Edoardo Gerosa edited this page Jul 23, 2020 · 24 revisions

Welcome to the Sentinel-ATT&CK wiki

This wiki provides instructions to deploy and use Sentinel-ATT&CK in your Azure environment. It's designed to be a lightweight, yet comprehensive guide.

Getting started

Note: If you deployed the Sysmon Threat Hunting workbook via Sentinel's standard workbooks gallery please execute the steps in the workbook post-deployment configuration guide rather than the steps below.

To set up Sentinel-ATT&CK on Azure you must first create a resource group. Make sure that the resource group name is no longer than 10 characters and consists only of lowercase letters and numbers. When the necessary resource group has been deployed, follow the steps below:

  1. Click on the deployment button below:

    Deploy to Azure

  2. You will be redirected to a custom deployment page. Within the Basics section, click on the Resource group drop-down list and select the resource group you just created. Accept the terms and conditions and click the Purchase button. Sentinel-ATT&CK will be automatically deployed for you.

    Note: The default settings in the Settings section should not be changed, with the exception of the signedExpiry parameter in the Account Sas Properties setting. In order to work properly, Sentinel-ATT&CK makes use of whitelisting functions which require a Sas token to be configured. By default the token is set to expire on March 1st 2050 (2050-03-01T00:00:01Z). If this expiration date doesn't work for you, you can change it through the signedExpiry parameter in the Account Sas Properties setting.

  3. Once the deployment is complete you must upload the 10 whitelisting files in the lab/files folder in Sentinel-ATT&CK's whitelist blob storage container. The container can be found by browsing the storage account list for your subscription and selecting the storage account named [YOUR_WORKSPACE_ID]blobstore. The whitelist storage blob, named [YOUR_WORKSPACE_ID]-store can be found in the Blob service section of the menu list by clicking on the Containers option. Once you click on the whitelist storage blob link you will be redirected to the blob configuration page where you can use the Upload button to upload the whitelisting files.
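
The same resource group name check and whitelist upload, scripted with the Azure CLI as an added example (this is not part of the Sentinel-ATT&CK project). It assumes the Azure CLI is installed and logged in, that your account holds a blob data role on the storage account, and that the storage account and container follow the [YOUR_WORKSPACE_ID]blobstore / [YOUR_WORKSPACE_ID]-store naming given above; the whitelist directory defaults to lab/files from the repository.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code. Validates the resource group
# name rule from the guide, derives the storage account and whitelist
# container names from the workspace ID, and uploads the whitelist files.
# Assumes: Azure CLI logged in, blob data role on the account (--auth-mode login).
LC_ALL=C
export LC_ALL

# Returns 0 if NAME is 1-10 characters of lowercase letters and digits only.
valid_rg_name() {
  name="$1"
  case "$name" in
    '') return 1 ;;
    *[!a-z0-9]*) return 1 ;;
  esac
  [ "${#name}" -le 10 ]
}

# Storage account created by the template: [YOUR_WORKSPACE_ID]blobstore
blobstore_account() { printf '%sblobstore' "$1"; }

# Whitelist container in that account: [YOUR_WORKSPACE_ID]-store
whitelist_container() { printf '%s-store' "$1"; }

# Upload every file in SRC_DIR (default lab/files) to the whitelist container.
upload_whitelist() {
  workspace_id="$1"
  src_dir="${2:-lab/files}"
  [ -d "$src_dir" ] || { echo "missing directory: $src_dir" >&2; return 1; }
  az storage blob upload-batch \
    --account-name "$(blobstore_account "$workspace_id")" \
    --destination "$(whitelist_container "$workspace_id")" \
    --source "$src_dir" \
    --auth-mode login
}

# Usage: RG=sentinel01 WORKSPACE_ID=<your workspace id> sh upload_whitelist.sh
# Nothing runs unless both variables are set, so the functions can be sourced.
if [ -n "${RG:-}" ] && [ -n "${WORKSPACE_ID:-}" ]; then
  valid_rg_name "$RG" || { echo "invalid resource group name: $RG" >&2; exit 1; }
  upload_whitelist "$WORKSPACE_ID" "${SRC_DIR:-lab/files}"
fi
```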

After uploading the whitelist files your deployment will be complete and you will have a working Sentinel-ATT&CK instance ready to analyze Sysmon data through the Sysmon threat hunting workbook located under the My workbooks menu in the Sentinel workbooks section.

At this point you have two options to begin analyzing Sysmon data:

  1. You can spin up Sentinel-ATT&CK's test lab within the same resource group to automatically provision virtual machines pre-configured with Sysmon and Sentinel-ATT&CK's sysmon configuration file.

  2. If you already have virtual machines deployed in the resource group, you can onboard Sysmon data to your Sentinel instance by following the dedicated Sysmon data onboarding guide.

Costs

The monthly cost of running the Sentinel-ATT&CK test lab - assuming the instructions in this wiki are followed and that virtual machines are never stopped - averages around $125 per month. The bulk of this is generated by virtual machine and storage costs. Costs can be reduced further by destroying the lab every time you log out of Azure and re-deploying it on the next login.

Additional guides

Some additional guides are also offered below. These cover various topics relating to using Sentinel-ATT&CK tools, and you are strongly encouraged to read them all: