This project demonstrates the design and deployment of a cloud-based honeypot on Microsoft Azure to simulate real-world cyber attacks and analyze them using Azure Log Analytics and Microsoft Sentinel (SIEM).
A publicly exposed Azure Virtual Machine was intentionally configured with all inbound ports open to attract malicious traffic. The generated security logs were collected, analyzed, and visualized to identify attacker behavior, IP addresses, and event patterns using KQL (Kusto Query Language).
- Simulate real-world attack scenarios in a cloud environment
- Collect and analyze security logs using SIEM
- Identify attacker IPs, Event IDs, and attack trends
- Gain hands-on experience with Azure security monitoring
- Microsoft Azure
- Azure Virtual Machine (Windows Server 2025)
- Network Security Groups (NSG, configured to allow all incoming connections on all ports)
- Log Analytics Workspace (used to collect and store logs)
- Microsoft Sentinel (SIEM)
- KQL (Kusto Query Language)
- Azure VM deployed with a public IP
- NSG configured to allow all inbound traffic
- Logs forwarded to Log Analytics Workspace
- Microsoft Sentinel connected to the workspace
- KQL queries used for log analysis
Check the /architecture folder for the detailed configuration and the architecture diagram.
```kusto
// Count failed logon attempts per source IP.
// SecurityEvent has no EventLevelName column (that column belongs to the Event
// table), so filter on EventID 4625 (failed logon) instead; the source column
// is IpAddress (case-sensitive).
SecurityEvent
| where EventID == 4625
| summarize count() by IpAddress
| order by count_ desc
```
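As an added example (not part of the original project), the query below extends the count-by-IP idea to a per-source attacker profile over the same SecurityEvent table: time span, breadth of accounts tried and logon types, with a minimum-attempt threshold. The 7-day window and the 20-attempt threshold are assumptions chosen for the example; it assumes the VM's Windows Security log is being forwarded to the workspace.

```kusto
// Added example, not the project's own query. Assumes SecurityEvent rows for
// EventID 4625 (failed logon) carry IpAddress, TargetUserName and LogonType.
let lookback = 7d;                  // assumption: analysis window
let min_attempts = 20;              // assumption: noise threshold for this example
let failed_logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625         // failed logon attempts
    | where isnotempty(IpAddress)
    | where IpAddress !in ("-", "127.0.0.1", "::1");   // drop local/blank sources
// One row per attacking source: volume, first/last seen, accounts targeted
failed_logons
| summarize
    Attempts       = count(),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    Accounts       = dcount(TargetUserName),
    SampleAccounts = make_set(TargetUserName, 5),
    LogonTypes     = make_set(LogonType)
    by IpAddress
| extend DurationHours = datetime_diff("hour", LastSeen, FirstSeen)
| where Attempts >= min_attempts
| order by Attempts desc
```

A source with many attempts across many distinct accounts in a short DurationHours is the password-spraying pattern this honeypot is built to observe; the same query body can be pasted into a Sentinel scheduled analytics rule with the threshold as its trigger.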
