Rapid7 InsightIDR HoneyPot on Hyper-V or Azure!

Rapid7 uses deception technology within their cloud SIEM solution to detect malicious activity within the network. This easy-to-setup virtual appliance is available as an OVA file for the VMware platform.

A while ago I converted the virtual appliance to work on the Hyper-V platform, and today we made the move to the Azure cloud. If your organisation is using Rapid7 InsightIDR and you would like to have the honeypot for Azure or Hyper-V, please send me a message and I'm happy to share our work with you.

If you want to build this yourself, you can follow the guidelines below.

  • Download the virtual appliance from within the IDR platform;
  • Download VirtualBox and use it to convert the VMDK disk to VHD;
  • Create a new Hyper-V machine with the new VHD disk;
  • Start the VM and follow the wizard.

If you want to run the honeypot on Hyper-V you are done: use the on-screen activation code to activate the honeypot within InsightIDR. If you want to move the machine to Azure there are a few more steps to take.

  • Configure the machine locally on Hyper-V; you won't be able to connect to it remotely once it is running in Azure. Make sure you choose the right options for your Azure network in the initial setup;
  • After configuring, you might need to merge the AVHDX checkpoint file back into the VHD file;
  • Within a storage account, create a container with blob sharing permissions;
  • Upload the configured VHD file;
  • Create a managed disk based on this VHD file;
  • Create a VM based on the VHD file (for sizing you can use Standard B1ms);
  • When the machine is running, check the boot diagnostics: you should see a screenshot with the honeypot activation token;
  • Configure the honeypot within InsightIDR, done!
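
The steps above, scripted end to end as an added example (not code from the original post or from Rapid7). It assumes VirtualBox, the Hyper-V PowerShell module and the Az module are installed; every resource group, storage account, vnet, subnet and path name is a placeholder. It keeps the storage container private, since the managed-disk import authenticates with the storage account id and the honeypot image should not be world-readable.

```powershell
# Added example, not part of the original post. All names and paths are placeholders.
# Requires: VirtualBox (VBoxManage), Hyper-V PowerShell module, Az PowerShell module.

# --- 1. VMDK from the OVA -> VHD with VirtualBox (the disk that Hyper-V will boot)
& "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonemedium disk `
    "C:\honeypot\honeypot-disk1.vmdk" "C:\honeypot\honeypot.vhd" --format VHD

# --- 2. After local configuration on Hyper-V: merge the checkpoint (AVHDX) back
#        into the parent and make the disk fixed-size, which Azure requires for
#        an uploaded Gen1 VHD. Replace the AVHDX name with the real checkpoint file.
Merge-VHD -Path "C:\honeypot\honeypot_PLACEHOLDER.avhdx" -DestinationPath "C:\honeypot\honeypot.vhd"
Convert-VHD -Path "C:\honeypot\honeypot.vhd" -DestinationPath "C:\honeypot\honeypot-fixed.vhd" -VHDType Fixed

# --- 3. Upload the configured VHD to a storage account container
$rg  = "rg-honeypot"; $loc = "westeurope"; $sa = "sthoneypot001"   # placeholders
Connect-AzAccount
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa
# Private container: the import below uses the storage account id, so anonymous
# blob read is not needed and the honeypot image is not exposed to the internet.
New-AzStorageContainer -Name "vhds" -Context $acct.Context -Permission Off
$uri = "https://$sa.blob.core.windows.net/vhds/honeypot.vhd"
Add-AzVhd -ResourceGroupName $rg -Destination $uri -LocalFilePath "C:\honeypot\honeypot-fixed.vhd"

# --- 4. Managed disk from the uploaded VHD
$cfg  = New-AzDiskConfig -Location $loc -CreateOption Import -SourceUri $uri `
            -StorageAccountId $acct.Id -OsType Linux
$disk = New-AzDisk -ResourceGroupName $rg -DiskName "honeypot-os" -Disk $cfg

# --- 5. Standard_B1ms VM on the existing honeypot subnet. Boot diagnostics are
#        enabled because the console screenshot is the only way to read the token.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-corp"
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq "snet-honeypot" }
$nic    = New-AzNetworkInterface -Name "honeypot-nic" -ResourceGroupName $rg -Location $loc -SubnetId $subnet.Id
$vm = New-AzVMConfig -VMName "honeypot" -VMSize "Standard_B1ms"
$vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $disk.Id -CreateOption Attach -Linux
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm = Set-AzVMBootDiagnostic -VM $vm -Enable -ResourceGroupName $rg -StorageAccountName $sa
New-AzVM -ResourceGroupName $rg -Location $loc -VM $vm

# --- 6. Download the boot-diagnostics screenshot that shows the activation token
Get-AzVMBootDiagnosticsData -ResourceGroupName $rg -Name "honeypot" -Linux -LocalPath "C:\honeypot\diag"
```

The screenshot lands in the local folder given by -LocalPath; the token on it is what you enter when adding the honeypot in InsightIDR.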
Author: Maikel Roolvink

Manager Security Operations