v0.6.0 — Documentation depth

@ibondarenko1 ibondarenko1 released this 23 May 19:02

A comprehensive documentation layer has been added. The repo now answers three questions: how do I use it, what does it catch, and what is the design rationale.

Walkthroughs

5 end-to-end deployment guides under docs/walkthroughs/:

  • Deploy Microsoft Sentinel on a fresh subscription
  • Harden Defender for Office 365 baseline
  • Deploy MTA-STS + TLS-RPT via Cloudflare
  • Deploy baseline Conditional Access policies (report-only → enforce)
  • Defender for Cloud tuning (Free vs Standard tier matching)

Each is an operator-runnable, copy-paste command sequence with a framework-alignment summary.

Threat model

docs/THREAT-MODEL.md is an honest statement of scope:

  • Per-domain enumeration of what the toolkit catches
  • Explicit non-coverage (active threats, out-of-scope domains)
  • Trust boundaries
  • Attacker-subversion paths and mitigations

FAQ

docs/FAQ.md covers 20+ operator questions:

  • General toolkit positioning + competitor comparison
  • Running the toolkit (auth issues, missing modules, cross-platform)
  • Remediation artifact safety
  • Findings + reports (count drift between versions, custom checks)
  • Framework alignment usage with GRC platforms

Architecture Decision Records

docs/adr/ documents 6 significant design choices:

  1. Schema-first finding emission (versioned finding contract)
  2. Mock mode via fixture replay (adoption-barrier mitigation)
  3. PowerShell as primary language
  4. Out-of-scope domain boundaries (concentration over breadth)
  5. Framework anchors over operational specifics
  6. Severity rubric (P1/P2/P3 with deadlines, why not CVSS)

Each ADR follows the standard template: context, decision, consequences, alternatives considered.

Test coverage

114 Pester tests still passing. End-to-end mock run still produces 58 findings.

Next: v1.0 (public release)

Generate-Report polish (severity histogram, MITRE coverage map, diff mode), repo visibility flip, launch blog post, distribution channels.