Update README.md

2025-07-01 18:08:32 +00:00 · 2025-07-01 18:08:32 +00:00 · 76c5fdbd81
commit 76c5fdbd81
parent 54b52c229e
1 changed files with 251 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,253 @@
 # azure_soc
 # azure_soc
 # Azure Sentinel Honeypot with Geographic Attack Visualization
 A cybersecurity project demonstrating the deployment of a Windows honeypot in Azure with real-time attack monitoring and geographic visualization using Azure Sentinel.
 ## Project Overview
 This project creates a vulnerable Windows virtual machine (honeypot) in Azure to attract malicious actors, then uses Azure Sentinel to collect, analyze, and visualize security events with geographic context. The setup monitors failed RDP login attempts and displays attack origins on an interactive world map.
 ## Architecture
 - **Azure Subscription**: Cloud platform hosting all resources
 - **Resource Group**: Container for project resources
 - **Virtual Network**: Isolated network environment
 - **Windows VM (Honeypot)**: Intentionally vulnerable target system
 - **Log Analytics Workspace**: Centralized log collection and analysis
 - **Azure Sentinel**: SIEM solution for threat detection and visualization
 - **Geographic Data Integration**: IP-to-location mapping for attack visualization
 ## Prerequisites
 - Active Azure subscription
 - Basic understanding of Azure services
 - RDP client for VM access
 - PowerShell/Azure CLI (optional)
 ## Implementation Steps
 ### 1. Initial Azure Setup
 #### Create Resource Group
 1. Navigate to Azure Portal
 2. Create new Resource Group
 3. Select appropriate region
 4. Name the resource group (e.g., `honeypot-rg`)
 #### Create Virtual Network
 1. Create Virtual Network in the same resource group
 2. Configure address space (e.g., 10.0.0.0/16)
 3. Create subnet for VM placement
 4. Use default DNS and security settings
 ### 2. Honeypot VM Deployment
 #### VM Configuration
 1. Create new Windows Virtual Machine
 2. **VM Details:**
   - Name: `honeypot-vm`
   - Username: `naxslabs`
   - Password: `Password123!`
   - Size: Standard B2s (or similar)
 3. Place in created resource group and virtual network
 4. Configure networking settings
 ![Current Resource Group](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/az-nxs-rg.png)
 #### Security Configuration (Intentionally Permissive)
 1. **Remove default RDP rule** from Network Security Group
 2. **Create new inbound rule:**
   - Source: Any (0.0.0.0/0)
   - Destination: Any
   - Protocol: Any
   - Action: Allow
   - Priority: 100
   - Name: `HoneyPot-AllowAnyCustomAny`
 *[Screenshot: NSG rule configuration]*
 ![NSG Rule](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/permissive-nsg.png)
 ### 3. Disable Defender Firewall
 #### Access VM via RDP
 1. Connect to VM using public IP
 2. Login with credentials: `naxslabs` / `Password123!`
 #### Disable Windows Firewall
 1. Open Windows Defender Firewall
 2. Turn off firewall for all network profiles:
   - Domain network
   - Private network  
   - Public network
 ![Firewall Disabled](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/rdp_disable_defenderfw.png)
 ### 4. Generate Test Security Events
 #### Failed Login Attempts
 1. Attempt RDP connections with incorrect usernames
 2. Try various common usernames (admin, administrator, guest, etc.)
 3. Generate multiple failed login events
 #### Verify Event Generation
 1. Open Event Viewer on honeypot VM
 2. Navigate to Windows Logs > Security
 3. Filter for Event ID 4625 (Failed logon attempts)
 4. Verify events are being generated with source IP addresses
 ![Event Viewer showing 4625 events](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/eventviewer-security-log.png)
 ### 5. Log Analytics Workspace Setup
 #### Create Log Analytics Workspace
 1. Create new Log Analytics Workspace
 2. Place in same resource group
 3. Select appropriate region and pricing tier
 ![Create Log Analytics Workspace](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/log-analytics-workspace.png)
 ### 6. Azure Sentinel Configuration
 #### Enable Sentinel
 1. Navigate to Azure Sentinel
 2. Connect Sentinel to the Log Analytics Workspace
 3. Wait for deployment to complete
 ![Add Sentinel to a Workspace](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/sentinel.png)
 #### Install Data Connectors
 1. Go to Sentinel > Content Hub
 2. Install **Windows Security Events** connector
 3. Install **Azure Monitor Agent (AMA)** connector
 4. Configure connectors to collect Security Events
 ![Deploy AMA](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/az-monitoring-agent.png)
 ### 7. Geographic Data Integration
 #### Create Watchlist for GeoIP Data
 1. Prepare CSV file with geographic IP data containing:
   - IP ranges or specific IPs
   - Country codes
   - Latitude/Longitude coordinates
   - City/Region information
 2. **Upload Watchlist:**
   - Navigate to Sentinel > Configuration > Watchlists
   - Click "Add new"
   - Name: `geoip`
   - Alias: `geoip`
   - Upload the CSV file
   - Set search key to network
 #### Verify Watchlist Data
 1. Wait for upload completion
 2. Test watchlist query: `_GetWatchlist("geoip")`
 3. Verify data is accessible in KQL queries
 ### 8. Attack Visualization Workbook
 #### Create Custom Workbook
 1. Navigate to Sentinel > Threat Management > Workbooks
 2. Click "Add workbook"
 3. Remove default template items
 4. Add new query visualization
 *[Screenshot: Workbook creation]*
 #### Configure Map Visualization
 1. **Add Query Component:**
   - Click "Add" > "Add query"
   - Select "Advanced Editor"
   - Paste custom KQL query (See JSON file)
 ![Attack Map](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/AttackMap.png)
 ```
 #### Save and Configure Workbook
 1. Save workbook to appropriate region
 2. Set auto-refresh intervals
 3. Wait for login failures or simulate using a vpn
 4. Test map functionality
 ```
 ![Failed Logins](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/failed-logins.png)
 ## Monitoring and Analysis
 ### Key Metrics to Monitor
 - Failed RDP login attempts (Event ID 4625)
 - Source IP geographic distribution
 - Attack frequency patterns
 - Common username attempts
 - Time-based attack trends
 ### Sample Query
 ![GEOIP](https://git.naxslabs.com/darnellkeith/azure_soc/raw/branch/main/images/geoip.png)
 ## Security Considerations
 ⚠️ **Warning**: This project intentionally creates vulnerable infrastructure for educational purposes.
 ### Important Notes
 - **Never use this setup in production environments**
 - Monitor costs as honeypots can generate significant traffic
 - Regularly review and clean up resources
 - Be aware of any potential legal implications in your jurisdiction
 ### Cleanup Recommendations
 1. Delete resource group when project is complete
 2. Verify all associated resources are removed
 3. Check for any remaining charges
 ## Troubleshooting
 ### Common Issues
 - **No attack data appearing**: Verify NSG rules are permissive enough
 - **Missing events**: Confirm AMA agent is installed and data collection rules are active
 ### Verification Steps
 1. Check VM is accessible via RDP from internet
 2. Verify Event ID 4625 events in Windows Event Viewer
 3. Confirm data flowing to Log Analytics Workspace
 4. Test watchlist queries in Sentinel
 This project demonstrates:
 - Real-world attack patterns and frequencies
 - Geographic distribution of cyber threats
 - Effectiveness of Azure Sentinel for threat monitoring
 - Importance of proper security configurations
 ## Next Steps
 ### Potential Enhancements
 - Add additional honeypot services (SSH, HTTP, etc.)
 - Implement automated threat response
 - Create custom analytics rules
 - Integrate with threat intelligence feeds
 ### Learning Outcomes
 - Hands-on experience with Azure security services
 - SIEM configuration and log analysis skills
 - Network security and monitoring concepts
 **Disclaimer**: This project is for educational and research purposes only. Always follow responsible disclosure practices and comply with applicable laws and regulations.