As a first step we will create an account within ipgeolocation. Once created, we access the dashboard where the API Keys section will appear, which is what we will copy later to our script inside the virtual machine in Azure. Go to https://app.ipgeolocation.io/login

• If you do not have a Microsoft Azure account go to the following address. https://portal.azure.com/
• Microsoft will welcome you with an initial credit of $200.00, which is valid for 30 days (Friendly reminder, always remember to delete your labs).

Follow the instructions shown in the following images.

For this exercise remember to set a very strong password with a strong complexity.

Leave the default values until you reach the Networking section.

Once in the networking section, click on the NIC network security group section and select the Advanced option. Click on the create new option.

In the Create a Network Security Group section, enter the name of the group as you want it. In the Incoming Rules section delete the incoming rule you will see there.

It is time to create an inbound rule, for this purpose, in the Destination port ranges section we will place asterisk (*). In the Priority section we will put 1000 and in the Name section we will give the name to the rule as we want it to appear.

This is how our newly created rule should look like.

Finally we will create our virtual machine and we can wait or continue with the next section while it is up.

As mentioned above, we can go step by step or we can go ahead by creating our Log Analytics Workspaces. Once inside we click on the Create button.

We select our Resource group, name our instance and select the same region we have been working in for our example case West US 3.

Here we go, click on the create option and wait.

We take our first steps through Sentinel to start working the environment.

We are heading to Defender Plans. And Check proceed to give check on Servers if is off.

Then we go to Data Collections and click on the option All Events

Look for the Virtual Machines (deprecated) option and double click on it.

We connect our machine.

It is time to connect to our virtual machine, if you do not know the public IP used, go to the virtual machines section where you can get it.

When you log in for the first time, turn off all privacy settings that come with Windows by default. In other words click NO for each of the features and then click Accept.

Go to Windows Firewall and turn everything off.

Download the ipgeo_ps.ps1 file from the following address.

• https://github.com/Drakk90/SENTINEL_HONEYPOT/blob/main/src/ipgeo_ps.ps1
• Run Power Shell ISE as Administrator, open the newly downloaded file, modify the file by inserting your API key created earlier. Click on the RUN option and watch the magic.

As a last step proceed to run Command Prompt on your local machine and verify that you have PING.

By this time your Log Analytics is already created, go to the Tables section.

Click on the Create option, select the New Custom log (MMA-Based) option.

Enter the name of the log, which is being captured in the virtual machine, the name of the file can be found in the file with extension *.ps1

Select the Operating System and enter the path to the file and the file name, please remember this is Case Sensitive so enter it exactly the same.

Give a name to the custom log.

For this proof of concept we are capturing all events of type 4625, if you go to your Event Viewer inside your virtual machine you will be able to check this.

Wait about 10 minutes while your newly created log is displayed in Analytics and run the log you just created.

Some time ago there was the option to make extracts from a log, but that option disappeared, so now we proceed to do it through a query. You can find the query at the following address.

• https://github.com/Drakk90/SENTINEL_HONEYPOT/blob/main/src/IPGeo_Sentinel.sql
• Run the query on Analytics.

We go to Microsoft Sentinel and click on the Workbooks section.

We edited our Workbook.

Remove all elements of the workbook.

We paste our previous query.

We enter Map Settings and modify some of our elements taking as reference the image shown below.

We continue with our settings.

Save as.

Set the Autorefresh every 5 minutes.

We wait a few hours and the results will be as shown below.

This manual is designed to help creating your first project on Azure Sentinel and create your virtual Machine, please remember delete all the created instances on Azure if you want to avoid problems with your monthly billing.

Some base codes and templates are from Josh Madakor.