Skip to content

Commit

Permalink
simplified lab deployment script
Browse files Browse the repository at this point in the history
  • Loading branch information
netevert committed Jul 11, 2020
1 parent 176e161 commit bb727c5
Show file tree
Hide file tree
Showing 3 changed files with 19 additions and 159 deletions.
7 changes: 4 additions & 3 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
[![](https://img.shields.io/badge/2019-DEF%20CON%2027-blueviolet?style=flat-square)](https://2019.cloud-village.org/#talks?olafedoardo)
<!--
[![](https://img.shields.io/badge/Azure%20Sentinel%20workbooks%20gallery-grey?style=flat-square&logo=microsoft-azure)](https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SysmonThreatHunting.json)
[![](https://img.shields.io/badge/Official%20Azure%20Sentinel%20workbook-grey?style=flat-square&logo=microsoft-azure)](https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SysmonThreatHunting.json)
-->
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FBlueTeamLabs%2Fsentinel-attack%2Fdev%2Fv.1.4.2%2Fazuredeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FBlueTeamLabs%2Fsentinel-attack%2Fmaster%2Fazuredeploy.json)

Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel.

Expand All @@ -17,7 +17,8 @@ Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capabi
![demo](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/demo.gif)

### Overview
Sentinel ATT&CK provides the following set of tools:
Sentinel ATT&CK provides the following tools:
- An [ARM template](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/azuredeploy.json) to automatically deploy Sentinel ATT&CK to your Azure environment
- A [Sysmon configuration file](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/sysmonconfig.xml) compatible with Azure Sentinel and mapped to specific ATT&CK techniques
- A [Sysmon log parser](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/parser/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/Cyb3rWard0g/OSSEM) data model
- 117 ready-to-use Kusto [detection rules](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/detections) covering 156 ATT&CK techniques
Expand Down
169 changes: 14 additions & 155 deletions lab/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,52 +7,20 @@ provider "azurerm" {
tenant_id = var.authentication.tenant_id
}

# Create dedicated resource group
resource "azurerm_resource_group" "rg" {
name = "${var.prefix}-rg"
location = var.location
tags = var.tags
}

# Create underlying log analytics workspace for sentinel
resource "azurerm_log_analytics_workspace" "rgcore-management-la" {
name = "${var.prefix}-la"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku = "PerGB2018"
retention_in_days = 90
depends_on = [azurerm_resource_group.rg]
}

# Deploy sentinel
resource "azurerm_log_analytics_solution" "la-opf-solution-sentinel" {
solution_name = "SecurityInsights"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
workspace_resource_id = azurerm_log_analytics_workspace.rgcore-management-la.id
workspace_name = azurerm_log_analytics_workspace.rgcore-management-la.name
plan {
publisher = "Microsoft"
product = "OMSGallery/SecurityInsights"
}
depends_on = [azurerm_log_analytics_workspace.rgcore-management-la]
}

# Create lab virtual network
resource "azurerm_virtual_network" "vnet" {
name = "${var.prefix}-vnet"
address_space = ["10.0.0.0/16"]
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
tags = var.tags
depends_on = [azurerm_log_analytics_solution.la-opf-solution-sentinel]
}

# Create network security group and rules
resource "azurerm_network_security_group" "nsg" {
name = "${var.prefix}-nsg"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
tags = var.tags
depends_on = [azurerm_virtual_network.vnet]

Expand Down Expand Up @@ -132,7 +100,7 @@ resource "azurerm_network_security_group" "nsg" {
# Create lab subnet
resource "azurerm_subnet" "subnet" {
name = "${var.prefix}-subnet"
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefix = "10.0.1.0/24"
network_security_group_id = azurerm_network_security_group.nsg.id
Expand All @@ -142,8 +110,8 @@ resource "azurerm_subnet" "subnet" {
# Create storage account
resource "azurerm_storage_account" "storageaccount" {
name = "${var.prefix}sablobstrg01"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
resource_group_name = "${var.prefix}"
location = var.location
account_tier = "Standard"
account_replication_type = "GRS"
depends_on = [azurerm_subnet.subnet]
Expand Down Expand Up @@ -177,130 +145,21 @@ resource "azurerm_storage_blob" "adblob" {
source = "./files/create-ad.ps1"
}

# Create blob storage container for whitelisting files
resource "azurerm_storage_container" "whiteliststorage" {
name = "${var.prefix}-store2"
storage_account_name = azurerm_storage_account.storageaccount.name
container_access_type = "private"
depends_on = [azurerm_storage_blob.adblob]
}

# Create storage blob for process create whitelist file
resource "azurerm_storage_blob" "pcwhitelist" {
depends_on = [azurerm_storage_container.whiteliststorage]
name = "process_create_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/process_create_whitelist.csv"
}

# Create storage blob for dns whitelist file
resource "azurerm_storage_blob" "dnswhitelist" {
depends_on = [azurerm_storage_blob.pcwhitelist]
name = "dns_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/dns_whitelist.csv"
}

# Create storage blob for file access whitelist file
resource "azurerm_storage_blob" "fawhitelist" {
depends_on = [azurerm_storage_blob.dnswhitelist]
name = "file_access_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/file_access_whitelist.csv"
}

# Create storage blob for file create whitelist file
resource "azurerm_storage_blob" "fcwhitelist" {
depends_on = [azurerm_storage_blob.fawhitelist]
name = "file_create_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/file_create_whitelist.csv"
}


# Create storage blob for image load whitelist file
resource "azurerm_storage_blob" "ilwhitelist" {
depends_on = [azurerm_storage_blob.fcwhitelist]
name = "image_load_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/image_load_whitelist.csv"
}

# Create storage blob for network whitelist file
resource "azurerm_storage_blob" "netwhitelist" {
depends_on = [azurerm_storage_blob.ilwhitelist]
name = "network_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/network_whitelist.csv"
}

# Create storage blob for pipe whitelist file
resource "azurerm_storage_blob" "pipewhitelist" {
depends_on = [azurerm_storage_blob.netwhitelist]
name = "pipe_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/pipe_whitelist.csv"
}

# Create storage blob for process access whitelist file
resource "azurerm_storage_blob" "pawhitelist" {
depends_on = [azurerm_storage_blob.pipewhitelist]
name = "process_access_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/process_access_whitelist.csv"
}

# Create storage blob for registry whitelist file
resource "azurerm_storage_blob" "regwhitelist" {
depends_on = [azurerm_storage_blob.pawhitelist]
name = "registry_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/registry_whitelist.csv"
}

# Create storage blob for remote thread whitelist file
resource "azurerm_storage_blob" "rtwhitelist" {
depends_on = [azurerm_storage_blob.pawhitelist]
name = "remote_thread_whitelist.csv"
storage_account_name = azurerm_storage_account.storageaccount.name
storage_container_name = azurerm_storage_container.whiteliststorage.name
type = "block"
source = "./files/remote_thread_whitelist.csv"
}

# Create public ip for domain controller 1
resource "azurerm_public_ip" "dc1_publicip" {
name = "${var.workstations.dc1}-external"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
allocation_method = "Dynamic"
tags = var.tags
depends_on = [azurerm_storage_blob.rtwhitelist]
depends_on = [azurerm_storage_blob.adblob]
}

# Create network interface for domain controller 1
resource "azurerm_network_interface" "dc1_nic" {
name = "${var.workstations.dc1}-primary"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
network_security_group_id = azurerm_network_security_group.nsg.id
tags = var.tags

Expand All @@ -317,7 +176,7 @@ resource "azurerm_network_interface" "dc1_nic" {
resource "azurerm_virtual_machine" "dc1" {
name = var.workstations.dc1
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
network_interface_ids = ["${azurerm_network_interface.dc1_nic.id}"]
vm_size = var.workstations.vm_size
tags = var.tags
Expand Down Expand Up @@ -364,7 +223,7 @@ resource "azurerm_virtual_machine" "dc1" {
resource "azurerm_virtual_machine_extension" "create_ad" {
name = "create_ad"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
virtual_machine_name = azurerm_virtual_machine.dc1.name
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
Expand All @@ -383,7 +242,7 @@ SETTINGS
resource "azurerm_public_ip" "pc1_publicip" {
name = "${var.workstations.pc1}-external"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
allocation_method = "Dynamic"
tags = var.tags
depends_on = [azurerm_virtual_machine_extension.create_ad]
Expand All @@ -393,7 +252,7 @@ resource "azurerm_public_ip" "pc1_publicip" {
resource "azurerm_network_interface" "pc1_nic" {
name = "${var.workstations.pc1}-primary"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
network_security_group_id = azurerm_network_security_group.nsg.id
tags = var.tags#
ip_configuration {
Expand All @@ -409,7 +268,7 @@ resource "azurerm_network_interface" "pc1_nic" {
resource "azurerm_virtual_machine" "pc1" {
name = var.workstations.pc1
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
network_interface_ids = ["${azurerm_network_interface.pc1_nic.id}"]
vm_size = var.workstations.vm_size
tags = var.tags
Expand Down Expand Up @@ -456,7 +315,7 @@ resource "azurerm_virtual_machine" "pc1" {
resource "azurerm_virtual_machine_extension" "utils_pc1" {
name = "utils_pc1"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
resource_group_name = "${var.prefix}"
virtual_machine_name = azurerm_virtual_machine.pc1.name
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
Expand Down
2 changes: 1 addition & 1 deletion lab/variables.tfvars.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ authentication = {
}

location = "" # eg. westus
prefix = "" # eg. azure-sentinel-lab
prefix = "" # eg. azure-sentinel-lab; NOTE: ensure this is identical to the resource group within which Sentinel-ATT&CK has been deployed

tags = {
environment = "" # eg. dev, testing, staging
Expand Down

0 comments on commit bb727c5

Please sign in to comment.