
Using Azure Sentinel (SIEM) to track live cyber threats via Honey pot.


International Research Journal of Engineering and Technology (IRJET) Volume: 11 Issue: 05 | May 2024

www.irjet.net

e-ISSN: 2395-0056 p-ISSN: 2395-0072

Shivangi Gandhi (1), Dinesh Kamani (2), Sravan Gavara (3), K.S. Ayush (4)

(1) Assistant Professor, Dept. of Computer Science, Parul University, Gujarat, India
(2,3,4) UG Student, Dept. of Computer Science, Parul University, Gujarat, India


Abstract – Data theft is a major problem in today's technology world, as cyber threats increase day by day. How and why do these thefts keep happening despite the many protections available in the modern world? In this paper we begin by going over how we created the essential resource group for the honeypot. After that, we walk through setting up a Log Analytics workspace and a virtual honeypot computer to collect data from the honeypot. Once the data has been collected, we walk through configuring Sentinel to interact with the Log Analytics workspace and retrieve the information. Finally, we use the IP geolocation of the unsuccessful login attempts from all across the world to create a Sentinel dashboard.

Key Words: sentinel, Log Analytics workspace, honeypot, IP geolocation

1. INTRODUCTION

Using Microsoft's Azure platform, we build a honeypot lab in this project. We also cover how to aggregate the data collected by the honeypot into Microsoft Sentinel, a security information and event management (SIEM) application. A honeypot is a security tool designed to entice and catch potential attackers by appearing to be a useful network component. By putting up a honeypot lab on Azure, you can simulate a network environment and obtain insightful data about potential threats and malicious activity. After the data has been collected, it can be sent to Microsoft Sentinel for storage and analysis. Sentinel is a cloud-based SIEM application that helps you monitor and manage security threats throughout your company.[1] The honeypot system records and tracks the movements of intruders within the system, sending the information to the system administrator and security staff who have deployed and set up the spyhole. The information gathered may be essential for establishing defenses against different kinds of attacks, particularly the more recent ones. The use of honeypots offers a practical way to improve a system's security and dependability and aids engineers, scientists, and researchers in developing a plan of defense against cyberattacks.[2] A honeypot is a security tool designed to be probed, attacked, or compromised. It was suggested that any interaction detected be automatically interpreted as malicious activity, and the network administrator uses the reports generated from the malicious source to ascertain the identity, motives, and methods of the hacker.[3] A honeypot is akin to the wet cement used to find footprints in your home; you may use it to see whether burglars are testing your home security by rattling your door locks.[4] Depending on the type of honeypot system installed within the infrastructure, its goal is to record any potentially destructive action by an attacker. Honeypot systems can be used to detect several forms of malicious activity, including automated attacks by malicious bots, known vulnerability exploitation, web application attacks, and the exploitation of out-of-date software and systems.[5] Industrial control systems (ICS) have been at much greater risk from cybersecurity threats in the last several years, mostly as a result of nation-states and cybercriminals becoming more active. Attackers are now more dangerous and skilled than ever, and it can be difficult to identify them in time to act.

1.1 Related Work

We configured Azure Sentinel (SIEM) and linked it to an operational virtual machine that acts as a honeypot in order to complete this project. The project comprises an Azure Sentinel (SIEM) cyber-attack map: we configured the Azure Log Analytics Workspace so that geographic data from custom logs (country, state or province, latitude, and longitude) can be imported; arranged Log Analytics Workspace custom fields so that the geodata can be mapped in Azure Sentinel; and configured the Azure Sentinel spreadsheet (Microsoft's SIEM) to display global attack data (RDP brute force) on a world map according to the precise location and scale of the attack.[1][2][3] Any honeypot system's primary goal is to detect intrusions and gain detailed knowledge about them. It may also involve mitigating attacks. Some of these goals can be accomplished by integrating the honeypot idea into IDS and IPS.[6] A honeynet is a collection of different honeypots: unique networks designed to entice potential attackers. A honeynet's purpose is to gather data regarding malicious activity; investigators subsequently examine this recorded data to obtain the pertinent information.[5] SIEMs typically gather, compile, store, and correlate events produced by a managed infrastructure. As they collect events from various sensors (firewalls, intrusion detection systems, antivirus software, etc.), correlate these events, and provide synthetic views of the alerts for threat handling and security reporting, they serve as the foundation of contemporary security operations centers [4,5]. Aside from these essential features, current systems differ greatly from one another, which typically reflects the various markets in which SIEMs are found.
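The pipeline described above (collect failed-logon events from the honeypot VM, enrich each with IP geolocation, write them as a key:value custom log that Log Analytics custom fields can extract, and count attacks per location for the map) is illustrated by the following Python, which is an added example and not the authors' code. The event records, the geolocation table (a stand-in for whatever lookup service is used) and the custom-log field names are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of logon events as a Windows honeypot VM would record them
# (Security event 4625 = failed logon, 4624 = success); values are made up.
EVENTS = [
    {"EventId": 4625, "TimeCreated": "2024-05-01T10:00:01Z", "TargetUserName": "administrator", "IpAddress": "203.0.113.10"},
    {"EventId": 4625, "TimeCreated": "2024-05-01T10:00:07Z", "TargetUserName": "admin", "IpAddress": "203.0.113.10"},
    {"EventId": 4625, "TimeCreated": "2024-05-01T10:01:12Z", "TargetUserName": "root", "IpAddress": "198.51.100.7"},
    {"EventId": 4624, "TimeCreated": "2024-05-01T10:02:00Z", "TargetUserName": "labadmin", "IpAddress": "192.0.2.44"},
    {"EventId": 4625, "TimeCreated": "2024-05-01T10:03:30Z", "TargetUserName": "guest", "IpAddress": "-"},
]

# Assumed stand-in for the IP geolocation lookup (the paper names no provider).
GEO_TABLE = {
    "203.0.113.10": {"country": "Brazil", "state": "Sao Paulo", "lat": -23.55, "lon": -46.63},
    "198.51.100.7": {"country": "Germany", "state": "Hesse", "lat": 50.11, "lon": 8.68},
}
UNKNOWN = {"country": "unknown", "state": "unknown", "lat": 0.0, "lon": 0.0}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def to_custom_log(event, host="HONEYPOT-VM"):
    """Render one failed logon with a usable source IP as a key:value custom-log
    line; the field names are this example's choice (hypothetical), not Azure's."""
    if event["EventId"] != 4625 or not IPV4.fullmatch(event["IpAddress"]):
        return None  # successes and events with no routable source are dropped
    ip, geo = event["IpAddress"], GEO_TABLE.get(event["IpAddress"], UNKNOWN)
    return (f"latitude:{geo['lat']},longitude:{geo['lon']},destinationhost:{host},"
            f"username:{event['TargetUserName']},sourcehost:{ip},state:{geo['state']},"
            f"country:{geo['country']},label:{geo['country']} - {ip},timestamp:{event['TimeCreated']}")

def build_custom_log(events):
    """All custom-log lines for a batch of events (what a collector would append to the log file)."""
    return [line for line in map(to_custom_log, events) if line]

def parse_custom_log(line):
    """Split a custom-log line back into fields, the extraction a Log Analytics custom field
    performs; split on the first ':' only so the ISO timestamp keeps its colons."""
    return dict(pair.split(":", 1) for pair in line.split(","))

def attacks_by_country(lines):
    """Aggregate failed logons per country, the figure the map dashboard plots per location."""
    return Counter(parse_custom_log(line)["country"] for line in lines)

if __name__ == "__main__":
    lines = build_custom_log(EVENTS)
    print("\n".join(lines))
    print(attacks_by_country(lines))
```

The parser assumes no field value contains a comma; a real collector should escape or quote values before relying on a delimiter-based custom-field extraction.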

© 2024, IRJET | Impact Factor value: 8.226 | ISO 9001:2008 Certified Journal | Page 467

