I’ve decided to turn my VM into a honeypot, to see exactly what I can see in OMS once a VM is compromised. I’ve gone into Azure and removed the network security group for the VM. I’ve also set the administrator password to be blank.
I’m seeing attacks on my server, but nothing is showing up under threat intelligence. I’m going to try to enable the Wire Data solution to see if that provides the needed information. (SPOILER: it will. If you look at the queries related to the Threat Intelligence dashboard, they all make use of a type called WireData)
In your workspace, click the Solutions icon.
Scroll over until you find the Wire Data 2.0 solution and select it.
The wire data solution consolidates network and performance data from computers with OMS agents.
Click the Add button to add this solution to your workspace. Back on the main workspace page, click the Settings button. Under Installed Solutions, select the Wire Data 2.0 solution.
This will open the Wire Data 2.0 solution. Click the Configure button at the top of the solution to review the configuration information.
Looks like I need to install an agent on any server I want to pull wire data information from. The first step is to download the agent and copy it to the appropriate server. After that it is just click, click, install.
Once the agents are installed and begin reporting data back to OMS, the Wire Data solution lights up in my workspace.
I can drill down into the solution to see the detailed information being collected.
And now with the addition of the Wire Data 2.0 solution, I’ve got threat detection working in my Security and Compliance solution.
As you can see from the above images, I have a computer from the Ukraine that is trying to hack into my honeypot server. Just wait, in my next post, my machine is going to get fully compromised, and while that is scary, the amount of information OMS will give you will be pretty amazing.
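Since the Threat Intelligence dashboard is built on the WireData type, you can ask the same question yourself. The query below is an added example written in the Log Analytics query language (Kusto), not something from the original post; the column names (Direction, RemoteIP, RemoteIPCountry, LocalPortNumber, MaliciousIP, IndicatorThreatType) are assumed from the WireData schema, and the 24h window is an arbitrary choice.

```kusto
// Added example, not from the post. Column names are assumed from the WireData schema.
// Lists every remote host that connected inbound to a monitored computer in the last
// 24 hours, and shows how many of those connections the threat-intelligence feed
// flagged. Rows with FlaggedByTI == 0 are the "attacks I can see but TI does not
// report" case described above: the dashboard only lights up for known-bad IPs.
WireData
| where TimeGenerated > ago(24h)
| where Direction == "Inbound"
| summarize Connections  = count(),
            FlaggedByTI  = countif(isnotempty(MaliciousIP)),
            Ports        = make_set(LocalPortNumber),
            ThreatTypes  = make_set_if(IndicatorThreatType, isnotempty(IndicatorThreatType)),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated)
    by Computer, RemoteIP, RemoteIPCountry
| order by FlaggedByTI desc, Connections desc
```

Run it in the Log Search blade of the workspace; the rows with a non-zero FlaggedByTI are the same hosts the Threat Intelligence tiles are drawn from, while the rest are the unflagged scanning traffic the honeypot attracts.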