This project did not take long to implement, but it gave me valuable skills. Essentially, it is a honeypot on the internet: whenever someone tries to log in and fails, the attempt is logged. From the log information I can obtain their IP address and map their location. This was implemented in Microsoft Azure!
First things first, I set up a Microsoft Azure account. If it is your first time signing up, Microsoft does give you a free $200 credit you can use. I used that and didn't use all of it; it's pretty neat.
We then create the honeypot VM and disable all of its firewall settings. This ensures the VM is discoverable and enticing for somebody trying to get in. I set up a very secure password to ensure no break-ins are possible!
After the VM is set up, we run PowerShell ISE and plug in the code to check the Event Viewer for failed login attempts (Event ID 4625). This runs continuously, and if it captures anything, it sends it over to Log Analytics.
This is where the fun begins; it sends the information, including everything from the longitude and latitude to the country of origin. We take this raw data and filter it in Log Analytics. This is then sent to Sentinel, where it is finally mapped out. If you're curious about the error, that is because I ran out of API calls. In the next image you can see why lol.
Mapping the information out wasn't hard; you create and add a new workbook, and then it can map it out for you! This part is also funny to me because I left the VM to run and I came back to find that 3 bots were trying to brute-force their way into my VM. They tried at least 2.5k of those attempts. They eventually used up all my API calls for GeoIP, and that's why it would give me that error.
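The collection step described above (poll Event ID 4625, geolocate the source, write a line for Log Analytics), as an added example rather than the tutorial's or the author's script. The log path, the line layout and the ip-api.com endpoint are assumptions made here; the per-IP cache is the one addition worth copying, because a few bots retrying thousands of times will otherwise burn through a GeoIP quota exactly as happened above.

```powershell
# Added example, not the tutorial's script: poll the Security log for failed
# logons (Event ID 4625), geolocate each unique source IP only once, and append
# one delimited line per event to a file that Log Analytics can ingest as a
# custom log. The log path, the line layout and the ip-api.com endpoint are
# assumptions made here. Run as Administrator (the Security log requires it).
$LogPath     = 'C:\ProgramData\failed_rdp.log'   # assumed path
$GeoEndpoint = 'http://ip-api.com/json/'          # assumed provider; free tier is rate-limited
$GeoCache    = @{}   # IP -> geo result, so a bot retrying thousands of times costs one lookup

function Get-GeoInfo {
    param([string]$Ip)
    if ($GeoCache.ContainsKey($Ip)) { return $GeoCache[$Ip] }
    try {
        $r = Invoke-RestMethod -Uri "$GeoEndpoint$Ip" -TimeoutSec 5
        $info = [pscustomobject]@{ Lat = $r.lat; Lon = $r.lon; Country = $r.country; State = $r.regionName }
    } catch {
        # Quota exhausted or network error: keep the event and mark geo as unknown rather than dropping it
        $info = [pscustomobject]@{ Lat = ''; Lon = ''; Country = 'unknown'; State = 'unknown' }
    }
    $GeoCache[$Ip] = $info
    return $info
}

function Get-FailedLogons {
    param([datetime]$Since, [datetime]$Until)
    # FilterHashtable is applied by the event log service, far faster than filtering the whole log in PowerShell
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since; EndTime = $Until } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Ip = $d['IpAddress'] }
        } | Where-Object { $_.Ip -and $_.Ip -ne '-' }   # console/local failures carry no source address
}

$last = (Get-Date).AddMinutes(-1)
while ($true) {
    $now = Get-Date   # closed window [$last, $now) so no event is logged twice across iterations
    foreach ($e in Get-FailedLogons -Since $last -Until $now) {
        $g = Get-GeoInfo -Ip $e.Ip
        # Fixed field order on every line keeps the KQL parse on the Log Analytics side simple
        "latitude:$($g.Lat),longitude:$($g.Lon),country:$($g.Country),state:$($g.State),username:$($e.User),sourcehost:$($e.Ip),timestamp:$($e.Time.ToString('s'))" |
            Out-File -FilePath $LogPath -Append -Encoding utf8
    }
    $last = $now
    Start-Sleep -Seconds 30
}
```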
This project involved a little programming, except for SQL and some Java, but it was reasonably straightforward. The tutorial I went through was outdated, so some things had changed. If you would like to do this project, here is the link: https://www.youtube.com/watch?v=RoZeVbbZ0o0&t=2759s If you have any questions, please don't hesitate to contact me. I struggled through the part where he parses the raw data, as Azure changed the Custom Log part.