Nate-NJ/HoneyPot-lab-In-Azure
SIEM | Honeypot RDP Home Lab

Description

This project consisted of setting up Microsoft Sentinel (a SIEM) in Azure. I connected the SIEM to a live virtual machine configured as a honeypot and observed live attacks from all over the world, which were logged as audit failures (RDP brute-force attempts) on the VM. I used a custom PowerShell script to look up each attacker's geolocation and plotted the results on the Microsoft Sentinel map.

Languages and Utilities Used

  • PowerShell
  • SIEM
  • Microsoft Sentinel
  • Honeypot
  • Remote Desktop Protocol

Environments Used

  • Windows 11
  • Virtual Machine

Project Walk-through (each step was documented with a screenshot in the original):

  • Create Virtual Machine in Azure
  • Create Log Analytics Workspace
  • Connect VM to Log Analytics
  • Observe Event Viewer Logs in VM
  • Turn off Firewall on VM to expose VM to internet (honeypot)
  • Ping VM IP from Command Prompt
  • Link Geolocation.io API Key
  • Modify Log Analytics Custom Fields to Train the Algorithm to Pull Correct Latitude and Longitude Data Points
  • Extract Fields from Raw Custom Data Log
  • Set up Map Query in Sentinel with Latitude and Longitude
  • Configure Map Settings in Sentinel to Pin Failed Login Attempts on Map
  • Final Failed Login count data (VM was live for only a few hours)
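As an added example (not the repository's own script), this is the shape of the PowerShell collector the description and the "Link Geolocation.io API Key" / "Extract Fields from Raw Custom Data Log" steps refer to: it reads failed-logon events from the Security log, geolocates the source address, and appends one flat key:value line per event so that Log Analytics custom fields can pull latitude and longitude. Assumed here and not from the page: the ipgeolocation.io `ipgeo` endpoint and its response field names, a placeholder API key, and the output path that the Log Analytics agent is configured to collect as a custom log.

```powershell
# Added example, not the repository's script. Assumptions: the ipgeolocation.io
# "ipgeo" endpoint and its response fields, a placeholder API key, and a log
# path (C:\ProgramData\failed_rdp.log) that the Log Analytics agent collects as
# a custom log. Reading the Security log requires an elevated session.
$ApiKey   = 'YOUR_API_KEY_PLACEHOLDER'
$LogFile  = 'C:\ProgramData\failed_rdp.log'
$GeoCache = @{}   # one API lookup per source IP
$Seen     = @{}   # event RecordIds already written, so reruns do not duplicate

function Get-FailedRdpLogons {
    # Event ID 4625 = "An account failed to log on". The remote address is the
    # IpAddress element of the event XML; "-" or "::1" means no remote client.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                RecordId  = $_.RecordId
                Timestamp = $_.TimeCreated.ToUniversalTime().ToString('o')
                Username  = $data['TargetUserName']
                SourceIp  = $data['IpAddress']
            }
        } | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' -and $_.SourceIp -ne '::1' }
}

function Get-GeoInfo([string]$Ip) {
    # Cache per IP so a brute-force burst from one host does not burn the API quota.
    if (-not $script:GeoCache.ContainsKey($Ip)) {
        $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
        $script:GeoCache[$Ip] = Invoke-RestMethod -Uri $uri -Method Get
    }
    $script:GeoCache[$Ip]
}

while ($true) {
    foreach ($e in Get-FailedRdpLogons) {
        if ($Seen.ContainsKey($e.RecordId)) { continue }
        $geo = Get-GeoInfo $e.SourceIp
        # One flat line per event; each key becomes a custom field in Log Analytics.
        $line = "latitude:$($geo.latitude),longitude:$($geo.longitude),country:$($geo.country_name)," +
                "state:$($geo.state_prov),sourcehost:$($e.SourceIp),username:$($e.Username),timestamp:$($e.Timestamp)"
        Add-Content -Path $LogFile -Value $line
        $Seen[$e.RecordId] = $true
    }
    Start-Sleep -Seconds 60
}
```

The Sentinel map query then reads the `latitude` and `longitude` custom fields extracted from this log and pins each failed login at those coordinates.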
