
Most of the time when we think about the basics of a detection research lab, it is an environment with Windows endpoints, audit policies configured, a log shipper, a server to centralize security event logs and an interface to query, filter and visualize the data collected.

Recently, I started working with Azure Sentinel and even though there are several sources of data and platforms one could integrate it with, I wanted to learn and document how I could deploy an Azure Sentinel with a Windows lab environment in Azure for research purposes.

In this post, I show how to integrate an ARM template created in the previous post to deploy an Azure Sentinel solution with other templates to deploy a basic Windows network lab. The goal is to expedite the time it takes to get everything set up and ready-to-go before simulating a few adversary techniques. …



Ever since I joined the Microsoft Threat Intelligence Center (MSTIC) R&D team, I have been learning about Azure Resource Manager (ARM) templates to deploy several detection research environments as code. It has been a great journey learning about the syntax and format, and even though some might not like writing templates in JSON format to deploy resources in Azure, I actually like it 😆! However, it is sometimes a little hard for me to teach or walk someone through the templates I write because of the JSON format.

Recently, I heard about a new project from Microsoft Azure named Bicep, and even though it is still in early development stages (alpha), it looks promising. It provides a cleaner syntax and better support for modularity. Therefore, I decided to write a short post sharing some of the steps I took to translate an ARM template to its Bicep format to learn more about it. …



On April 21st, 2020, the ATT&CK evals team released the results of their APT29 evaluation, the emulation plan, all payloads used for Day 1 and Day 2, and a Do-It-Yourself Caldera plugin. On the same day 😆, I decided to organize a detection hackathon and used the official emulation plan to generate the data we would use to develop detection rules.

All that data was eventually uploaded to the Mordor project and it was the first time that I was sharing packet capture (PCAP) files along with endpoint logs for a large dataset such as the APT29 scenario.

After releasing all that data, I was asked by a good friend of mine, Jason Trost, if I had considered re-playing those PCAP files against Suricata with the open Emerging Threats rules. …
