Sentinel ATT&CK test lab

Edoardo Gerosa edited this page Feb 4, 2021 · 14 revisions

Within the lab folder a terraform script is provided to automate the deployment of a testing lab.

Please note: the terraform script deploys a highly insecure test environment. It is not meant to be used in production and the environment should be destroyed immediately after use.

The terraform script provisions:

  • An Azure Sentinel instance
  • A Windows 10 virtual machine (PC1)
  • A Windows Server 2012 Active Directory domain controller (DC1)
  • Post-deployment scripts to install and configure Sysmon on PC1
  • Post-deployment scripts to install and configure Active Directory plus Sysmon on DC1

Set-up

  1. Install/configure/authenticate Terraform following these Microsoft docs.

  2. Create a variables.tfvars file in the lab directory, using the variables.tfvars.txt file as a template and making sure to complete all fields.

    The variables.tfvars file is the heart of the terraform playbook. It is ignored by Git, ensuring that all sensitive information remains stored on your device, and it lets you:

    • Specify Azure authentication credentials
    • Define the target resource group, Active Directory domain name and provisioning location (e.g. west us)
    • Define workstation and DC server account credentials
    • Define workstation and DC server names, VM sizes and image configurations

    Take care to ensure that the resource_group_name value used in the variables.tfvars file is identical to the name of the target resource group within which you have deployed Sentinel-ATT&CK; otherwise you won't be able to connect the lab's virtual machines to your Sentinel-ATT&CK instance.

  3. Open your favourite terminal and change directory (cd) into the lab folder.

  4. Run the following command:

    terraform init

  5. Run the following command:

    terraform apply --var-file="variables.tfvars"

  6. The lab can be destroyed at any moment by running the following command:

    terraform destroy --var-file="variables.tfvars"
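
The steps above can be wrapped in a short pre-flight script that guards the one mistake the set-up notes call out: a resource_group_name in variables.tfvars that does not match the resource group holding Sentinel-ATT&CK. The script below is an added example, not part of the Sentinel-ATT&CK repository; it assumes the tfvars file uses the usual `key = "value"` form, and the sample file contents used in the comments are constructed.

```bash
#!/usr/bin/env sh
# Added example (not the project's own code): pre-flight check for the lab
# deployment. It reads resource_group_name from variables.tfvars, compares it
# with the resource group that already holds the Sentinel-ATT&CK workspace,
# and only then runs terraform init / apply with that var file.

# Extract the value of a top-level string variable from a .tfvars file.
# Handles optional whitespace around "=", double quotes and trailing comments,
# e.g.   resource_group_name = "sentinel-attack-rg"   # lab RG
# Usage: tfvars_get <file> <key>
tfvars_get() {
    file="$1"; key="$2"
    sed -n \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        "$file" | head -n 1
}

# Compare the tfvars resource group with the one Sentinel-ATT&CK is deployed in.
# Returns 0 when they match, 1 (with a message on stderr) otherwise.
# Usage: check_resource_group <tfvars-file> <sentinel-resource-group>
check_resource_group() {
    got=$(tfvars_get "$1" resource_group_name)
    if [ -z "$got" ]; then
        echo "resource_group_name is not set in $1" >&2
        return 1
    fi
    if [ "$got" != "$2" ]; then
        echo "resource_group_name is '$got' but Sentinel-ATT&CK lives in '$2'" >&2
        return 1
    fi
    return 0
}

# Run the deployment only if the pre-flight check passes (steps 4 and 5).
# Usage: deploy_lab <tfvars-file> <sentinel-resource-group>
deploy_lab() {
    check_resource_group "$1" "$2" || return 1
    terraform init && terraform apply -var-file="$1"
}

# Tear the lab down again (step 6); the environment is deliberately insecure.
# Usage: destroy_lab <tfvars-file>
destroy_lab() {
    terraform destroy -var-file="$1"
}
```

Source the file from the lab directory and call `deploy_lab variables.tfvars <your-sentinel-resource-group>`; the apply step never starts if the names differ, which is cheaper than discovering the mismatch after the VMs exist and fail to connect to the workspace.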

As a next step you should onboard Sysmon data into Sentinel.