This first phase of the project sets up the lab. We create an Azure account with a free trial subscription, deploy the virtual machine that will serve as the honeypot, create a Log Analytics workspace and turn on log collection, connect the workspace to the virtual machine, and finally add Microsoft Sentinel on top of the workspace so it can act as the Security Information and Event Management (SIEM) solution and visualize the attack data.
Create an Azure Account with the free trial subscription
Create a Virtual Machine
Create a Log Analytics Workspace
Enable Log Gathering with Microsoft Defender for Cloud
Connect Log Analytics Workspace to the Virtual Machine
Set up Microsoft Sentinel
Creating an Azure Account
Sign in or create a new account for the Azure free trial. You will have to enter your credit card information to get the trial subscription with $200 of free credit.
After the subscription is created, head to Azure Portal and select the account that has been associated with the trial subscription.
Creating a Virtual Machine
This is the machine that will be exposed to the attackers (the honeypot machine).
1. In the Azure Portal search bar, search for virtual machines and click it.
Search Bar - Virtual Machines
2. Create > Azure virtual machine
Create a Virtual Machine Page
3. Create a new resource group and name it: Lab-Honeypot
Create a new resource group
4. In the Basic tab - Change instance details:
- Virtual machine name: honeypot-vm
- Region: (US) West US 3
- Availability options: No infrastructure redundancy required
- Security type: Standard
- Image: Windows 10 Pro, version 22H2 - x64 Gen2 (free service eligible)
- Size: Standard_B1s - 1 vcpu, 1 GiB memory ($7.59/month) (free service eligible)
- Administrator account: choose your own username and password (you will need them to log in to the VM; do not reuse credentials from anywhere else, since this machine is meant to be attacked)
Instance Details
5. Leave the Disks tab as it is > Next: Networking
6. In the Networking tab:
- NIC network security group: Advanced
- Configure network security group: Create new
- Delete the default inbound rule
- Add an inbound rule (leave Source, Source port ranges, Protocol and Action at their defaults of Any, *, Any and Allow):
- Destination port ranges: * (meaning every port)
- Priority: 100
- Name: DANGER
This rule exposes every port of the VM to the entire internet. That is the point of a honeypot, but it also means the machine should be treated as compromised from the moment it is deployed: keep nothing of value on it and delete the whole resource group when the lab is over.
Create a new inbound rule
7. Click Review + create at the bottom left corner > Create
Review + create
8. Wait for the deployment to finish; the honeypot VM is now running.
Honeypot Machine Created
Creating a Log Analytics Workspace
1. In [Azure Portal](https://portal.azure.com/?quickstart=true#home) search bar, search: Log Analytics workspaces and click it > Create
2. In the Basics tab, select the resource group and fill in the instance details:
- Resource group: Lab-Honeypot
- Name: law-honeypot
- Region: West US 2 (the workspace region does not have to match the VM's region)
Create Log Analytics Workspace
3. Click Review + create at the bottom left corner > Create
4. The Log Analytics workspace is created.
Successfully created Log Analytics Workspace
Enable Log Gathering with Microsoft Defender for Cloud
1. In [Azure Portal](https://portal.azure.com/?quickstart=true#home) search bar, search: Microsoft Defender for Cloud
2. On the left side, click Environment settings under Management > expand Azure subscription 1 > click law-honeypot
Navigating in Microsoft Defender for Cloud
3. Turn on the Servers plan and leave SQL servers on machines off > Save
Settings | Defender Plans
4. Click Data collection on the left > select All events > Save. This is what sends the VM's full Windows security event log to the workspace, rather than only a filtered subset.
Settings | Defender Collection
Connecting Log Analytics Workspace to the Virtual Machine
1. In [Azure Portal](https://portal.azure.com/?quickstart=true#home) search bar, search: Log Analytics workspaces
2. Click law-honeypot > scroll down the left bar > click Virtual machines (deprecated) under Classic
law-honeypot | Virtual machines (deprecated)
3. Click honeypot-vm in the list, then click Connect. This installs the legacy Log Analytics agent on the VM, which is why the blade is marked deprecated.
Successfully Connected our Log Analytics Workspace and VM (deprecated)
Setup Microsoft Sentinel
1. In [Azure Portal](https://portal.azure.com/?quickstart=true#home) search bar, search: Microsoft Sentinel > Create
2. Pick law-honeypot and click Add to attach Microsoft Sentinel to the workspace.
Successfully Added Sentinel to our Workspace
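The same setup can be scripted with the Azure CLI instead of clicked through the portal. The following script is an added example and not part of the original post; it reuses the page's names (Lab-Honeypot, honeypot-vm, law-honeypot, the DANGER rule), but the NSG name honeypot-nsg, the marketplace image URN for Windows 10 Pro 22H2 Gen2, and the use of the `sentinel` CLI extension for onboarding are this script's own assumptions. It assumes `az` is installed and logged in to the trial subscription. Two portal-only steps are not scripted: confirming the Windows client licence in the VM wizard and switching Defender's data collection to All events. With `DRY_RUN=1` the script prints the commands it would run instead of executing them.

```bash
#!/usr/bin/env bash
# Scripted equivalent of the portal steps above (added example, not from the original post).
set -eu

RG="Lab-Honeypot"
VM="honeypot-vm"
NSG="honeypot-nsg"            # assumed name; the portal wizard generates one for you
LAW="law-honeypot"
VM_LOCATION="westus3"
LAW_LOCATION="westus2"
# Windows 10 Pro, 22H2, x64 Gen2 (assumed URN matching the portal's image choice)
IMAGE="MicrosoftWindowsDesktop:Windows-10:win10-22h2-pro-g2:latest"
ADMIN_USER="${ADMIN_USER:-labadmin}"   # pick your own; Azure rejects names like "admin"
ADMIN_PASS="${ADMIN_PASS:-}"           # must be set before deploying; never reuse it elsewhere

# run: execute an az command, or print it when DRY_RUN=1 (the password is printed too).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}
# query: like run, but used where the command's output is needed; dry run yields a placeholder.
query() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'az %s\n' "$*" >&2; echo "<dry-run>"; else az "$@"; fi
}

create_vm() {
  run group create --name "$RG" --location "$VM_LOCATION"
  # --nsg-rule NONE: start with no inbound rule (the portal's "delete the default rule" step),
  # then add the wide-open rule explicitly in open_all_inbound.
  run vm create --resource-group "$RG" --name "$VM" --location "$VM_LOCATION" \
    --image "$IMAGE" --size Standard_B1s \
    --admin-username "$ADMIN_USER" --admin-password "$ADMIN_PASS" \
    --nsg "$NSG" --nsg-rule NONE --public-ip-sku Standard
}

open_all_inbound() {
  # The DANGER rule: any source, any protocol, every destination port. This is the bait.
  run network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name DANGER \
    --priority 100 --direction Inbound --access Allow --protocol '*' \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'
}

create_workspace() {
  run monitor log-analytics workspace create --resource-group "$RG" \
    --workspace-name "$LAW" --location "$LAW_LOCATION"
}

enable_defender_for_servers() {
  # Defender for Cloud "Servers" plan on the subscription; the SQL plan stays off.
  # Data collection "All events" is still switched on in the portal afterwards.
  run security pricing create --name VirtualMachines --tier standard
}

connect_vm_to_workspace() {
  # Legacy Log Analytics (MMA) agent, i.e. the "Virtual machines (deprecated)" connection.
  ws_id=$(query monitor log-analytics workspace show --resource-group "$RG" \
            --workspace-name "$LAW" --query customerId -o tsv)
  ws_key=$(query monitor log-analytics workspace get-shared-keys --resource-group "$RG" \
            --workspace-name "$LAW" --query primarySharedKey -o tsv)
  run vm extension set --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.EnterpriseCloud.Monitoring --name MicrosoftMonitoringAgent \
    --version 1.0 \
    --settings "{\"workspaceId\":\"$ws_id\"}" \
    --protected-settings "{\"workspaceKey\":\"$ws_key\"}"
}

enable_sentinel() {
  # Assumes the sentinel extension is installed: az extension add --name sentinel
  run sentinel onboarding-state create --resource-group "$RG" --workspace-name "$LAW" --name default
}

deploy_honeypot() {
  [ -n "$ADMIN_PASS" ] || { echo "set ADMIN_PASS first" >&2; return 1; }
  create_vm; open_all_inbound; create_workspace
  enable_defender_for_servers; connect_vm_to_workspace; enable_sentinel
}

teardown_honeypot() {
  # The VM will be compromised; remove everything when the lab is over.
  run group delete --name "$RG" --yes --no-wait
}

case "${1:-}" in
  deploy)   deploy_honeypot ;;
  teardown) teardown_honeypot ;;
esac
```

Preview with `DRY_RUN=1 ADMIN_PASS='...' ./honeypot.sh deploy`, then run it for real without `DRY_RUN`; `./honeypot.sh teardown` deletes the whole resource group, which is the only safe way to finish with a machine that has been left open on every port.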