
Sysmon Threat Hunting workbook post deployment configuration

Edoardo Gerosa edited this page Jul 23, 2020 · 2 revisions

If you deploy Sentinel-ATT&CK's Sysmon Threat Hunting workbook via Azure Sentinel's workbooks gallery you'll have to perform the additional configuration steps below to make the workbook function:

  1. Click on the deployment button below:

    Deploy to Azure

  2. You will be redirected to a custom deployment page. In the Basics section, open the Resource group drop-down list and select the resource group in which your Sentinel instance is deployed. Then, in the Settings section, fill in the Workspace_name parameter with the exact name of the Log Analytics workspace underlying your Sentinel instance. Accept the terms and conditions and click the Purchase button. Sentinel-ATT&CK will be deployed automatically.

    Note: Apart from Workspace_name, leave the default values in the Settings section unchanged, with one exception: the signedExpiry parameter in the Account Sas Properties setting. Sentinel-ATT&CK's whitelisting functions read the whitelist files from blob storage through a SAS token, so a token must be configured for the workbook to work. By default the token is set to expire on March 1st 2050 (2050-03-01T00:00:01Z). If that expiry doesn't suit you, change it through the signedExpiry parameter. Bear in mind that a SAS token is a bearer credential: anyone who obtains it can use the storage account with whatever permissions the token grants until it expires, so a shorter expiry (with a plan to rotate the token) is the safer choice where your operational constraints allow it.

  3. Once the deployment is complete, upload the 10 whitelisting files from the lab/files folder into Sentinel-ATT&CK's whitelist blob storage container. To find it, open the storage account list for your subscription and select the storage account named [YOUR_WORKSPACE_ID]blobstore. In the Blob service section of the menu, click Containers; the whitelist container is the one named [YOUR_WORKSPACE_ID]-store. Click it to open the container page, then use the Upload button to upload the whitelisting files.

After uploading the whitelist files your deployment will be complete and you will have a working Sysmon Threat Hunting workbook ready to analyze Sysmon data.
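The upload in step 3 can also be scripted, which is handy when you redeploy or maintain several workspaces. The script below is an added example and is not part of the Sentinel-ATT&CK project. It assumes the Azure CLI (`az`) is installed and logged in, that the signed-in identity holds a Storage Blob Data Contributor role on the storage account (required for `--auth-mode login`), and that the resource names follow the scheme described above ([YOUR_WORKSPACE_ID]blobstore for the storage account and [YOUR_WORKSPACE_ID]-store for the container). It refuses to upload unless the source folder holds exactly the 10 files the page mentions, so a partial checkout is caught before anything reaches the container.

```bash
#!/usr/bin/env bash
# Added example, not part of the Sentinel-ATT&CK project: upload the whitelist
# files to the deployment's whitelist container from the command line.
# Assumptions: `az` is installed and logged in, the signed-in identity has the
# Storage Blob Data Contributor role on the storage account, and the resource
# names follow the page's scheme ([WORKSPACE_ID]blobstore / [WORKSPACE_ID]-store).
set -euo pipefail

EXPECTED_FILE_COUNT=10   # the page says there are 10 whitelisting files

# Storage account created by the deployment for a given workspace ID.
storage_account_name() {
    printf '%s' "${1}blobstore"
}

# Whitelist container inside that storage account.
whitelist_container_name() {
    printf '%s' "${1}-store"
}

# Print the number of regular files in the source directory and fail unless it
# matches EXPECTED_FILE_COUNT, so an incomplete set is caught before upload.
check_whitelist_dir() {
    local dir=$1 count
    count=$(find "$dir" -maxdepth 1 -type f | wc -l | tr -d '[:space:]')
    printf '%s\n' "$count"
    [ "$count" -eq "$EXPECTED_FILE_COUNT" ]
}

# Upload every file in SRC_DIR to the whitelist container, then print how many
# blobs the container now holds so the result can be checked against the count.
upload_whitelist() {
    local workspace_id=$1 src_dir=${2:-lab/files}
    local account container
    account=$(storage_account_name "$workspace_id")
    container=$(whitelist_container_name "$workspace_id")

    if ! check_whitelist_dir "$src_dir" >/dev/null; then
        echo "expected $EXPECTED_FILE_COUNT whitelist files in $src_dir" >&2
        return 1
    fi

    az storage blob upload-batch \
        --account-name "$account" \
        --destination "$container" \
        --source "$src_dir" \
        --auth-mode login

    az storage blob list \
        --account-name "$account" \
        --container-name "$container" \
        --auth-mode login \
        --query 'length(@)' --output tsv
}

# Usage: ./upload-whitelist.sh <WORKSPACE_ID> [SRC_DIR]
if [ -n "${1:-}" ]; then
    upload_whitelist "$@"
fi
```

Run it as `./upload-whitelist.sh <WORKSPACE_ID>` from the root of a Sentinel-ATT&CK checkout; pass a second argument if the whitelist files live somewhere other than lab/files. Using `--auth-mode login` keeps the storage account key and the SAS token out of the shell history, which is the reason to prefer it over `--account-key`.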

At this point you have two options to begin analyzing Sysmon data:

  1. You can spin up Sentinel-ATT&CK's test lab within the same resource group to automatically provision virtual machines pre-configured with Sysmon and Sentinel-ATT&CK's Sysmon configuration file.

  2. If you already have virtual machines deployed in the resource group, you can onboard Sysmon data to your Sentinel instance by following the dedicated Sysmon data onboarding guide.