Building a SIEM & using a VM as a Honeypot

Abram, November 21, 2023

In my latest project I created a SIEM using Azure Sentinel and used a VM as a honeypot. From there I was able to log information into my SIEM about real, live attacks occurring inside the honeypot.

In my first image, I created the VM using Azure. After that I disabled the firewalls and allowed all access to the VM, since it would be used as a honeypot for attackers.

Once I had created my VM and configured the settings, I entered the VM using Remote Desktop and turned off the firewalls inside the VM.

Once I had completed the security configuration, I ran a PowerShell script to extract metadata from Windows Event Viewer and forward it to a third-party API in order to derive geolocation data, shown below, by intentionally using an incorrect password to enter the VM.

After I completed these steps I went into Azure Sentinel to track my security logs, and it ended with over 2500 security events in just over 2 hours.

Thank you all for tuning in! This was a very good project that gave me more knowledge and understanding of how to build SIEMs, honeypots, and VMs, and how they can all be used as one and connect with each other.
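
The event-extraction step described above, as an added example rather than the script used in the post: it reads failed-logon events (Event ID 4625) from the Windows Security log and writes one line per attempt to a custom log file. The log path, the field layout, and the `Get-GeoInfo` stub standing in for the third-party geolocation API are assumptions.

```powershell
# Added example (not the original script). Run from an elevated session:
# reading the Security log requires administrator rights.
$LogFile = 'C:\ProgramData\failed_rdp.log'   # hypothetical path

function Get-GeoInfo {
    param([string]$IpAddress)
    # Stub (assumption): replace the body with a call to your geolocation
    # provider. It returns fixed values so the script runs offline.
    [pscustomobject]@{ Country = 'unknown'; Latitude = 0; Longitude = 0 }
}

function ConvertTo-SafeField {
    param([string]$Value)
    # The username is attacker-controlled: strip delimiters and newlines so
    # a crafted value cannot forge extra fields or log lines.
    $Value -replace '[,\r\n]', '_'
}

function Get-FailedLogon {
    param([datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event 4625 carries its details as named <Data> elements.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = $data['TargetUserName']
                SourceIp    = $data['IpAddress']
                Computer    = $_.MachineName
            }
        }
}

# Keep only network logons that recorded a source address ('-' means none).
Get-FailedLogon -Since (Get-Date).AddHours(-1) |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    ForEach-Object {
        $geo  = Get-GeoInfo -IpAddress $_.SourceIp
        $line = 'timestamp:{0:o},user:{1},sourceip:{2},host:{3},country:{4},latitude:{5},longitude:{6}' -f `
            $_.TimeCreated, (ConvertTo-SafeField $_.User), $_.SourceIp, $_.Computer,
            (ConvertTo-SafeField $geo.Country), $geo.Latitude, $geo.Longitude
        Add-Content -Path $LogFile -Value $line
    }
```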