Building a SOC Honeynet in Azure


In this project, I build a mini honeynet in Azure and ingest log sources from various resources into a Log Analytics workspace, which is then used by Microsoft Sentinel to build attack maps, trigger alerts, and create incidents. I measured some security metrics in the insecure environment for 24 hours, apply some security controls to harden the environment, measure metrics for another 24 hours, then show the results below. The metrics we will show are:

  • SecurityEvent (Windows Event Logs)
  • Syslog (Linux Event Logs)
  • SecurityAlert (Log Analytics Alerts Triggered)
  • SecurityIncident (Incidents created by Sentinel)
  • AzureNetworkAnalytics_CL (Malicious Flows allowed into our honeynet)

Leave a Reply

Your email address will not be published. Required fields are marked *