merge v.1.4.0

netevert · May 31, 2020 · 2a37854 · 2a37854
1 parent ce5c11b
commit 2a37854
Show file tree

Hide file tree

Showing 39 changed files with 5,282 additions and 8,599 deletions.
diff --git a/README.md b/README.md
@@ -8,20 +8,18 @@
 
 Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel.
 
-**DISCLAIMER:** This tool is not a magic bullet. It will require tuning and real investigative work to be truly effective in your environment.
+**DISCLAIMER:** This tool requires tuning and investigative trialling to be truly effective in a production environment.
 
  ![demo](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/demo.gif)
 
 ### Overview
  Sentinel ATT&CK provides the following set of tools: 
  - A [Sysmon configuration file](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/sysmonconfig.xml) compatible with Azure Sentinel and mapped to specific ATT&CK techniques  
- - A [Sysmon log parser](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/parsers/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/Cyb3rWard0g/OSSEM) data model
- - A [dashboard](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/dashboards/attack_telemetry.json) providing an overview of ATT&CK techniques executed on your Azure environment
+ - A [Sysmon log parser](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/parser/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/Cyb3rWard0g/OSSEM) data model
  - 117 ready-to-use Kusto [detection rules](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/detections) covering 156 ATT&CK techniques
- - A [Hunting Jupyter notebook](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/hunting/notebooks) to assist with process drill-downs 
- - [Azure threat hunting workbooks](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/hunting/workbooks) inspired by the [Threat Hunting App](https://splunkbase.splunk.com/app/4305/) for Splunk to help simplify your threat hunts
+ - A [Sysmon threat hunting workbook](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/hunting) inspired by the [Threat Hunting App](https://splunkbase.splunk.com/app/4305/) for Splunk to help simplify threat hunts
  - A [Terraform](https://www.terraform.io/) script to provision a lab to test Sentinel ATT&CK
- - Comprehensive guides to help you use the materials in this repository
+ - Comprehensive guidance to help you use the materials in this repository
 
 ### Usage
 Head over to the [WIKI](https://github.com/BlueTeamLabs/sentinel-attack/wiki) to learn how to deploy and run Sentinel ATT&CK.

diff --git a/dashboards/attack_telemetry.json b/dashboards/attack_telemetry.json
diff --git a/docs/demo.gif b/docs/demo.gif
diff --git a/docs/enable-event-logs.gif b/docs/enable-event-logs.gif
diff --git a/docs/install-parser.gif b/docs/install-parser.gif
diff --git a/docs/upload-workbooks.gif b/docs/upload-workbooks.gif
diff --git a/hunting/functions/dns_whitelist.txt b/hunting/functions/dns_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, process_path:string, query_name:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/file_access_whitelist.txt b/hunting/functions/file_access_whitelist.txt
@@ -0,0 +1 @@
+externaldata(technique_id:string, host:string, process_path:string, file_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/file_create_whitelist.txt b/hunting/functions/file_create_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, file_name:string, file_path:string, process_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/image_load_whitelist.txt b/hunting/functions/image_load_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, process_path:string, driver_loaded:string, driver_is_signed:string, driver_signature:string, driver_signature_status:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/network_whitelist.txt b/hunting/functions/network_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, user_name:string, process_path:string, src_ip:string, dst_ip:string, dst_port:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/pipe_whitelist.txt b/hunting/functions/pipe_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, process_path:string, pipe_name:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/process_access_whitelist.txt b/hunting/functions/process_access_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, process_path:string, target_process_path:string, process_granted_access:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/process_create_whitelist.txt b/hunting/functions/process_create_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, user:string, process_parent_path:string, process_path:string, process_command_line:string, hash_sha256:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/registry_whitelist.txt b/hunting/functions/registry_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, event_type:string, process_path:string, registry_key_path:string, registry_key_details:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/functions/remote_thread_whitelist.txt b/hunting/functions/remote_thread_whitelist.txt
@@ -0,0 +1 @@
+externaldata(host:string, event_type:string, process_path:string, target_process_path:string, target_process_address:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
diff --git a/hunting/notebooks/config.ini b/hunting/notebooks/config.ini
diff --git a/hunting/notebooks/drilldown_notebook.ipynb b/hunting/notebooks/drilldown_notebook.ipynb
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		externaldata(host:string, process_path:string, query_name:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		externaldata(technique_id:string, host:string, process_path:string, file_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		externaldata(host:string, file_name:string, file_path:string, process_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		externaldata(host:string, user_name:string, process_path:string, src_ip:string, dst_ip:string, dst_port:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		externaldata(host:string, user:string, process_parent_path:string, process_path:string, process_command_line:string, hash_sha256:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		externaldata(host:string, event_type:string, process_path:string, registry_key_path:string, registry_key_details:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)