Edoardo Gerosa edited this page Jun 11, 2020 · 25 revisions

Welcome to the sentinel-attack wiki

This wiki is designed to walk you through setting up Sentinel-ATT&CK in your Azure environment. It's meant to be a lightweight step-by-step guide.

Getting started

To set up Sentinel ATT&CK on Azure the following steps must be performed:

  1. Quickly spin up a test lab on Azure Sentinel (optional but recommended)
  2. Deploy Sentinel and onboard Sysmon data
  3. Upload selected Kusto queries into Sentinel analytics (Optional)
  4. Deploy the Sysmon threat hunting workbook (Optional)

Costs

The monthly cost of running the Sentinel-ATT&CK test lab, assuming the instructions in this wiki are followed and the virtual machines are never stopped, averages around $125 per month. The bulk of that cost comes from the virtual machines and their storage. Costs can be reduced further by destroying the lab every time you log out of Azure and re-deploying it on the next login.
