this project I realized I was unable to use this query. So I used a KQL query to pull the data.

18.

I wasn't able to run a query and create custom tables to run automatically and parse. I had to manually upload the failed logins and parse with the query above, but I was able to import the data.

https://github.com/Diealegend/Scripting/blob/main/Scripts/Azure_SEIM_QUERY.txt


19.

From my findings it is mostly South Korea trying to exploit us. I believe they are using a brute force because it is the same names but more failed logins.

20.

I then set up my map from the query.

21.

The map then has a heat map of all our attacks.

Lessons Learned 

This project taught me some things I already knew, like ensuring that firewalls need to be properly set. As in the project, we see multiple countries (mostly South Korea, since the documentation of this project) try to attack this VM; they mostly used usernames like admin, administrator, test, and various service accounts. The other lesson I learned is that changes in technologies may force you to do things differently. Originally I would have been able to funnel the attack log to my map with a simple custom log. But instead, I had to create a query to parse the data and plot the heat map.
