Sentinel Attack Versions

Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK

v.1.4.3

3 years ago

Changelog

Changed

  • Upgraded the lab deployment script to use the latest version (v2.40) of the azurerm provider plugin
  • Improved stability and maintainability of the lab deployment script
  • Improved management of sensitive information within the terraform .tfvars file
  • Standardised naming of lab resources
  • Updated the Sentinel ATT&CK test lab documentation page

Fixed

  • Miscellaneous fixes and improvements to make the script compatible with terraform v0.14.5
  • Bug in the lab deployment script that prevented the Win10 machine from joining the domain
  • Eliminated all deprecation warnings
  • Confusing variable naming conventions within the terraform .tfvars file

Removed

  • Automatic deployment of sentinel-attack whitelisting files

v.1.4.2

3 years ago

Changelog

Changed

  • Simplified terraform lab deployment script
  • Updated wiki

Added

  • Deploy to Azure button
  • ARM template to automate the deployment of Sentinel-ATT&CK's Sysmon parser, whitelisting functions and Sysmon threat hunting workbook

v.1.4.1

3 years ago

Changelog

Fixed

  • Bug fix to sysmon parser

Added

  • Project icon

v.1.4.0

3 years ago

Changelog

Fixed

  • Minor bug fixes to terraform lab deployment script and files
  • Minor bug fix to sysmon config

Changed

  • Updated wiki
  • Packaged drilldowns workbooks into a single sysmon threat hunting workbook

Removed

  • ATT&CK telemetry dashboard and hunting Jupyter notebook

v.1.3.0

4 years ago

Changelog

Changed

  • Updated terraform lab deployment script to provision whitelisting files
  • Updated documentation and wiki
  • Updated workbook queries to exclude whitelisted Sysmon events

Added

  • DNS whitelisting
  • File access whitelist
  • File create whitelist
  • Image load whitelist
  • Network whitelist
  • Pipe whitelist
  • Process access whitelist
  • Process create whitelist
  • Registry whitelist
  • Remote thread whitelist
  • Whitelisting macro functions
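To show the pattern behind the entries above (a per-event-type whitelist packaged as a KQL function, which the workbook queries invoke so that known-good Sysmon events drop out of the hunt), here is an added example. It is not Sentinel ATT&CK's own whitelist, parser or workbook code: the table name `Sysmon_Parsed`, the function name `Sysmon_ProcessCreateWhitelist`, the OSSEM-style column names and the sample rows are all assumptions constructed for the illustration.

```kql
// Constructed sample of parsed Sysmon process-creation events (Event ID 1),
// standing in for the project's parsed Sysmon table. Table and column names are
// assumptions; the rows are made up for this example.
let Sysmon_Parsed = datatable(
    EventID:int, Computer:string, user_name:string,
    process_path:string, process_parent_path:string, process_command_line:string)
[
    1, "WIN10-01", @"LAB\svc",             @"C:\Windows\System32\svchost.exe",
        @"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs",
    1, "WIN10-01", @"LAB\jsmith",          @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        @"C:\Windows\System32\cmd.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA",
    1, "WIN10-01", @"NT AUTHORITY\SYSTEM", @"C:\Windows\System32\wbem\WmiPrvSE.exe",
        @"C:\Windows\System32\svchost.exe", @"C:\Windows\System32\wbem\WmiPrvSE.exe",
    1, "DC-01",    @"LAB\jsmith",          @"C:\Windows\System32\cmd.exe",
        @"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmd.exe /c whoami"
];
// Whitelisting "macro": a tabular function that removes known-good process
// creations. In a deployment this is saved as a Log Analytics function so that
// every workbook query can call it through `invoke`; the name is an assumption.
let Sysmon_ProcessCreateWhitelist = (T:(EventID:int, Computer:string, user_name:string,
        process_path:string, process_parent_path:string, process_command_line:string)) {
    T
    | where not(
        // service host spawned by the Service Control Manager
        (process_path =~ @"C:\Windows\System32\svchost.exe"
            and process_parent_path =~ @"C:\Windows\System32\services.exe")
        // WMI provider host started by its svchost as SYSTEM
        or (process_path =~ @"C:\Windows\System32\wbem\WmiPrvSE.exe"
            and process_parent_path =~ @"C:\Windows\System32\svchost.exe"
            and user_name =~ @"NT AUTHORITY\SYSTEM")
    )
};
// Hunting query as a workbook would run it: process creations that survive the
// whitelist. On the sample rows this leaves the encoded PowerShell launched from
// cmd.exe and the cmd.exe spawned by WINWORD.EXE.
Sysmon_Parsed
| where EventID == 1
| invoke Sysmon_ProcessCreateWhitelist()
| project Computer, user_name, process_parent_path, process_path, process_command_line
```

In a real workspace the `let` for the sample table is not needed; the function is saved as a Log Analytics function (the step the v1.4.2 ARM template automates for the project's own whitelists), and each workbook query finishes its filtering with `invoke` against the whitelist for its event type. One caveat for anyone writing such rules: a whitelist keyed only on process path and parent path is bypassable by masquerading (an attacker binary dropped at, or renamed to, a whitelisted path), so where the parser exposes them, pair path rules with the hash and OriginalFileName fields that Sysmon records in Event ID 1.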

v.1.2

4 years ago

Changelog

Changed

  • Updated terraform lab deployment script to provision an Active Directory domain controller and join the test virtual machine to the domain
  • Updated documentation

Added

  • Computer drilldown workbook
  • File create drilldown workbook
  • Network connection drilldown workbook
  • Pipe name drilldown workbook
  • Process guid drilldown workbook
  • ATT&CK drilldown workbook
  • User drilldown workbook

v.1.1.0

4 years ago

Changelog

Changed

  • Updated sysmon configuration file

Added

  • Wiki
  • Providers in the Terraform script to automatically provision Sentinel within the demo lab

Fixed

  • Bug in Sysmon-OSSEM preventing the parsing of Event ID 3
  • Bug in Sysmon-OSSEM causing the incorrect parsing of Sysmon Event ID 7