Skip to content

Atomic Red Team Sentinel Workbook

logo

This workbook helps you assess your Microsoft Sentinel Analytics Detection coverage against a threat Actor/profile.Furthermore, this tool enables defenders to start aligning their Sentinel day-to-day SOC operations with the MITRE ATT&CK framework.

logo

Threat Profiling

The first step is to provide the tool with a threat profile. The threat profile is represented as MITRE ATT&CK navigation layer. The infosec community already shares many navigation layers of threat profiles and mapped threat intelligence reports. If you have a Threat Heat map as a MITRE ATT&CK navigation layer you can use the MITRE2CSV.py script to convert it to a CSV file. Create a Watchlist using that csv file. The name of the watchlist should follow this format: Threat_Profile_. For example, Threat_Profile_APT28</p> <h2 id="generate-microsoft-sentinel-analytics-watchlist">Generate Microsoft Sentinel Analytics Watchlist</h2> <p>Once you create threat profile watchlists, you need to create a watchlist containing your Microsoft Sentinel Analytics Coverage. In order to do that, export the Analytics table from the deployed workbook and use the script <strong>Coverage2CSV.py</strong> to create a CSV file containing the techniques coveraged by your sentinel analytics rules. Use that csv file to create a watchlist. </p> <h2 id="generate-atomic-tests-watchlist">Generate Atomic Tests Watchlist</h2> <p>At this phase, you already created threat profiles and coverage watchlists. Then, create a watchlist that contains all Atomic Red Team tests. To generate the needed csv when creating the watchlist use the script <strong>MITRE2csv.py </strong></p> <p>Now you have everything to use the workbook. To identify the Atomic tests that you can use to perform threat emulation and enhance your detection capabilities by writing new rules for them. </p> <p align="center"> <img src="https://github.com/Intellisec-Solutions/Atomic-Red-Team-Sentinel-Workbook/blob/main/Images/screenshot.png?raw=true" alt="logo" style="width:1400px"></a> </p> </article> </div> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../caldera/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Connecting CALDERA to Microsoft Sentinel - Playbook and Workbook" rel="prev"> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </div> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Previous </span> Connecting CALDERA to Microsoft Sentinel - Playbook and Workbook </div> </div> </a> <a href="../sigmaworkbook/" class="md-footer__link md-footer__link--next" aria-label="Next: SIGMA Rules Microsoft Sentinel Workbook" rel="next"> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Next </span> SIGMA Rules Microsoft Sentinel Workbook </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> <script id="__config" type="application/json">{"base": "..", "features": [], "search": "../assets/javascripts/workers/search.b97dbffb.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}}</script> <script src="../assets/javascripts/bundle.6c7ad80a.min.js"></script> </body> </html>