
Microsoft Sentinel SIGMA Rules Workbook


This workbook helps you assess your Microsoft Sentinel Analytics detection coverage against a threat actor or threat profile. It also lets defenders start aligning their day-to-day Sentinel SOC operations with the MITRE ATT&CK framework.


Threat Profiling

The first step is to provide the tool with a threat profile. The threat profile is represented as a MITRE ATT&CK Navigator layer. The infosec community already shares many Navigator layers of threat profiles and mapped threat intelligence reports. If you have a threat heat map as a MITRE ATT&CK Navigator layer, you can use the MITRE2CSV.py script to convert it to a CSV file, then create a Watchlist from that CSV file. The name of the watchlist should follow the format Threat_Profile_ followed by the actor or profile name, for example Threat_Profile_APT28.

Generate Microsoft Sentinel Analytics Watchlist

Once you have created the threat profile watchlists, you need to create a watchlist containing your Microsoft Sentinel Analytics coverage. To do that, export the Analytics table from the deployed workbook and use the script Coverage2CSV.py to create a CSV file listing the techniques covered by your Sentinel analytics rules. Use that CSV file to create a watchlist.

SIGMA Rules Watchlist

At this point you have created the threat profile and coverage watchlists. Next, create a watchlist that contains all SIGMA rule links. To generate the CSV needed for that watchlist, use the script SIGMA2csv.py.

Now you have everything needed to use the workbook and to identify the SIGMA rules you can use to enhance your detection capabilities.

Screenshot: https://github.com/Intellisec-Solutions/Microsoft-Sentinel-SIGMA-Rules-Workbook/blob/main/Images/Screenshot_sigma.png?raw=true
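The procedure above boils down to two data steps: reduce an ATT&CK Navigator layer to the technique IDs the profile actually marks, and compare that list with the techniques your analytics rules already cover. The following is an added example written for this page; it is not the project's MITRE2CSV.py or Coverage2CSV.py, and the layer JSON, the coverage list and the CSV column names (Technique, Tactic, Score) are constructed assumptions, as is the choice to let a rule mapped to a parent technique count as covering its sub-techniques.

```python
"""
Added example (not the project's own scripts): convert a constructed ATT&CK
Navigator layer into watchlist-style CSV rows and list the techniques in the
threat profile that no deployed analytics rule covers yet.
"""
import csv
import io
import json

# Constructed, minimal Navigator layer; real layers carry more keys
# (versions, gradient, legend items, ...) that a converter can ignore.
SAMPLE_LAYER = json.dumps({
    "name": "Threat_Profile_EXAMPLE",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 1, "enabled": True},
        {"techniqueID": "T1566.001", "tactic": "initial-access", "score": 1, "enabled": True},
        {"techniqueID": "T1003.001", "tactic": "credential-access", "score": 1, "enabled": True},
        {"techniqueID": "T1021.002", "tactic": "lateral-movement", "score": 1, "enabled": True},
        {"techniqueID": "T1547.001", "tactic": "persistence", "score": 1, "enabled": False},
    ],
})

# Constructed coverage list: the technique IDs an export of the workbook's
# Analytics table would be reduced to. "T1003" is a parent-level mapping.
SAMPLE_COVERAGE = ["T1059.001", "T1003", "T1078"]

# Assumed column names for the watchlist CSV.
WATCHLIST_COLUMNS = ["Technique", "Tactic", "Score"]


def layer_to_rows(layer_json: str, min_score: int = 1) -> list[dict]:
    """Keep techniques that are enabled and scored at or above min_score.

    Heat-map layers typically mark techniques that are not part of the
    profile with score 0 or enabled=false, so both are filtered out.
    """
    layer = json.loads(layer_json)
    rows = []
    for t in layer.get("techniques", []):
        if not t.get("enabled", True) or t.get("score", 0) < min_score:
            continue
        rows.append({
            "Technique": t["techniqueID"],
            "Tactic": t.get("tactic", ""),
            "Score": t.get("score", 0),
        })
    return rows


def rows_to_csv(rows: list[dict]) -> str:
    """Render the rows as the CSV text a watchlist upload expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=WATCHLIST_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def coverage_gaps(profile_rows: list[dict], covered: list[str]) -> list[str]:
    """Return profile techniques with no covering analytics rule, sorted.

    Assumption: a rule mapped to a parent technique (T1003) also covers its
    sub-techniques (T1003.001). Drop the parent check for strict matching.
    """
    covered_set = set(covered)
    gaps = []
    for row in profile_rows:
        tid = row["Technique"]
        parent = tid.split(".")[0]
        if tid in covered_set or parent in covered_set:
            continue
        gaps.append(tid)
    return sorted(gaps)


if __name__ == "__main__":
    profile = layer_to_rows(SAMPLE_LAYER)
    print(rows_to_csv(profile))
    print("Uncovered techniques:", coverage_gaps(profile, SAMPLE_COVERAGE))
```

Run stand-alone it prints the four-row CSV and reports T1021.002 and T1566.001 as uncovered; those are the technique IDs you would then look up in the SIGMA rules watchlist for candidate detections.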