Edoardo Gerosa edited this page May 31, 2020 · 25 revisions

Welcome to the sentinel-attack wiki

This wiki is designed to walk you through setting up Sentinel-ATT&CK in your Azure environment. It's meant to be a lightweight step-by-step guide.

Getting started

To set up Sentinel ATT&CK on Azure the following steps must be performed:

  1. Quickly spin up a test lab on Azure Sentinel (optional but recommended)
  2. Deploy Sentinel and onboard Sysmon data
  3. Install the ATT&CK telemetry dashboard
  4. Upload selected Kusto queries into Sentinel analytics (Optional)
  5. Deploy threat hunting workbooks (Optional)
  6. Deploy Jupyter threat hunting notebooks (Optional)

Costs

The monthly cost of running the Sentinel-ATT&CK test lab, assuming the above instructions are followed and the default Terraform variables are used in the deployment script, averages around $50 per month. Most of that cost comes from the virtual machine and storage resources. Costs can be reduced further by destroying the lab every time you log out of Azure and re-deploying it on the next login.
