Rapid7 uses deception technology within their cloud SIEM solution to detect malicious activity within the network. This easy-to-setup virtual appliance is available as an OVA file for the VMware platform.
A while ago I converted the virtual appliance to work on the Hyper-V platform and today we made the move to the Azure cloud. If your organisation is using Rapid7 InsightIDR and you would like to have the honeypot for Azure or Hyper-V please send me a message and I’m happy to share our work with you.
If you want to build this yourself you can follow the guidelines below.
- Download the virtual appliance from within the IDR platform;
- Download VirtualBox and convert the VMDK disk to VHD;
- Create a new Hyper-V machine with the new VHD disk;
- Start the VM and follow the wizard.
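The four steps above as a PowerShell session, added here as an example and not taken from the original post or from Rapid7. It assumes the OVA was downloaded to C:\honeypot, that VirtualBox is installed in its default location, that an external virtual switch named LAN exists on the Hyper-V host, and that 2 GB of memory and two vCPUs are enough for the appliance; the file names and the VM name are placeholders.

```powershell
# Added example (not from the original post): VMDK -> VHD with VirtualBox,
# then a Generation 1 Hyper-V VM around the converted disk.
# All paths, the VM name, the switch name and the sizing are assumptions.
$ova      = 'C:\honeypot\rapid7-honeypot.ova'
$workDir  = 'C:\honeypot'
$vhd      = Join-Path $workDir 'rapid7-honeypot.vhd'
$vmName   = 'r7-honeypot'
$switch   = 'LAN'     # external vSwitch on the network segment the honeypot should watch
$vboxMgr  = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'

# 1. An OVA is a plain tar archive; tar.exe ships with Windows 10 1803 and later.
tar -xf $ova -C $workDir
$vmdk = Get-ChildItem -Path $workDir -Filter '*.vmdk' | Select-Object -First 1 -ExpandProperty FullName
if (-not $vmdk) { throw "No VMDK found in $workDir after extracting $ova" }

# 2. Convert VMDK -> VHD. 'clonemedium' writes a dynamically expanding VHD by default.
& $vboxMgr clonemedium disk $vmdk $vhd --format VHD
if ($LASTEXITCODE -ne 0) { throw "VBoxManage failed with exit code $LASTEXITCODE" }

# 3. Generation 1 on purpose: Gen 2 VMs only accept VHDX, and the disk has to stay
#    in VHD format if it is going to be uploaded to Azure later.
New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 2GB -VHDPath $vhd -SwitchName $switch
# Disabling checkpoints means no AVHDX differencing disk is ever created,
# so there is nothing to merge before the disk leaves the host.
Set-VM -Name $vmName -ProcessorCount 2 -CheckpointType Disabled
Start-VM -Name $vmName

# 4. Open the console and follow the wizard; the activation code is shown on screen.
vmconnect.exe localhost $vmName
```

Keeping checkpoints disabled from the start is the simplest way to avoid the AVHDX merge that otherwise becomes necessary before the disk can be uploaded to Azure.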
If you only want to run the honeypot on Hyper-V you are done: use the on-screen activation code to activate the honeypot within InsightIDR. If you want to move the machine to Azure there are a few more steps to take.
- Configure the machine locally on Hyper-V; you won’t be able to connect to it remotely once it is running in Azure. Make sure you choose the right options for your Azure network in the initial setup;
- After configuring you might need to merge any AVHDX (checkpoint) file back into the VHD file;
- Within a storage account create a container with blob sharing permissions;
- Upload the configured VHD file;
- Create a managed disk based on this VHD file;
- Create a VM based on that disk; for sizing you can use Standard B1ms;
- When the machine is running check the boot diagnostics; you should see a screenshot with the honeypot activation token;
- Configure the honeypot within InsightIDR, done!
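The Azure part of the procedure, again as an added PowerShell example rather than the post's own script. It uses the Az module and an already signed-in session (Connect-AzAccount), assumes the appliance is a Linux, BIOS-booting (Hyper-V Generation 1) guest, and assumes a VNet and subnet already exist that match the network settings chosen in the wizard. Resource group, storage account, VNet and file names are placeholders.

```powershell
# Added example (not from the original post): fold checkpoints into the base VHD,
# upload it, and build a Standard_B1ms VM from a managed disk, with boot diagnostics
# enabled so the activation-token screenshot can be retrieved. Names are assumptions.
$vmName   = 'r7-honeypot'
$vhd      = 'C:\honeypot\rapid7-honeypot.vhd'
$fixedVhd = 'C:\honeypot\rapid7-honeypot-fixed.vhd'
$rg       = 'rg-honeypot'
$location = 'westeurope'
$saName   = 'sthoneypotvhd0001'   # globally unique, lowercase alphanumeric
$vnetRg   = 'rg-network'          # resource group of the existing VNet (assumption)
$vnetName = 'vnet-prod'
$subnet   = 'snet-servers'

# 1. Power off and let Hyper-V merge any AVHDX checkpoint chain back into the base VHD.
Stop-VM -Name $vmName -Force
Get-VMSnapshot -VMName $vmName | Remove-VMSnapshot

# 2. Azure only imports fixed-size VHD (not VHDX, not dynamic) whose virtual size
#    is a whole number of MiB, so convert and, if needed, round the size up.
Convert-VHD -Path $vhd -DestinationPath $fixedVhd -VHDType Fixed
$size = (Get-VHD -Path $fixedVhd).Size
if ($size % 1MB -ne 0) {
    Resize-VHD -Path $fixedVhd -SizeBytes ([math]::Ceiling($size / 1MB) * 1MB)
}

# 3. Storage account, container with blob-level permission, page-blob upload.
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
        -SkuName Standard_LRS -Kind StorageV2
New-AzStorageContainer -Name 'vhds' -Context $sa.Context -Permission Blob | Out-Null
$blobUri = "https://$saName.blob.core.windows.net/vhds/rapid7-honeypot.vhd"
Add-AzVhd -ResourceGroupName $rg -Destination $blobUri -LocalFilePath $fixedVhd

# 4. Managed disk imported from the uploaded blob (Linux / Gen1 are assumptions).
$diskCfg = New-AzDiskConfig -Location $location -CreateOption Import -SourceUri $blobUri `
             -StorageAccountId $sa.Id -OsType Linux -HyperVGeneration V1
$disk = New-AzDisk -ResourceGroupName $rg -DiskName "$vmName-osdisk" -Disk $diskCfg

# 5. NIC on the internal subnet only. No public IP: the honeypot is meant to see
#    lateral movement inside the network, not scanning from the internet.
$vnet  = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRg
$subId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet).Id
$nic   = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location -SubnetId $subId

# 6. VM from the existing OS disk, sized Standard_B1ms, with boot diagnostics enabled.
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_B1ms'
$vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $disk.Id -CreateOption Attach -Linux
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm = Set-AzVMBootDiagnostic -VM $vm -Enable -ResourceGroupName $rg -StorageAccountName $saName
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# 7. Download the console screenshot (and serial log) that carries the activation token.
Get-AzVMBootDiagnosticsData -ResourceGroupName $rg -Name $vmName -Linux -LocalPath 'C:\honeypot\bootdiag'
```

Because the appliance cannot be reached remotely once it is in Azure, anything that has to change later (network settings, DNS) means going back to the Hyper-V copy, reconfiguring, and repeating the upload; the boot diagnostics screenshot is the only console view you get in the cloud.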