We are using Huntress both on smaller networks with only client computers, and in smaller server environments up to larger datacenters.
We are missing the possibility of early warning with honeypots in our network.
What we wish for:
A small hardened appliance, deployed as an OVA (with support for Hyper-V/VMware/KVM), where we could customize the profile to match the environment:
-Windows Server 2016/2019/2022/2025
  -customizable NetBIOS name to match the environment
  -customizable share names, Samba printer queues
  -IIS web server profile with integrated auth emulation
  -possibility of services like WinRM, MSSQL emulation to answer on port open requests
-Linux flavor
  -SSH server
  -Samba server
  -MySQL server ports
  -web service (nginx, Apache etc. profile)
And when files are accessed, ports are opened or authentication is attempted, report the source IP, ARP, user agent and all possible data to the SIEM to raise an alert for investigation.
Signals from this honeypot would also give intel for the earlier parts of the timeline in an IR scenario.
A good commercial honeypot integrated with the SIEM would be my greatest Christmas wish 😁
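To show the reporting side of the wish above in working code, here is an added example (not Huntress code and not from the post's author): a minimal low-interaction decoy that listens on the service ports named in the post and turns every touch into a JSON event a SIEM collector can ingest. The port-to-service map and the event field names are assumptions for this example.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy profile for this example: services named in the post,
# mapped to their conventional ports (adjust to match the real environment).
SERVICE_PORTS = {22: "ssh", 80: "http", 445: "smb", 1433: "mssql",
                 3306: "mysql", 5985: "winrm"}


def build_event(src_ip, src_port, dst_port, payload):
    """Turn one touch on a decoy port into a SIEM-ready event (dict)."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip, "src_port": src_port, "dst_port": dst_port,
        "service": SERVICE_PORTS.get(dst_port, "unknown"), "severity": "high",
    }
    text = payload.decode("utf-8", errors="replace")
    if event["service"] == "http":          # HTTP: keep the User-Agent header
        for line in text.splitlines():
            if line.lower().startswith("user-agent:"):
                event["user_agent"] = line.split(":", 1)[1].strip()
    elif event["service"] == "ssh" and text.startswith("SSH-"):
        event["client_banner"] = text.splitlines()[0]   # SSH client version string
    event["payload_hex"] = payload[:64].hex()   # bounded, stored, never interpreted
    return event


def to_json(event):
    return json.dumps(event, sort_keys=True)   # one JSON line per event


def serve(port, sink=print):
    """Low-interaction listener: accept, read at most 1 KiB, log, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, (ip, sport) = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""   # a bare port probe is still a touch worth reporting
        sink(to_json(build_event(ip, sport, port, data)))


if __name__ == "__main__":   # ports below 1024 need root on the appliance
    for p in SERVICE_PORTS:
        threading.Thread(target=serve, args=(p,), daemon=True).start()
    threading.Event().wait()
```

Replace the `print` sink with a syslog or HTTP forwarder to get the events into the SIEM; any event at all from a decoy host is an alert candidate, since no legitimate client should ever connect to it.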