Forem: Quincy Ouko

Deploying a Honeypot SOC with Microsoft Sentinel

Quincy Ouko — Thu, 11 Sep 2025 10:52:31 +0000

This project will explain how to setup a basic SOC using Azure. We shall setup a honeypot VM the forward the logs generated to central repository. We shall then integrate Microsoft Sentinel to analyze the attack data.

Prerequisite
Azure free subscription account.

Create Resource Groups & Virtual Network
We shall create a Resource Groups leaving all the configurations as default. For our case it will be my-first-rsg on Central India region.
We shall then create a Virtual Network (Vnet) my-first-vnet under the Resource Group we earlier created, leaving all the configurations as default. This has be under the same region which is Central India.

As shown in the image above, we will create a virtual machine named DataAnalysis-Server running a Windows Server 2019 Datacenter OS. We shall use size Standard B2S for the purpose of this project.

Once you're done with the configuration, you can deploy your newly created virtual machine as shown above.

From the Resource Groups, we will modify the Network Security Group. We will delete the default Remote Desktop Protocol (RDP) rule and we will create a new rule that opens all ports from any source. We shall name this rule DangerAllPortsAllowed as shown above.

Using Windows Remote Desktop Protocol (RPD), input the IP Address, username and password to log into the newly created virtual machine.

In the VM, open Windows Firewall and turn off all the Windows Defender Firewall Properties as shown above.

We can confirm if the VM is reachable by pinging it from our local machine as shown above.

We then create a Log Analytics workspace to collect our VM logs.

We will then create a Microsoft Sentinel and add the newly created Log Analytics workspace we just created.

On the Microsoft Sentinel page, under Content management on the Content hub. We will search and install the Windows Security Events tool which will allow us to connect the Log Analytics workspace to our newly created VM as shown above.

We shall then configure the Windows Security Events via Azure Monitoring Agent (AMA).

We will then create a data collection rule that our VM will use to forward logs into our Log Analytics workspace which eventually allows us to access them in our SIEM. Once this is done, we can switch back to the Azure VM window and on our VM under Settings: Extensions + applications we should start see the AMA installed.
Once this is properly configured, we can query the logs using KQL as shown below.

We check back two hours later and we can see thousands of login attempts on our virtual machine.

We can try query the last one minute to see how many attacks we record per minute.

And we can see 9 failed login attempts to our virtual machine in the last minute.
We will then create a Watchlist in the Microsoft Defender portal and upload the geographically mapped ip address spreadsheet: geoip-summarized.csv. Once uploaded the document should be as shown below.

Using a simple KQL query we can get to highlight one specific attacker from Netherlands who has tried to login to the computer over 900 times as seen below.

We will create a Sentinel workbook in order to plot the attack in a bar graph. We will then use the JSON query as shown on the image below.

We can visualize the data as a bar graph using the workbooks.

Conclusion
It is very important to always install your security updates as soon as they become available.
Only open necessary ports for the time you need it for.

Crafting a Scalable Three-Tier Architecture Demonstrating Blue-Green Deployment

Quincy Ouko — Fri, 02 May 2025 23:06:41 +0000

Create a VPC
We start by creating a VPC, Subnets, Internet Gateway and Route Tables.
Below is how I allocated Ip Addresses to the VPC and each subnet.

VPC 10.0.0.0/16
10.0.1.0/24 - public subnet1
10.0.2.0/24 - public subnet2
10.0.3.0/24 - private subnet1
10.0.4.0/24 - private subnet2

Create a Bastion Server

Create a Bastion that can only be accessed via SSH from your device IP Address and launch it. This highly improves security of your architecture.

Create the Database Security Group

Create the security group from the DB port 3306 to both the public subnets then create another rule for SSH only from the Bastion server we earlier created. This allows SSH connection only from the Bastion server improving security of the DB server.

Create a Database

We start by creating a subnet group with the two private subnets we earlier created. Then we create an SQL database placing it in the subnet group we created.

We created an extra private subnet just to use it to create a subnet group but for this project we only need one.

Create a Control Server
We will use the control server to test the connection to the database before we deploy the image.
We will install php, php-mysqli and mysql-server on the control server.

Establish Connection to the SQL Database through SQL Workbench
We will now establish a connection to the database through the Bastion host we created. We will use MySQL Workbench to establish this connection.

Test the database by add users and marking their attendance
I added three users under the AWS SAA track and I was able to check their attendance.
Generating the report is proof that the application is communicating with the database.

Create an Image (AMI) of the Control Server
We create an image of the control server. At this point we can get rid of the control server since we will only make use of the it's AMI.

Create a launch template from the AMI
We need a launch template since we can specify the launch configurations like security groups before we launch the instances from the image.

Create a Target Groups
This will allow us to route traffic to the instances we will create based on our rules.
We will then edit the listener port, port 80 and allow both the two target groups to use the same port.

Create an Autoscaling Group
We will create the autoscaling group and attached then to the target groups we created.

While creating the autoscaling group, we will specify the desired capacity as 3, minimum capacity as 2 and maximum capacity as 5.

The instances should be created as shown below.

To access the machines created, you will use the DNS of the load balancers. As shown with the DNS address below. We can also see that the records we took before creating the launch templates are also present.

Create CloudWatch Alarms
This will inform the instances when to add or delete using specified parameters.
We will create two EC2 alarms by Autoscaling. We will use CPU Utilization as the preferred metrics from both. For high utilization the threshold will be 75% and for low the threshold will be 25%.

We will enable dynamic scaling and enable simple scaling.
This will use the threshold we defined above to add or remove instances.

Demonstrate Blue-Green Deployment
We can do this under load balancers. We edit listeners traffic flow in different targets.

For instance, we are doing an update on Target-1, we will send all the traffic on target-2 and once we are done with the update we can send traffic to target-1. The now updated site.

SNS Notification (Optional)
You can also configure SNS notification to alert you on any threshold you go past. This will help during cost optimization since you will be able to monitor your cost.

Conclusion
Building a three-tier architecture with blue-green deployment in mind enhances scalability and security while minimizing downtime. This approach streamlines updates, ensuring a seamless user experience and effective use of resources.

How I used Amazon QuickSight to Visualize Data

Quincy Ouko — Mon, 21 Apr 2025 11:12:34 +0000

Upload your dataset and the 'manifest.json' file into S3

S3 is used in this project to store my dataset and manifest.json file.
I edited the manifest.json file by updating the S3 URL of my dataset.
It's important to update this file so that the manifest.json file won't be pointing to the wrong address.

Updated manifest.json file.

Here is my bucket with CSV and manifest files.

Create your Amazon QuickSight account

QuickSight account is free to create and the free trial lasts for 30 days. It took about 2 minutes to create.
I also had to enable QuickSight's access to S3 because my dataset is stored in a S3 bucket and specific access is required to access my dataset.

I created a QuickSight account

Why was the manifest file important

The manifest.json file was important in this step because it acts as a map to guide QuickSight on where the file is located and how it should classify the data

Let's make visualizations

To create visualization on QuickSight you will have to drag fields you want to visualize into the QuickSight AutoGraph field.
The graph shown here is a breakdown of movies vs tv shows released each year. I created this graph putting the release year on the Y axis and making the type movie/tv show the grouping variable.

My first visualization

Using filters

Filter are useful for specifying data that you want to analyze. Here I added a filter by excluding movies and tv shows released before 2015.
This helped me create a visualization on movies released from 2015 onwards.

Visualization after filtering

Set up your dashboard

As a finishing touch, I edited titles of my graph so that the charts are readable.
Did you know you could export your dashboard as a PDF file? I did this by publishing the dashboard and clicking the export function.

My Key Learnings

QuickSight is a quick data visualization service.
QuickSight makes data visualization easy especially using a drag and drop feature.

Final Thoughts

Always clean up your project to keep it under free tier account :)
Now that I know how to use QuickSight, in the future i'd use it to practice data visualization using other types of data.
An area of data visualization i'd like to explore is making animated presentation with the data.

Creating a Static Website Using S3 and CloudFront

Quincy Ouko — Sat, 05 Apr 2025 12:04:32 +0000

The objective of the project is to host my CV as a static HTML website using S3 and CloudFront.

The image above outlines the project workflow.

I started by creating an S3 bucket with public access policy enabled then I upload my CV document as an HTML file.
I then navigated to the CloudFront Console, created a new distribution and set the Origin Domain as the bucket created above. I then changed the Origin access from Public to Origin access control settings (OAC). Afterwards, I created a new OAC and selected it.
I created the distribution the copied the CloudFront OAC to the bucket policy. This is as shown in the figure below.

Once, that finished propagating, I copied the link to test my website.

As the image above displays, the project objective was archived.

Lessons Learned:

Uploading a website on S3 allows you to easily edit and update it.
S3 hosted website can be accessed from any browser.
CloudFront ensure low latency

Conclusion:
You can successfully host a static website on S3 even without having a domain.