Project Archives

REPORT_01

Azure SOC & Honeypot

Threat Intelligence & SIEM Engineering

INITIALIZE BRIEFING →

[ Deployment Pending ]

Azure SOC & Honeypot Monitoring Environment

I. Project Overview

This project involved the end-to-end deployment of a Security Operations Center (SOC) framework within Microsoft Azure. By engineering a deliberately insecure Windows 10 endpoint (CORP-LOCAL3) to serve as a Honeypot, I captured and analyzed real-world RDP brute-force attacks. The project culminated in the ingestion of security telemetry into Microsoft Sentinel (SIEM) for live monitoring and threat intelligence gathering.

II. Technical Architecture

1. Infrastructure Deployment (Azure)

Virtualization: Provisioned a Windows 10 instance (CORP-LOCAL3) acting as the primary target for external reconnaissance.
Networking & Exposure: Configured the Network Security Group (NSG) with an inbound security rule allowing all traffic. This effectively bypassed the Azure perimeter, exposing the VM to the public internet.
Internal De-Hardening: Utilized PowerShell to disable the local Windows Firewall and guest OS security features.

2. SIEM & Log Pipeline Engineering

Log Analytics Workspace (LAW): Established a central repository to aggregate logs and stream Event Viewer data.
Microsoft Sentinel: Connected Sentinel to the LAW to watch for Event ID 4625 (failed login attempts).
Custom Data Parsing: Developed KQL queries to extract the Latitude, Longitude, and Source IP of attackers.

SecurityEvent | where EventID == 4625 | extend Attacker_IP = SourceIP | summarize Count = count() by Attacker_IP, Account, Computer | order by Count desc

3. Analysis & Observation

Discovery: Within 60 minutes, the environment identified automated scanning and active brute-force attempts.
Profiling: Observed attackers using common admin usernames and rotating through thousands of password variations.

III. Core Competencies

■ SIEM: Microsoft Sentinel / LAW
■ Cloud: Azure VM, Networking, NSG
■ Query Language: KQL (Kusto)
■ Concepts: Honeypots & Intelligence

IV. Key Takeaways

Visibility: Sentinel transformed raw logs into actionable intelligence.
Automation: Internet resources are discovered by botnets in under 1 hour.