simplified lab deployment script

Author: netevert

README.md

@@ -6,9 +6,9 @@
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
 [![](https://img.shields.io/badge/2019-DEF%20CON%2027-blueviolet?style=flat-square)](https://2019.cloud-village.org/#talks?olafedoardo)
 <!--
-[![](https://img.shields.io/badge/Azure%20Sentinel%20workbooks%20gallery-grey?style=flat-square&logo=microsoft-azure)](https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SysmonThreatHunting.json)
+[![](https://img.shields.io/badge/Official%20Azure%20Sentinel%20workbook-grey?style=flat-square&logo=microsoft-azure)](https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SysmonThreatHunting.json)
 -->
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FBlueTeamLabs%2Fsentinel-attack%2Fdev%2Fv.1.4.2%2Fazuredeploy.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FBlueTeamLabs%2Fsentinel-attack%2Fmaster%2Fazuredeploy.json)
 
 Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel.
 
@@ -17,7 +17,8 @@ Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capabi
  ![demo](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/demo.gif)
 
 ### Overview
- Sentinel ATT&CK provides the following set of tools: 
+ Sentinel ATT&CK provides the following tools: 
+ - An [ARM template](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/azuredeploy.json) to automatically deploy Sentinel ATT&CK to your Azure environment
  - A [Sysmon configuration file](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/sysmonconfig.xml) compatible with Azure Sentinel and mapped to specific ATT&CK techniques  
  - A [Sysmon log parser](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/parser/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/Cyb3rWard0g/OSSEM) data model
  - 117 ready-to-use Kusto [detection rules](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/detections) covering 156 ATT&CK techniques

lab/main.tf

@@ -7,52 +7,20 @@ provider "azurerm" {
     tenant_id       = var.authentication.tenant_id
 }
 
-# Create dedicated resource group
-resource "azurerm_resource_group" "rg" {
-    name     = "${var.prefix}-rg"
-    location = var.location
-    tags     = var.tags
-}
-
-# Create underlying log analytics workspace for sentinel
-resource "azurerm_log_analytics_workspace" "rgcore-management-la" {
-  name                = "${var.prefix}-la"
-  location            = azurerm_resource_group.rg.location
-  resource_group_name = azurerm_resource_group.rg.name
-  sku                 = "PerGB2018"
-  retention_in_days   = 90
-  depends_on          = [azurerm_resource_group.rg]
-}
-
-# Deploy sentinel
-resource "azurerm_log_analytics_solution" "la-opf-solution-sentinel" {
-  solution_name         = "SecurityInsights"
-  location              = azurerm_resource_group.rg.location
-  resource_group_name   = azurerm_resource_group.rg.name
-  workspace_resource_id = azurerm_log_analytics_workspace.rgcore-management-la.id
-  workspace_name        = azurerm_log_analytics_workspace.rgcore-management-la.name
-  plan {
-    publisher = "Microsoft"
-    product   = "OMSGallery/SecurityInsights"
-  }
-  depends_on            = [azurerm_log_analytics_workspace.rgcore-management-la]
-}
-
 # Create lab virtual network
 resource "azurerm_virtual_network" "vnet" {
     name                = "${var.prefix}-vnet"
     address_space       = ["10.0.0.0/16"]
     location            = var.location
-    resource_group_name = azurerm_resource_group.rg.name
+    resource_group_name = "${var.prefix}"
     tags                = var.tags
-    depends_on          = [azurerm_log_analytics_solution.la-opf-solution-sentinel]
 }
 
 # Create network security group and rules
 resource "azurerm_network_security_group" "nsg" {
     name                = "${var.prefix}-nsg"
     location            = var.location
-    resource_group_name = azurerm_resource_group.rg.name
+    resource_group_name = "${var.prefix}"
     tags                = var.tags
     depends_on          = [azurerm_virtual_network.vnet]
 
@@ -132,7 +100,7 @@ resource "azurerm_network_security_group" "nsg" {
 # Create lab subnet
 resource "azurerm_subnet" "subnet" {
     name                        = "${var.prefix}-subnet"
-    resource_group_name         = azurerm_resource_group.rg.name
+    resource_group_name         = "${var.prefix}"
     virtual_network_name        = azurerm_virtual_network.vnet.name
     address_prefix              = "10.0.1.0/24"
     network_security_group_id   = azurerm_network_security_group.nsg.id
@@ -142,8 +110,8 @@ resource "azurerm_subnet" "subnet" {
 # Create storage account
 resource "azurerm_storage_account" "storageaccount" {
   name                     = "${var.prefix}sablobstrg01"
-  resource_group_name      = azurerm_resource_group.rg.name
-  location                 = azurerm_resource_group.rg.location
+  resource_group_name      = "${var.prefix}"
+  location                 = var.location
   account_tier             = "Standard"
   account_replication_type = "GRS"
   depends_on               = [azurerm_subnet.subnet]
@@ -177,130 +145,21 @@ resource "azurerm_storage_blob" "adblob" {
   source                 =  "./files/create-ad.ps1"
 }
 
-# Create blob storage container for whitelisting files
-resource "azurerm_storage_container" "whiteliststorage" {
-  name                  = "${var.prefix}-store2"
-  storage_account_name  = azurerm_storage_account.storageaccount.name
-  container_access_type = "private"
-  depends_on            = [azurerm_storage_blob.adblob]
-}
-
-# Create storage blob for process create whitelist file
-resource "azurerm_storage_blob" "pcwhitelist" {
-  depends_on             = [azurerm_storage_container.whiteliststorage]
-  name                   = "process_create_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/process_create_whitelist.csv"
-}
-
-# Create storage blob for dns whitelist file
-resource "azurerm_storage_blob" "dnswhitelist" {
-  depends_on             = [azurerm_storage_blob.pcwhitelist]
-  name                   = "dns_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/dns_whitelist.csv"
-}
-
-# Create storage blob for file access whitelist file
-resource "azurerm_storage_blob" "fawhitelist" {
-  depends_on             = [azurerm_storage_blob.dnswhitelist]
-  name                   = "file_access_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/file_access_whitelist.csv"
-}
-
-# Create storage blob for file create whitelist file
-resource "azurerm_storage_blob" "fcwhitelist" {
-  depends_on             = [azurerm_storage_blob.fawhitelist]
-  name                   = "file_create_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/file_create_whitelist.csv"
-}
-
-
-# Create storage blob for image load whitelist file
-resource "azurerm_storage_blob" "ilwhitelist" {
-  depends_on             = [azurerm_storage_blob.fcwhitelist]
-  name                   = "image_load_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/image_load_whitelist.csv"
-}
-
-# Create storage blob for network whitelist file
-resource "azurerm_storage_blob" "netwhitelist" {
-  depends_on             = [azurerm_storage_blob.ilwhitelist]
-  name                   = "network_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/network_whitelist.csv"
-}
-
-# Create storage blob for pipe whitelist file
-resource "azurerm_storage_blob" "pipewhitelist" {
-  depends_on             = [azurerm_storage_blob.netwhitelist]
-  name                   = "pipe_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/pipe_whitelist.csv"
-}
-
-# Create storage blob for process access whitelist file
-resource "azurerm_storage_blob" "pawhitelist" {
-  depends_on             = [azurerm_storage_blob.pipewhitelist]
-  name                   = "process_access_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/process_access_whitelist.csv"
-}
-
-# Create storage blob for registry whitelist file
-resource "azurerm_storage_blob" "regwhitelist" {
-  depends_on             = [azurerm_storage_blob.pawhitelist]
-  name                   = "registry_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/registry_whitelist.csv"
-}
-
-# Create storage blob for remote thread whitelist file
-resource "azurerm_storage_blob" "rtwhitelist" {
-  depends_on             = [azurerm_storage_blob.pawhitelist]
-  name                   = "remote_thread_whitelist.csv"
-  storage_account_name   = azurerm_storage_account.storageaccount.name
-  storage_container_name = azurerm_storage_container.whiteliststorage.name
-  type                   = "block"
-  source                 =  "./files/remote_thread_whitelist.csv"
-}
-
 # Create public ip for domain controller 1
 resource "azurerm_public_ip" "dc1_publicip" {
     name                         = "${var.workstations.dc1}-external"
     location                     = var.location
-    resource_group_name          = azurerm_resource_group.rg.name
+    resource_group_name          = "${var.prefix}"
     allocation_method            = "Dynamic"
     tags                         = var.tags
-    depends_on                   = [azurerm_storage_blob.rtwhitelist]
+    depends_on                   = [azurerm_storage_blob.adblob]
 }
 
 # Create network interface for domain controller 1
 resource "azurerm_network_interface" "dc1_nic" {
     name                      = "${var.workstations.dc1}-primary"
     location                  = var.location
-    resource_group_name       = azurerm_resource_group.rg.name
+    resource_group_name       = "${var.prefix}"
     network_security_group_id = azurerm_network_security_group.nsg.id
     tags                      = var.tags
 
@@ -317,7 +176,7 @@ resource "azurerm_network_interface" "dc1_nic" {
 resource "azurerm_virtual_machine" "dc1" {
   name                          = var.workstations.dc1
   location                      = var.location
-  resource_group_name           = azurerm_resource_group.rg.name
+  resource_group_name           = "${var.prefix}"
   network_interface_ids         = ["${azurerm_network_interface.dc1_nic.id}"]
   vm_size                       = var.workstations.vm_size
   tags                          = var.tags
@@ -364,7 +223,7 @@ resource "azurerm_virtual_machine" "dc1" {
 resource "azurerm_virtual_machine_extension" "create_ad" {
   name                 = "create_ad"
   location             = var.location
-  resource_group_name  = azurerm_resource_group.rg.name
+  resource_group_name  = "${var.prefix}"
   virtual_machine_name = azurerm_virtual_machine.dc1.name
   publisher            = "Microsoft.Compute"
   type                 = "CustomScriptExtension"
@@ -383,7 +242,7 @@ SETTINGS
 resource "azurerm_public_ip" "pc1_publicip" {
   name                         = "${var.workstations.pc1}-external"
   location                     = var.location
-  resource_group_name          = azurerm_resource_group.rg.name
+  resource_group_name          = "${var.prefix}"
   allocation_method            = "Dynamic"
   tags                         = var.tags
   depends_on                   = [azurerm_virtual_machine_extension.create_ad]
@@ -393,7 +252,7 @@ resource "azurerm_public_ip" "pc1_publicip" {
 resource "azurerm_network_interface" "pc1_nic" {
   name                      = "${var.workstations.pc1}-primary"
   location                  = var.location
-  resource_group_name       = azurerm_resource_group.rg.name
+  resource_group_name       = "${var.prefix}"
   network_security_group_id = azurerm_network_security_group.nsg.id
   tags                      = var.tags#
   ip_configuration {
@@ -409,7 +268,7 @@ resource "azurerm_network_interface" "pc1_nic" {
 resource "azurerm_virtual_machine" "pc1" {
   name                  = var.workstations.pc1
   location              = var.location
-  resource_group_name   = azurerm_resource_group.rg.name
+  resource_group_name   = "${var.prefix}"
   network_interface_ids = ["${azurerm_network_interface.pc1_nic.id}"]
   vm_size               = var.workstations.vm_size
   tags                  = var.tags
@@ -456,7 +315,7 @@ resource "azurerm_virtual_machine" "pc1" {
 resource "azurerm_virtual_machine_extension" "utils_pc1" {
   name                 = "utils_pc1"
   location             = var.location
-  resource_group_name  = azurerm_resource_group.rg.name
+  resource_group_name  = "${var.prefix}"
   virtual_machine_name = azurerm_virtual_machine.pc1.name
   publisher            = "Microsoft.Compute"
   type                 = "CustomScriptExtension"

lab/variables.tfvars.txt

@@ -6,7 +6,7 @@ authentication = {
 }
 
 location                      = ""  # eg. westus
-prefix                        = ""  # eg. azure-sentinel-lab
+prefix                        = ""  # eg. azure-sentinel-lab; NOTE: ensure this is identical to the resource group within which Sentinel-ATT&CK has been deployed
 
 tags =  {
     environment = ""                # eg. dev, testing, staging