SIEM (Security Information and Event Management) is a critical tool that organizations use to detect and respond to potential security threats.
I wanted to see how simple it could be to build my own version of this, using a virtual machine (VM) as a honeypot to lure potential attackers.
There are videos on YouTube that already cover this, but this is how I went about it: a homemade SIEM lab in Azure, with attacker data visualized in Microsoft Sentinel.
Setting Up the Environment
To get started, I created a new Azure account, a resource group, and a virtual machine. To make the VM easier for potential attackers to discover, I also added a deliberately permissive inbound security rule.
Next, I set up a Log Analytics workspace, which serves as the central repository for storing logs, specifically the Windows event logs from the VM.
Enabling Log Gathering
Using Azure Security Center (now Microsoft Defender for Cloud), I enabled log collection from the VM into the Log Analytics workspace. This involved turning on Microsoft Defender or the foundational Cloud Security Posture Management (CSPM) capabilities.
Deploying Microsoft Sentinel as the SIEM
I then set up Microsoft Sentinel. This is our SIEM, used to visualize the attack data. (When enabling it, we select the Log Analytics workspace we want to connect it to.)
Connecting VM to Log Analytics Workspace
With the VM now connected to the Log Analytics workspace, we can start gathering logs.
Exploring Event Viewer Logs
By connecting to the VM via RDP, I had access to the Event Viewer logs. (I specifically looked for failed RDP login attempts in the Security log.)
Another important note: I turned off the Windows firewall on the machine so that it would respond to pings (ICMP requests). This lets attackers discover it faster.
Automating the Geo-Location of Attackers
Using a PowerShell script (Sentinel-lab on GitHub), I automated gathering the IP addresses of attackers from the Event Viewer logs. I also used a geolocation service to determine the location of these IP addresses, down to country and city. This data was then compiled into a log file.
Custom Log Integration
To automate the tracking of failed login attempts, the script kept appending to the custom log file every time a new attempt occurred.
Testing the SIEM
With the custom log file now containing geolocation data, I pointed the Log Analytics workspace directly at its path as a custom log so the data could be analyzed.
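The collection step described above, as an added PowerShell example that is not the Sentinel-lab script from GitHub: it parses failed-logon events (Security event ID 4625) from the VM's Security log, extracts the remote address and target account, geolocates each new address once, and appends one line per attempt to a custom log file that Log Analytics can ingest. The log line format, the geolocation endpoint URL (a placeholder), the function names, the exclusion list and the embedded sample event are all assumptions of this example, not taken from the page.

```powershell
# Added example, not the Sentinel-lab script. Run on the honeypot VM in an
# elevated session: reading the Security log requires administrator rights.

# Security event 4625 = "An account failed to log on".
$FailedLogonId = 4625

# Parse one event's XML into the fields the custom log needs.
function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$doc = $EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        # InnerText/GetAttribute avoid errors on empty <Data/> elements.
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Timestamp = $doc.Event.System.TimeCreated.SystemTime
        IpAddress = $data['IpAddress']
        Username  = $data['TargetUserName']
        LogonType = $data['LogonType']
    }
}

# Live collection from the Security log (no events found is not an error here).
function Get-FailedLogonEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $FailedLogonId; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-FailedLogonXml -EventXml $_.ToXml() }
}

# PLACEHOLDER geolocation lookup: the page does not name the service it used,
# so this URL is hypothetical. Replace it and map the response fields.
function Resolve-GeoIp {
    param([Parameter(Mandatory)][string]$Ip)
    $resp = Invoke-RestMethod -Uri "https://geoip.example.invalid/json/$Ip" -TimeoutSec 10
    [pscustomobject]@{ Country = $resp.country; City = $resp.city
                       Latitude = $resp.latitude; Longitude = $resp.longitude }
}

# Append one custom-log line per remote failed logon. Each IP is resolved once
# (public geo-IP services rate-limit), and failures degrade to "Unknown".
function Write-AttackerLog {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string]$LogPath,
        [scriptblock]$Resolver = ${function:Resolve-GeoIp},
        [string[]]$ExcludeIp = @(),          # e.g. your own test address(es)
        [hashtable]$GeoCache = @{}
    )
    foreach ($e in $Events) {
        $ip = $e.IpAddress
        # '-' and loopback mean the failure was local to the VM, not a remote attacker.
        if ([string]::IsNullOrWhiteSpace($ip) -or $ip -in @('-', '127.0.0.1', '::1') -or $ip -in $ExcludeIp) { continue }
        if (-not $GeoCache.ContainsKey($ip)) {
            try   { $GeoCache[$ip] = & $Resolver $ip }
            catch { $GeoCache[$ip] = [pscustomobject]@{ Country = 'Unknown'; City = 'Unknown'; Latitude = 0; Longitude = 0 } }
        }
        $g = $GeoCache[$ip]
        # Constructed "label:value" format; Log Analytics custom-log parsing splits on these labels.
        $line = "latitude:$($g.Latitude),longitude:$($g.Longitude),destinationhost:$env:COMPUTERNAME," +
                "username:$($e.Username),sourcehost:$ip,country:$($g.Country),city:$($g.City),timestamp:$($e.Timestamp)"
        Add-Content -Path $LogPath -Value $line
    }
}

# Offline demonstration: a constructed 4625 event (TEST-NET-3 address) and an
# in-memory resolver standing in for the geolocation service.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-01T12:34:56.000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">203.0.113.45</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>
'@
$demoResolver = { param($Ip) [pscustomobject]@{ Country = 'Exampleland'; City = 'Sampleville'; Latitude = 10.5; Longitude = 20.25 } }
$demoLog = Join-Path ([System.IO.Path]::GetTempPath()) 'failed_rdp_demo.log'
Write-AttackerLog -Events @(ConvertFrom-FailedLogonXml -EventXml $SampleEventXml) -LogPath $demoLog -Resolver $demoResolver
Get-Content $demoLog
```

On the VM itself, replace the demo call with `Write-AttackerLog -Events (Get-FailedLogonEvents) -LogPath C:\ProgramData\failed_rdp.log` inside a loop, and point the Log Analytics custom log at that path. Keeping `$GeoCache` alive across iterations is what keeps the script inside a free geo-IP tier while a brute-force run hammers the VM; usernames containing commas would need escaping in this simple delimiter format.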
Visualization with Microsoft Sentinel
In Microsoft Sentinel (the SIEM itself), I created a workbook with a custom query to plot the data on a map. This let me see the geographic locations of the attackers attempting to break into the VM.
Observations
Almost immediately, I could see attackers attempting to break in. Most attempts came from IPs located in Saudi Arabia, with others from Japan. (The failed attempts from the United States were my own tests.)
Conclusion
Just like that, I had a basic honeypot and SIEM interface in Azure that provides useful insight.
This shows the threat attackers pose to weakly secured systems and how their activity can be monitored and tracked. While this is a pretty basic setup, I believe it lays the groundwork for implementing more sophisticated security measures and alerts to safeguard systems against real-world threats.