Building A SOC + Honeynet in Azure

Uploaded by daniel.trindade

Building a SOC + Honeynet in Azure
By odiraonodugo

Edited by www.purplehackademy.com
SOC-Cybersecurity-Project

Building a SOC + Honeynet in Azure


(Live Traffic)

Introduction
In this project, I build a mini honeynet in Azure and ingest log sources from various
resources into a Log Analytics workspace, which Microsoft Sentinel then uses to
build attack maps, trigger alerts, and create incidents. I measured some security
metrics in the insecure environment for 24 hours, applied some security controls to
harden the environment, measured metrics for another 24 hours, and then show the
results below. The metrics we will show are:

• SecurityEvent (Windows Event Logs)
• Syslog (Linux Event Logs)
• SecurityAlert (Log Analytics Alerts Triggered)
• SecurityIncident (Incidents created by Sentinel)
• AzureNetworkAnalytics_CL (Malicious Flows allowed into our honeynet)
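The attack maps mentioned above are driven by failed-logon data from the two VM log sources. The following KQL query is an added example, not part of the original write-up, showing how those two sources can be normalised into one table of failed logons per source IP (the shape a map workbook consumes). The time window is the "before" window from the tables below; the Syslog regular expressions assume the standard OpenSSH "Failed password for ... from <ip>" message format.

```kql
// Added example (not from the original write-up): failed logons per source IP,
// combining Windows (SecurityEvent 4625) and Linux (Syslog sshd) sources.
let startTime = datetime(2023-05-04T13:41:13Z);
let stopTime  = datetime(2023-05-05T13:41:13Z);
// Windows: EventID 4625 = "An account failed to log on"; IpAddress is the remote host.
let windowsFailures = SecurityEvent
    | where TimeGenerated between (startTime .. stopTime)
    | where EventID == 4625
    | project TimeGenerated, SourceIp = IpAddress, Account, Source = "Windows";
// Linux: sshd writes "Failed password for [invalid user] <user> from <ip> port <n>"
// to the auth facility; pull the IP and account out of the free-text message.
// (Regex assumes the standard OpenSSH message format.)
let linuxFailures = Syslog
    | where TimeGenerated between (startTime .. stopTime)
    | where Facility in ("auth", "authpriv") and SyslogMessage has "Failed password"
    | extend SourceIp = extract(@"from\s+(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage),
             Account  = extract(@"for\s+(?:invalid user\s+)?(\S+)\s+from", 1, SyslogMessage)
    | where isnotempty(SourceIp)
    | project TimeGenerated, SourceIp, Account, Source = "Linux";
union windowsFailures, linuxFailures
// Drop local/placeholder addresses that would otherwise dominate the map.
| where SourceIp !in ("-", "127.0.0.1", "::1")
| summarize FailedLogons = count(),
            DistinctAccounts = dcount(Account),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
  by SourceIp, Source
| order by FailedLogons desc
```

Run this in the Log Analytics workspace that Sentinel is attached to. For plotting, each row can be enriched with a geolocation lookup (for example the built-in geo_info_from_ip_address() function, or a GeoIP watchlist as many Sentinel workbooks use) and rendered with the workbook map visualisation; after hardening, the same query should return no rows for the 24-hour window, which matches the "no results" observation reported below.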

Architecture Before Hardening / Security Controls


Architecture After Hardening / Security Controls

The architecture of the mini honeynet in Azure consists of the following components:

• Virtual Network (VNet)
• Network Security Group (NSG)
• Virtual Machines (2 Windows, 1 Linux)
• Log Analytics Workspace
• Azure Key Vault
• Azure Storage Account
• Microsoft Sentinel

For the "BEFORE" metrics, all resources were originally deployed exposed to the
internet. The Virtual Machines had both their Network Security Groups and built-in
firewalls wide open, and all other resources were deployed with public endpoints
visible to the Internet; that is, no Private Endpoints were used.

For the "AFTER" metrics, Network Security Groups were hardened by blocking ALL
traffic with the exception of my admin workstation, and all other resources were
protected by their built-in firewalls as well as Private Endpoints.
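A practical way to confirm that the NSG hardening described above actually took effect is to query the subscription for inbound Allow rules that are still open to the Internet. The Azure Resource Graph query below is an added example and is not part of the original write-up; after hardening it should list only the rule scoped to the admin workstation's address (the rule name AllowAdminWorkstation used in the comments is an assumption, not something the page states).

```kql
// Added example (not from the original write-up): list inbound NSG rules that allow
// traffic from any/Internet sources. Run in Azure Resource Graph Explorer.
// In a hardened honeynet the only inbound Allow rule should be the one scoped to the
// admin workstation's IP (assumed name: AllowAdminWorkstation), so this query
// should return no rows.
Resources
| where type =~ "microsoft.network/networksecuritygroups"
// Custom rules live in properties.securityRules; expand to one row per rule.
| mv-expand rule = properties.securityRules
| where tostring(rule.properties.direction) =~ "Inbound"
    and tostring(rule.properties.access) =~ "Allow"
// A rule carries either a single sourceAddressPrefix or an array sourceAddressPrefixes.
| extend sourcePrefix   = tostring(rule.properties.sourceAddressPrefix),
         sourcePrefixes = tostring(rule.properties.sourceAddressPrefixes)
| where sourcePrefix in~ ("*", "Internet", "0.0.0.0/0", "any")
    or sourcePrefixes has_any ("*", "Internet", "0.0.0.0/0")
| project nsg = name,
          resourceGroup,
          ruleName = tostring(rule.name),
          priority = toint(rule.properties.priority),
          sourcePrefix,
          sourcePrefixes,
          destPort = tostring(rule.properties.destinationPortRange)
| order by nsg asc, priority asc
```

Note that the NSG default rules (DenyAllInBound and the VNet/load-balancer allows) sit in properties.defaultSecurityRules rather than properties.securityRules, so they are intentionally excluded here; the wide-open "BEFORE" configuration shows up as a custom rule with a "*" or "Internet" source, which is exactly what this query surfaces. The same check does not cover the VMs' built-in OS firewalls, which the write-up also hardened; those have to be verified on the host.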

Attack Maps Before Hardening / Security Controls


Metrics Before Hardening / Security Controls
The following table shows the metrics we measured in our insecure environment for
24 hours:
Start Time: 2023-05-04 13:41:13
Stop Time: 2023-05-05 13:41:13

Metric                     Count
SecurityEvent              28160
Syslog                     5023
SecurityAlert              197
SecurityIncident           6
AzureNetworkAnalytics_CL   674

Attack Maps After Hardening / Security Controls


All map queries actually returned no results due to no instances of malicious
activity for the 24-hour period after hardening.

Metrics After Hardening / Security Controls
The following table shows the metrics we measured in our environment for another
24 hours, but after we have applied security controls:
Start Time: 2023-05-06 09:12:53
Stop Time: 2023-05-07 09:12:53

Metric                     Count
SecurityEvent              11292
Syslog                     25
SecurityAlert              0
SecurityIncident           0
AzureNetworkAnalytics_CL   0
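Both metric tables (before and after hardening) come from the same measurement: a row count per table over a fixed 24-hour window. The following KQL is an added example, not the author's own query, that produces all five counts in one result set so the two runs differ only in the window bounds; it is shown with the "after" window. The malicious-flow filter on AzureNetworkAnalytics_CL (FlowType_s == "MaliciousFlow" with AllowedInFlows_d > 0) is the Traffic Analytics schema's way of expressing "malicious flows allowed in", and is an assumption about how the page's fifth metric was derived.

```kql
// Added example (not from the original write-up): the five honeynet metrics for one
// measurement window, as a single Log Analytics / Sentinel query.
// Change the two datetimes to the "before" window to reproduce the first table.
let startTime = datetime(2023-05-06T09:12:53Z);
let stopTime  = datetime(2023-05-07T09:12:53Z);
union
    (SecurityEvent
        | where TimeGenerated between (startTime .. stopTime)
        | summarize Count = count()
        | extend Metric = "SecurityEvent"),
    (Syslog
        | where TimeGenerated between (startTime .. stopTime)
        | summarize Count = count()
        | extend Metric = "Syslog"),
    (SecurityAlert
        | where TimeGenerated between (startTime .. stopTime)
        | summarize Count = count()
        | extend Metric = "SecurityAlert"),
    // SecurityIncident keeps one row per incident update; count() matches the page's
    // row-count method, while dcount(IncidentNumber) would count distinct incidents.
    (SecurityIncident
        | where TimeGenerated between (startTime .. stopTime)
        | summarize Count = count()
        | extend Metric = "SecurityIncident"),
    // Traffic Analytics (NSG flow logs): only flows tagged malicious that were allowed in.
    // (Assumed filter; adjust if your workspace tags flows differently.)
    (AzureNetworkAnalytics_CL
        | where TimeGenerated between (startTime .. stopTime)
        | where FlowType_s == "MaliciousFlow" and AllowedInFlows_d > 0
        | summarize Count = count()
        | extend Metric = "AzureNetworkAnalytics_CL")
// summarize count() on an empty input still yields one row with 0, so a quiet
// post-hardening window produces explicit zeros rather than missing metrics.
| project Metric, Count
| order by Metric asc
```

Because each sub-query is bounded by TimeGenerated, the comparison is only fair if the two windows are the same length and the ingestion latency for the last few minutes of each window has elapsed before the query is run; counting a window that is still open undercounts the tail of that window.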

Change after hardening:
• SecurityEvent (-98.27%)
• Syslog (-100%)
• SecurityAlert (-100%)
• SecurityIncident (-100%)
• AzureNetworkAnalytics_CL (-100%)

Azure Secure Score: 30% to 77%

Conclusion
In this project, a mini honeynet was constructed in Microsoft Azure and log sources
were integrated into a Log Analytics workspace. Microsoft Sentinel was employed to
trigger alerts and create incidents based on the ingested logs. Additionally, metrics
were measured in the insecure environment before security controls were applied,
and then again after implementing security measures. It is noteworthy that the
number of security events and incidents was drastically reduced after the security
controls were applied, demonstrating their effectiveness.

It is worth noting that if the resources within the network were heavily utilized by
regular users, it is likely that more security events and alerts would have been
generated within the 24-hour period following the implementation of the security
controls.
