This project documents the setup and analysis of a honeypot deployed in Azure to observe global attack patterns. Using Azure Sentinel, Microsoft's cloud-native Security Information and Event Management (SIEM) tool, we monitored failed Remote Desktop Protocol (RDP) login attempts on a deliberately vulnerable Windows virtual machine (VM). Enriched logs were visualized on a world map to highlight the geographic origins of attacks.
The goal was to explore the ease with which exposed systems are discovered and targeted while showcasing Azure Sentinel's capabilities in log ingestion, custom enrichment, and threat visualization.
A Windows VM was deployed in Azure and configured without firewalls to simulate a vulnerable endpoint. This setup allowed attackers to discover and target the system with brute-force RDP login attempts.
A Log Analytics Workspace was created to collect security logs from the VM. This served as the central repository for raw event data and custom logs created during the enrichment process.
A PowerShell script was utilized to:
- Extract attacker IP addresses from failed RDP login events.
- Query a geolocation API to retrieve geographic details (country, latitude, longitude).
- Write enriched logs to a custom log file for further analysis.
Sentinel was configured to connect with the Log Analytics Workspace, enabling advanced threat analysis and visualization. Custom logs were parsed, and enriched data was mapped to visualize global attack origins.
- Setting Up the Honeypot VM: A Windows virtual machine was deployed with its external firewall and Windows firewall disabled. This configuration ensured the system was highly discoverable by attackers, serving as an ideal honeypot for logging malicious activities.
- Configuring Log Analytics Workspace: The VM's security event logs were connected to a Log Analytics Workspace. This allowed the collection of failed RDP login attempts, which were essential for the subsequent enrichment process.
- Geolocation Data Enrichment: A PowerShell script was run on the VM to process failed login events. The script extracted attacker IP addresses and queried a geolocation API to retrieve country, state/province, latitude, and longitude. The enriched data was saved as a custom log file and ingested into the Log Analytics Workspace.
- Visualization with Azure Sentinel: Using Azure Sentinel, a custom workbook was created to display the enriched data on a world map. The map plotted attacker origins by latitude/longitude or country, highlighting the global scale of the threats.
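The enrichment step described above, as an added example that is not the project's own script: it reads failed-logon events (Security Event ID 4625) from the local VM, skips entries with no usable source address, geolocates each distinct public IP once, and appends one delimited line per event to the custom log file. The API endpoint, its query parameters, and the JSON field names (`country_name`, `state_prov`, `latitude`, `longitude`) are placeholders standing in for whichever geolocation service is used.

```powershell
# Added example, not the project's script. The endpoint, API key and JSON
# field names below are placeholders for the geolocation service actually used.
$ApiKey  = '<YOUR_API_KEY>'                     # placeholder
$ApiBase = 'https://geolocation.example/api'    # placeholder endpoint, not a real service
$LogPath = 'C:\ProgramData\failed_rdp.log'      # custom log file picked up by Log Analytics

# Cache lookups so an IP that fails hundreds of logons is geolocated only once.
$geoCache = @{}

# Event ID 4625 = "An account failed to log on" in the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500

foreach ($e in $events) {
    # EventData is easiest to read from the event's XML representation.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip   = $data['IpAddress']
    $user = $data['TargetUserName']

    # 4625 records '-' when no network address is known; private ranges cannot
    # be placed on a map either, so both are skipped rather than sent to the API.
    if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or
        $ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') { continue }

    if (-not $geoCache.ContainsKey($ip)) {
        try {
            $geoCache[$ip] = Invoke-RestMethod -Uri "$ApiBase/ipgeo?apiKey=$ApiKey&ip=$ip" -TimeoutSec 10
        } catch {
            Write-Warning "Geolocation lookup failed for $ip : $_"
            continue
        }
    }
    $g = $geoCache[$ip]

    # One key:value line per event; Sentinel parses these fields with a KQL query later.
    $fields = @(
        $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'), $ip, $user,
        $g.country_name, $g.state_prov, $g.latitude, $g.longitude
    )
    $line = 'timestamp:{0},sourceip:{1},username:{2},country:{3},state:{4},latitude:{5},longitude:{6}' -f $fields
    Add-Content -Path $LogPath -Value $line
}
```

Run it in an elevated session on the VM, since reading the Security log requires administrator rights; the resulting file is what the Log Analytics custom log definition points at.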
Attack Trends
Within 16 hours of deployment, the honeypot attracted hundreds of login attempts from multiple countries, including:
- Egypt
- Morocco
- Russia
- Netherlands
Attackers frequently targeted common usernames such as "administrator", "Test", and the computer's hostname, "honeypot". Most of the traffic appeared to be automated brute-force activity.
Exposed Hosts are Rapidly Targeted: The honeypot demonstrated how quickly vulnerable systems are discovered and attacked, underscoring the importance of strong security configurations.
Log Enrichment Enhances Insights: Geolocation data provided threat intelligence on which countries the attacks were most likely to originate from.
SIEM Capabilities in Action: Azure Sentinel's integration with Log Analytics allowed for effective visualization and analysis of the data.
- Explore Sentinel's advanced features, such as alerting and automation.
- Test additional protocols beyond RDP to broaden the scope of analysis.
- Implement more efficient methods for log enrichment and ingestion.
This lab draws inspiration from Josh Madakor's SIEM Tutorial.
While following his guidance, adjustments were made to account for changes in Azure's interface and updated log ingestion processes. Additionally, a query-based approach was utilized instead of relying on custom fields.
Azure, Microsoft Sentinel, PowerShell, API, Automation, SIEM, Log Analysis, Data Enrichment, Threat Analysis