
Deploying sentinel ATT&CK analytics

Edoardo Gerosa edited this page Feb 8, 2020 · 8 revisions

The detections folder contains 117 Kusto queries that can be used to:

  • Create Azure Sentinel detection rules
  • Execute hunts for specific ATT&CK techniques

In aggregate the queries cover a total of 156 ATT&CK techniques applicable to Microsoft Windows environments:

[Image: ATT&CK technique coverage matrix]

Note: Each detection rule in the detections folder has been individually tested and should work out of the box. However if you spot any issues in the Kusto source code feel free to open an issue or submit a pull request.

Create Azure Sentinel detection rules

The detection queries in this repository can be used to create Sentinel detection rules through the Analytics blade.

Each detection rule provides the following information in the rule comments:

Information              Description
Name                     Name of the detection rule
Description              Description of the detection rule
Severity                 Alert severity to set in Sentinel analytics
Query frequency          Query frequency (how often the rule runs) to set in Sentinel analytics
Query period             Query period (lookback window) to set in Sentinel analytics
Alert trigger threshold  Alert threshold to set in Sentinel analytics
Tactics                  ATT&CK tactic(s) addressed by the detection rule

Creating a detection rule in Azure Sentinel through the Analytics blade is done as shown below, copying the values from the rule comments into the corresponding fields:

[Animation: demo1, creating a detection rule in the Analytics blade]

Alternatively, the AZSentinel PowerShell module developed by Wortell Sec can be used to bulk-upload all the rules in this folder to your Sentinel workspace in an automated manner. A JSON configuration file is provided in the repository for this purpose.

Instructions for the prerequisites needed to run AZSentinel can be found in the AZSentinel documentation.

Once AZSentinel is installed, the rules in this folder can be automatically imported with this command:

Import-AzSentinelAlertRule -WorkspaceName "{workspace_name}" -SettingsFile "sentinel_attack_rules.json"

Note: Ensure that you have first followed the steps in this documentation before attempting to upload the rules. The rules depend on the Sysmon parser function, so that function must be saved with the name "Sysmon" for the automatically imported rules to work.
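The script below is an added example and is not code from the sentinel-attack repository or from the AZSentinel module. It ties the comment-header fields listed in the table above to the bulk import: it parses a rule file's header into one settings-file entry, then runs the checks worth doing before calling Import-AzSentinelAlertRule, namely that the severity is spelled the way Sentinel expects, that the query frequency and period sit inside Sentinel's scheduling limits (no more often than every 5 minutes, lookback of at most 14 days, period not shorter than frequency), and that every query actually calls the function saved as Sysmon. The `// Key: value` header layout, the `{"analytics": [...]}` shape and key names of the settings file, and the field names inside the sample query (EventID, process_command_line) are assumptions for illustration, not taken from the repository.

```python
"""Pre-flight check for bulk-importing sentinel-attack rules with AZSentinel.

Added example, not part of the sentinel-attack repository or of AZSentinel. The
"// Key: value" rule header and the {"analytics": [...]} settings-file layout
below are assumed; adjust the key names if your files differ.
"""
import json
import re

VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}
VALID_TACTICS = {
    "InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
    "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
    "Collection", "CommandAndControl", "Exfiltration", "Impact",
}
MIN_FREQUENCY_MIN = 5          # Sentinel will not schedule a rule more often than every 5 minutes
MAX_PERIOD_MIN = 14 * 24 * 60  # Sentinel caps the lookback (query period) at 14 days
PARSER_FUNCTION = "Sysmon"     # name the parser function must be saved under

# Header field as written in the rule comments -> settings-file key (assumed AZSentinel names)
HEADER_TO_KEY = {
    "Name": "displayName", "Description": "description", "Severity": "severity",
    "Query frequency": "queryFrequency", "Query period": "queryPeriod",
    "Alert trigger threshold": "triggerThreshold", "Tactics": "tactics",
}
_HEADER_LINE = re.compile(r"^//\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
_DURATION = re.compile(r"^(\d+)([mhd])$", re.IGNORECASE)  # "5m", "1h", "1d"


def duration_minutes(value):
    """Convert a duration such as "15m", "1h" or "1d" to minutes."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised duration {value!r}")
    return int(m.group(1)) * {"m": 1, "h": 60, "d": 1440}[m.group(2).lower()]


def rule_from_kql(text):
    """Turn a rule file (comment header followed by the query) into one settings entry."""
    rule, query_lines, in_header = {}, [], True
    for line in text.splitlines():
        stripped = line.strip()
        if in_header and stripped.startswith("//"):
            m = _HEADER_LINE.match(stripped)
            if m and m.group(1) in HEADER_TO_KEY:   # unknown header keys are ignored
                rule[HEADER_TO_KEY[m.group(1)]] = m.group(2)
            continue
        if in_header and not stripped:
            continue
        in_header = False                          # first real line starts the query body
        query_lines.append(line)
    rule["query"] = "\n".join(query_lines)
    if "triggerThreshold" in rule:
        rule["triggerThreshold"] = int(rule["triggerThreshold"])
    if "tactics" in rule:
        rule["tactics"] = [t.strip() for t in rule["tactics"].split(",")]
    return rule


def check_rule(rule):
    """Return the problems found in one settings entry (empty list if it is fine)."""
    missing = [k for k in HEADER_TO_KEY.values() if k not in rule]
    if missing:
        return ["missing field(s): " + ", ".join(missing)]
    problems = []
    if rule["severity"] not in VALID_SEVERITIES:
        problems.append(f"severity {rule['severity']!r} is not one of {sorted(VALID_SEVERITIES)}")
    try:
        freq, period = duration_minutes(rule["queryFrequency"]), duration_minutes(rule["queryPeriod"])
    except ValueError as exc:
        return problems + [str(exc)]
    if freq < MIN_FREQUENCY_MIN:
        problems.append("queryFrequency is below Sentinel's 5 minute minimum")
    if period > MAX_PERIOD_MIN:
        problems.append("queryPeriod exceeds Sentinel's 14 day maximum")
    if period < freq:
        problems.append("queryPeriod is shorter than queryFrequency: events between runs are never examined")
    if not isinstance(rule["triggerThreshold"], int) or rule["triggerThreshold"] < 0:
        problems.append("triggerThreshold must be a non-negative integer")
    unknown = sorted(set(rule["tactics"]) - VALID_TACTICS)
    if unknown:
        problems.append("unknown tactic(s): " + ", ".join(unknown))
    # The import itself succeeds regardless, but a query that cannot resolve the parser
    # function fails on every scheduled run, so catch a renamed function here.
    if not re.search(rf"\b{PARSER_FUNCTION}\b", rule["query"]):
        problems.append(f"query does not reference the {PARSER_FUNCTION} parser function")
    return problems


def check_settings(text):
    """Validate a whole settings file; returns {displayName: [problems]} for bad entries."""
    report = {}
    for i, rule in enumerate(json.loads(text).get("analytics", [])):
        problems = check_rule(rule)
        if problems:
            report[rule.get("displayName", f"analytics[{i}]")] = problems
    return report


# Constructed sample rule in the assumed header format; the query's field names are illustrative.
SAMPLE_RULE = """\
// Name: Mshta launched with a remote script
// Description: Sysmon process creation where mshta.exe is passed an http(s) URL
// Severity: Medium
// Query frequency: 1h
// Query period: 1h
// Alert trigger threshold: 0
// Tactics: Execution, DefenseEvasion

Sysmon
| where EventID == 1
| where process_command_line has "mshta" and process_command_line matches regex @"https?://"
| project TimeGenerated, Computer, process_command_line
"""

# Constructed settings file: entry one comes from the rule above; entry two is deliberately
# broken (lower-case severity, period shorter than frequency, no call to the Sysmon function).
SAMPLE_SETTINGS = json.dumps({"analytics": [
    rule_from_kql(SAMPLE_RULE),
    {"displayName": "Broken rule", "description": "x", "severity": "medium",
     "query": "SecurityEvent | where EventID == 4688", "queryFrequency": "1d",
     "queryPeriod": "1h", "triggerThreshold": 0, "tactics": ["Execution"]},
]})

if __name__ == "__main__":
    for name, problems in check_settings(SAMPLE_SETTINGS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run it against the real sentinel_attack_rules.json (json.loads of the file contents passed to check_settings) before the import; an empty report means every entry is in range and every query names the Sysmon function, while a non-empty report lists, per rule, exactly what Sentinel would reject or what would silently fail at run time.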

Execute hunts for specific ATT&CK techniques

The detection rules in this repository can also be used to conduct one-off threat hunts for specific ATT&CK techniques executed on a network, by running the query directly in the Logs blade, as shown below:

[Animation: demo2, running a detection query as a one-off hunt]

If needed, you can then deploy the threat hunting workbooks to your Sentinel workspace.

ATT&CK coverage report

ATT&CK coverage reports for the detection rules in this repository are available in SVG, Excel and ATT&CK Navigator JSON format.