mariocuomo/Use-Cases-Mapper
Use Cases Mapper - Sentinel workbook & watchlists

Intro

This Sentinel workbook and its complementary resources (watchlists) map common Use Cases to the MITRE ATT&CK framework, i.e. to the tactics and techniques listed there. This gives you a quick overview of which analysis options available in Sentinel (e.g. Analytics Rules and Hunting Queries) cover each of these Use Cases.

The identified Use Cases in this context are:

  • Credential Exploitation
  • Lateral Movement
  • Rapid Encryption
  • Command and Control Communication
  • Insider Risk
  • Anomalous Privilege Escalation
  • Third-Party Abuses
  • Overexposure
  • Data Exfiltration
  • Mobile Data Security
  • Communication Abuse
  • Web Application Abuse

⚠️ This list can change over time, as attack and defense strategies and techniques are constantly changing as well.

So that you can tailor this information to your own environment, the results can also be narrowed down to selected Data Sources (Content Hub solutions).


How to use

Results are produced by selecting the relevant Use Cases and the corresponding Data Sources; the workbook provides selection controls for both (see the screenshots below 👇).

The expected results:

  • Analytics Rules (+ graphical representation of the results in the form of 2 pie charts)
  • Hunting Queries (+ graphical representation of the results in the form of 2 pie charts)
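The selection logic described above, i.e. the join between a "Use Case to ATT&CK" watchlist and the content shipped by the chosen Data Sources, is shown here as an added Python example. It is not the workbook's own code or the repository's watchlist data: the technique IDs are real ATT&CK identifiers, but their assignment to Use Cases, the content item names and the data source labels are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of the "Use Case -> ATT&CK" watchlist. The technique
# IDs are real ATT&CK identifiers; assigning them to these Use Cases is an
# assumption made for this example, not the repository's own mapping.
USE_CASE_MAP = {
    "Credential Exploitation": [("Credential Access", "T1110"), ("Credential Access", "T1003")],
    "Lateral Movement": [("Lateral Movement", "T1021"), ("Lateral Movement", "T1570")],
    "Rapid Encryption": [("Impact", "T1486")],
    "Command and Control Communication": [("Command and Control", "T1071"), ("Command and Control", "T1573")],
    "Data Exfiltration": [("Exfiltration", "T1041"), ("Exfiltration", "T1048")],
}

# Technique -> tactic lookup derived from the watchlist above.
TACTIC_OF = {tech: tactic for pairs in USE_CASE_MAP.values() for tactic, tech in pairs}


@dataclass(frozen=True)
class ContentItem:
    """One Analytics Rule or Hunting Query as shipped by a Content Hub solution."""
    name: str
    kind: str               # "Analytics Rule" or "Hunting Query"
    techniques: frozenset   # ATT&CK techniques the item is tagged with
    data_source: str        # Content Hub solution (Data Source) that ships it


# Constructed sample content; names and data source labels are invented.
CONTENT = [
    ContentItem("Brute force against Entra ID sign-in", "Analytics Rule", frozenset({"T1110"}), "Microsoft Entra ID"),
    ContentItem("Failed logons followed by success", "Analytics Rule", frozenset({"T1110"}), "Windows Security Events"),
    ContentItem("Service created on a remote host", "Hunting Query", frozenset({"T1021"}), "Windows Security Events"),
    ContentItem("Mass file rename with ransomware extension", "Analytics Rule", frozenset({"T1486"}), "Windows Security Events"),
    ContentItem("Beaconing to a rare external domain", "Hunting Query", frozenset({"T1071", "T1573"}), "Azure Firewall"),
    ContentItem("Large outbound transfer to cloud storage", "Analytics Rule", frozenset({"T1048"}), "Azure Firewall"),
    ContentItem("Script interpreter download cradle", "Hunting Query", frozenset({"T1059"}), "Windows Security Events"),
]


def techniques_for(use_cases):
    """Resolve the selected Use Cases to the set of ATT&CK techniques they cover.

    An unknown Use Case name is an error rather than a silent empty result,
    so a typo in the selection cannot be mistaken for "no matching content".
    """
    unknown = set(use_cases) - set(USE_CASE_MAP)
    if unknown:
        raise ValueError(f"unknown use case(s): {sorted(unknown)}")
    return {tech for uc in use_cases for _, tech in USE_CASE_MAP[uc]}


def map_use_cases(use_cases, data_sources, content=CONTENT):
    """Return the content matching the selection plus per-tactic / per-source counts.

    An item matches when it comes from a selected Data Source AND is tagged
    with at least one technique of a selected Use Case. The two Counters are
    the kind of aggregation a pie chart of the results would be built from.
    """
    wanted = techniques_for(use_cases)
    matched = [c for c in content if c.data_source in data_sources and c.techniques & wanted]
    by_tactic = Counter()
    by_source = Counter()
    for item in matched:
        # Count each item once per tactic it contributes to, considering only
        # the techniques that were actually selected.
        for tactic in {TACTIC_OF[t] for t in item.techniques & wanted}:
            by_tactic[tactic] += 1
        by_source[item.data_source] += 1
    return {
        "analytics_rules": [c.name for c in matched if c.kind == "Analytics Rule"],
        "hunting_queries": [c.name for c in matched if c.kind == "Hunting Query"],
        "by_tactic": dict(by_tactic),
        "by_data_source": dict(by_source),
    }


if __name__ == "__main__":
    result = map_use_cases({"Credential Exploitation", "Rapid Encryption"}, {"Windows Security Events"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Note that an item is only excluded, never partially counted: the "Script interpreter download cradle" query from the sample is left out because T1059 belongs to none of the selected Use Cases, and the Entra ID rule is left out when its Data Source is not selected even though its technique matches.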

The structure

At the top of the workbook you will find a brief description of how to use it, followed by the associated resources. Below that come the selection controls (as described above ☝️ under How to use).


How to deploy

Below you can find a button that starts the deployment (an Azure custom deployment).

The information required for the deployment is:

  • a Subscription (selected from a dropdown; the available choices depend on the tenant you are logged in to)
  • a Resource Group (select the resource group in which the Sentinel workspace is deployed)
  • a Region
  • a Workspace Name

Deploy to Azure

⚠️ After deployment, it may take a few minutes (10-15 min) until the values from the watchlists are available in the workbook.



Created by: Mario Cuomo, Thomas Bruendl and Nikolay Salnikov
