This project deploys a fully functional Security Operations Center (SOC) on Microsoft Azure - Active Directory, Microsoft Sentinel SIEM, Suricata IDS, Sysmon telemetry, and real attack simulation mapped to MITRE ATT&CK. Everything deploys via one PowerShell command and is open-sourced on GitHub.
What was built: 18 Azure resources, an AD domain with 11 users (including Kerberoastable service accounts), 10 MITRE ATT&CK techniques executed and detected, custom Sentinel analytics rules, and 65K+ Suricata IDS signatures - all running on a ~$3/session budget.
GitHub: https://github.com/anishvedant/AzureSOC
A SOC monitors infrastructure 24/7, watching log data for signs of attacks. The three core functions: detect suspicious activity, investigate what happened, and respond to stop it. This lab does all three using the same tools real enterprises use.
```
┌──────────────────────────────────────────────────────────────────┐
│                             INTERNET                             │
│                      (Your laptop at home)                       │
└───────────────┬─────────────────────────────┬────────────────────┘
                │ RDP :3389                   │ SSH :22 / HTTP :80
                │                             │
┌───────────────┴─────────────────────────────┴────────────────────┐
│ Azure VNet: vnet-azuresoc (10.0.0.0/16)                          │
│                                                                  │
│ ┌───────────────────────────┐       ┌───────────────────────────┐│
│ │ snet-dc (10.0.1.0/24)     │       │ snet-splunk (10.0.2.0/24) ││
│ │ NSG: nsg-dc               │       │ NSG: nsg-splunk           ││
│ │ Allow: RDP, DNS, Kerberos,│       │ Allow: SSH, HTTP,         ││
│ │ LDAP, SMB, LDAPS          │       │ Splunk (8000/9997/8088)   ││
│ │                           │       │                           ││
│ │ ┌───────────────────────┐ │       │ ┌───────────────────────┐ ││
│ │ │ vm-dc01 (10.0.1.4)    │ │       │ │ vm-splunk (10.0.2.4)  │ ││
│ │ │ Windows Server 2022   │ │       │ │ Ubuntu 22.04 LTS      │ ││
│ │ │                       │ │       │ │                       │ ││
│ │ │ • Active Directory    │ │  nmap │ │ • Suricata IDS v8.0   │ ││
│ │ │   (azuresoc.local)    │ │◄─────►│ │   (65K+ rules)        │ ││
│ │ │ • DNS Server          │ │ hydra │ │ • Apache 2.4.52       │ ││
│ │ │ • Sysmon v15          │ │◄─────►│ │   (honeypot page)     │ ││
│ │ │ • Azure Monitor Agent │ │ nikto │ │ • nmap, nikto, hydra  │ ││
│ │ │ • 11 AD Users         │ │       │ │   (attack tools)      │ ││
│ │ │ • Kerberos (port 88)  │ │       │ │                       │ ││
│ │ └───────────────────────┘ │       │ └───────────────────────┘ ││
│ └───────────────────────────┘       └───────────────────────────┘│
│                                                                  │
│ ┌──────────────────────────────────────────────────────────────┐ │
│ │ snet-honeypot (10.0.3.0/24)                                  │ │
│ │ NSG: nsg-honeypot (ALLOW ALL inbound - intentional trap)     │ │
│ │ [Empty - reserved for future deliberately vulnerable VM]     │ │
│ └──────────────────────────────────────────────────────────────┘ │
└────────────────────────────────┬─────────────────────────────────┘
                                 │ Windows Security Events
                                 │ + Sysmon telemetry
                                 │ via Azure Monitor Agent
           ┌─────────────────────┴──────────────────────┐
           │ Data Collection Rule (dcr-windows)         │
           │ Routes: SecurityEvent + Sysmon             │
           └─────────────────────┬──────────────────────┘
                                 │
           ┌─────────────────────┴──────────────────────┐
           │ Log Analytics Workspace (law-azuresoc)     │
           │ Tables: SecurityEvent, Sysmon,             │
           │         Heartbeat, AzureActivity           │
           └─────────────────────┬──────────────────────┘
                                 │
           ┌─────────────────────┴──────────────────────┐
           │ Microsoft Sentinel (SIEM)                  │
           │ • 8 Data Connectors                        │
           │ • 1000+ Security Events                    │
           │ • Custom KQL Analytics Rules               │
           │ • Brute Force RDP Detection (custom)       │
           │ • Automated Incident Creation              │
           └────────────────────────────────────────────┘

SUPPORTING SERVICES:
  Key Vault        ──── Secure storage for API keys & secrets
  Storage Account  ──── NSG flow logs & diagnostic data
  Network Watcher  ──── Connectivity monitoring & IP flow verify
```
The VNet uses 10.0.0.0/16 (65K addresses), split into 3 subnets. Each subnet has its own NSG controlling traffic - nsg-dc only allows RDP + AD ports, nsg-splunk allows SSH + HTTP, and nsg-honeypot intentionally allows everything (it's a trap).
The DC generates Windows Security Events and Sysmon telemetry → Azure Monitor Agent forwards them via Data Collection Rule → they land in Log Analytics → Sentinel queries them with KQL and fires alerts.
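As an added example (not a rule from the AzureSOC repository), this KQL query shows the shape of a Sentinel scheduled rule for the "Brute Force RDP Detection" case above: it reads the SecurityEvent table the DCR populates, counts failed RDP logons per source IP, and raises severity when the same IP later logs on successfully. The threshold, window, lookback and the `vm-dc01` host-name prefix are assumptions.

```kql
// Added example, not from the AzureSOC repository. Assumed tunables:
let threshold = 10;      // failed RDP logons per source IP per window
let window = 10m;
let lookback = 1h;       // in a scheduled rule this matches the rule's lookup period
let rdp_failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625 and LogonType == 10        // failed RemoteInteractive (RDP) logon
    | where Computer startswith "vm-dc01"               // assumption: DC host name prefix
    | where isnotempty(IpAddress) and IpAddress != "-"
    | summarize FailedAttempts = count(),
                TargetAccounts = make_set(TargetUserName, 25),
                LastFail = max(TimeGenerated)
        by IpAddress, WindowStart = bin(TimeGenerated, window)
    | where FailedAttempts >= threshold;
let rdp_successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType == 10        // successful RDP logon
    | project IpAddress, SuccessTime = TimeGenerated, SuccessAccount = TargetUserName;
rdp_failures
| join kind=leftouter rdp_successes on IpAddress
// Only a success that comes after the last failure counts as "spray then success";
// a null SuccessTime (no match) compares false and is simply not counted.
| summarize TargetAccounts = take_any(TargetAccounts),
            SuccessesAfterSpray = countif(SuccessTime > LastFail),
            FirstSuccess = minif(SuccessTime, SuccessTime > LastFail),
            SuccessAccount = take_anyif(SuccessAccount, SuccessTime > LastFail)
    by IpAddress, WindowStart, FailedAttempts, LastFail
| extend Severity = iff(SuccessesAfterSpray > 0, "High", "Medium"),
         Technique = "T1110.001"                        // ATT&CK Brute Force: Password Guessing
| project WindowStart, IpAddress, FailedAttempts, TargetAccounts, LastFail,
          SuccessesAfterSpray, FirstSuccess, SuccessAccount, Severity, Technique
```

When saved as an analytics rule, map `IpAddress` to the IP entity and `SuccessAccount` to the Account entity so the automatically created incident carries both.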
| Resource | Type | Purpose |
|---|---|---|
| vm-dc01 | VM (Windows Server 2022) | Domain Controller, AD DS, DNS, Sysmon v15 |
| vm-splunk | VM (Ubuntu 22.04) | Suricata IDS, Apache honeypot |
| vnet-azuresoc | Virtual Network | 10.0.0.0/16 - connects everything |
| nsg-dc | NSG | DC firewall (RDP + AD ports only) |
| nsg-splunk | NSG | Linux firewall (SSH + HTTP) |
| nsg-honeypot | NSG | Allow-all (honeypot trap) |
| nic-dc01 / nic-splunk | NICs | Virtual network cards |
| pip-dc01 / pip-splunk | Public IPs | Internet-facing addresses for RDP/SSH |
| law-azuresoc | Log Analytics Workspace | Central log database |
| SecurityInsights | Sentinel | SIEM layer on Log Analytics |
| kv-(auto-generated) | Key Vault | API key storage |
| st(auto-generated)soc | Storage Account | NSG flow logs |
| dcr-windows | Data Collection Rule | Routes DC events → Sentinel |
| NetworkWatcher | Network Watcher | Connectivity monitoring |
AD controls who can access what in a Windows network. Over 90% of Fortune 500 companies use it, making it the #1 target for attackers. When AD is compromised, the attacker owns everything - accounts, files, servers.
Domain: azuresoc.local | DC: DC01 (vm-dc01) | Forest Level: Windows Server 2022
| Username | Role | Group | Security Relevance |
|---|---|---|---|
| azuresocadmin | Domain Admin | Domain Admins | Primary admin |
| jsmith, sconnor | Regular | IT-Team | Standard employees |
| mjones | Regular | HR-Team | Standard employee |
| edavis, lbrown | Regular | Finance-Team | Standard employees |
| jwilson | Regular | SOC-Analysts | Standard employee |
| admin.backup | Domain Admin | Domain Admins | Attack target - over-privileged backup account |
| svc.sql | Service Account | N/A | Kerberoastable - has SPN MSSQLSvc/dc01:1433 |
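The Kerberoastable `svc.sql` account in the table above is the kind of target a defender should watch for in TGS traffic. As an added example (not a rule from the AzureSOC repository), this KQL query flags Kerberoasting (ATT&CK T1558.003) from the DC's Event ID 4769 records: service-ticket requests for a known service account using RC4, or one requester asking for tickets to unusually many services. The service-account list comes from the lab's user table; the distinct-service threshold is an assumption.

```kql
// Added example, not from the AzureSOC repository.
let service_accounts = dynamic(["svc.sql"]);   // SPN-bearing accounts known in the lab (from the user table)
let spn_threshold = 3;                         // assumption: distinct services per requester that looks like enumeration
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4769 and Status == "0x0"    // successful Kerberos service ticket (TGS) request
| extend ServiceName = tolower(ServiceName)
| where ServiceName !endswith "$"              // machine accounts have random 120-char passwords; not roastable
| where ServiceName != "krbtgt"                // TGT renewals are noise here
| extend IsKnownServiceAccount = set_has_element(service_accounts, ServiceName),
         IsRC4 = TicketEncryptionType == "0x17"   // RC4-HMAC: the cipher an attacker asks for to crack offline
| summarize TicketRequests = count(),
            RC4ForServiceAccounts = countif(IsRC4 and IsKnownServiceAccount),
            DistinctServices = dcount(ServiceName),
            Services = make_set(ServiceName, 20),
            Ciphers = make_set(TicketEncryptionType, 5),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Requester = TargetUserName, IpAddress
| where RC4ForServiceAccounts > 0 or DistinctServices >= spn_threshold
| extend Technique = "T1558.003"               // ATT&CK Steal or Forge Kerberos Tickets: Kerberoasting
| project FirstSeen, LastSeen, Requester, IpAddress, TicketRequests,
          RC4ForServiceAccounts, DistinctServices, Services, Ciphers, Technique
```

The corresponding mitigation for `svc.sql` is a long random password (or a group Managed Service Account) and AES-only encryption types on the account, which makes an RC4 ticket request itself the anomaly.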