Anujdev67/Azure-Sentinel-SOC-Security-Portfolio
GitHub: Anujdev67/Azure-Sentinel-SOC-Security-Portfolio
A production-grade SOC security repository for Azure Sentinel, providing KQL queries, detection rules, automation scripts and SC-200 certification study material.
Stars: 9 | Forks: 1
# 🛡️ Azure Sentinel & SOC Security Portfolio
A comprehensive, production-ready security portfolio built for **SOC Analysts**, **Threat Hunters** and **Cloud Security Engineers**. Well suited to preparing for the **SC-200** and **Azure Security** certifications.
## 🎯 Quick Links
- 📖 [KQL Hunting Queries](#kql-hunting-queries) - 20+ production-ready queries
- 🎯 [Detection Engineering](#detection-engineering) - Custom alert rules
- 🤖 [Automation Scripts](#automation-scripts) - Python security tooling
- 🏗️ [Azure Infrastructure](#azure-infrastructure) - Terraform templates
- 📚 [SC-200 Study Guide](#sc-200-certification-guide) - Exam preparation material
- 🚨 [Incident Response](#incident-response-playbooks) - Real-world playbooks
## 📚 Table of Contents
- [Overview](#overview)
- [Features](#features)
- [Repository Structure](#repository-structure)
- [KQL Hunting Queries](#kql-hunting-queries)
- [Detection Engineering](#detection-engineering)
- [Automation Scripts](#automation-scripts)
- [Azure Security Infrastructure](#azure-security-infrastructure)
- [Getting Started](#getting-started)
- [SC-200 Certification Guide](#sc-200-certification-guide)
- [Incident Response Playbooks](#incident-response-playbooks)
- [Case Studies](#case-studies)
- [Contributing](#contributing)
- [License](#license)
## 🎯 Overview
This repository contains **production-ready security detection rules, threat hunting queries, automation scripts and infrastructure-as-code** for:
- ✅ **Azure Sentinel** - SIEM threat detection and hunting
- ✅ **Microsoft Defender XDR** - Advanced threat protection
- ✅ **Incident Response** - Automated response workflows
- ✅ **Threat Hunting** - Proactive threat discovery
- ✅ **Detection Engineering** - Custom detection rules
- ✅ **Azure Security** - Infrastructure hardening
- ✅ **Compliance** - CIS Benchmarks, regulatory requirements
- ✅ **SC-200 Exam Preparation** - Certification study material
**Who it is for**: SOC Analysts, Threat Hunters, Security Operations Engineers, Cloud Security Engineers and SIEM administrators.
## ⭐ Features
- ✅ **Production-ready** - Tested in real SOC environments
- ✅ **Well documented** - Detailed guides and examples
- ✅ **Mapped to MITRE ATT&CK** - Aligned with the threat framework
- ✅ **Compliance-focused** - CIS, SOC 2 and Azure security standards
- ✅ **Certification prep** - SC-200 and Azure Security exam preparation
- ✅ **Community-driven** - Contributions welcome
- ✅ **GitHub Actions** - Automated testing and validation
- ✅ **Shareable on LinkedIn** - Professional portfolio quality
## 📁 Repository Structure
```
Azure-Sentinel-SOC-Security-Portfolio/
│
├── 📂 kql-queries/ # KQL Hunting Queries (20+)
│ ├── threat-hunting/
│ │ ├── command_line_exploitation.kql
│ │ ├── lateral_movement_detection.kql
│ │ ├── privilege_escalation.kql
│ │ ├── data_exfiltration.kql
│ │ ├── reconnaissance_patterns.kql
│ │ └── README.md
│ ├── incident-response/
│ │ ├── user_account_investigation.kql
│ │ ├── account_timeline.kql
│ │ ├── evidence_collection.kql
│ │ └── threat_actor_profiling.kql
│ ├── detection-rules/
│ │ ├── mitre_attck_mapping.kql
│ │ ├── anomalous_authentication.kql
│ │ ├── network_exploitation.kql
│ │ └── persistence_techniques.kql
│ └── README.md
│
├── 📂 detection-engineering/ # Detection Rules & Configurations
│ ├── alert-rules/
│ │ ├── critical_alerts.json
│ │ ├── high_priority_alerts.json
│ │ └── incident_rules.yaml
│ ├── detection-templates/
│ │ ├── rule_template.json
│ │ └── validation_schema.json
│ └── README.md
│
├── 📂 automation-scripts/ # Python Automation
│ ├── incident-response/
│ │ ├── ir_automation.py
│ │ ├── evidence_collector.py
│ │ └── timeline_builder.py
│ ├── log-analysis/
│ │ ├── sentinel_log_parser.py
│ │ ├── threat_enrichment.py
│ │ └── anomaly_detector.py
│ ├── compliance/
│ │ ├── cis_scanner.py
│ │ └── compliance_reporter.py
│ ├── requirements.txt
│ └── README.md
│
├── 📂 azure-infrastructure/ # Terraform & Azure Policy
│ ├── terraform/
│ │ ├── main.tf
│ │ ├── network_security.tf
│ │ ├── rbac_policies.tf
│ │ ├── sentinel_setup.tf
│ │ └── variables.tf
│ ├── azure-policies/
│ │ ├── cis_benchmarks.json
│ │ ├── compliance_policies.json
│ │ └── security_policies.json
│ └── README.md
│
├── 📂 incident-response-playbooks/ # IR Workflows
│ ├── ransomware_investigation.md
│ ├── lateral_movement_response.md
│ ├── data_breach_playbook.md
│ ├── insider_threat_response.md
│ └── playbook_template.md
│
├── 📂 sc200-certification/ # Exam Preparation
│ ├── study-guide.md
│ ├── sentinel-configuration.md
│ ├── defender-xdr-guide.md
│ ├── azure-security-best-practices.md
│ ├── exam-checklist.md
│ └── resources.md
│
├── 📂 case-studies/ # Real-World Scenarios
│ ├── ransomware_case_study.md
│ ├── apt_investigation.md
│ ├── insider_threat_case.md
│ └── breach_timeline.md
│
├── 📂 documentation/ # Architecture & Guides
│ ├── architecture.md
│ ├── setup-guide.md
│ ├── best-practices.md
│ ├── query-documentation.md
│ └── troubleshooting.md
│
├── 📂 .github/
│ ├── workflows/
│ │ ├── kql-validation.yml
│ │ └── security-scan.yml
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.md
│ │ └── query_request.md
│ └── pull_request_template.md
│
├── LICENSE
├── CONTRIBUTING.md
└── .gitignore
```
## 🔍 KQL Hunting Queries
Contains **20+ production-ready Kusto Query Language (KQL) queries** for threat hunting and incident investigation.
### Query Categories
#### 1️⃣ **Threat Hunting**
- Command-line exploitation patterns
- Lateral movement detection
- Privilege escalation techniques
- Data exfiltration indicators
- Reconnaissance activity
#### 2️⃣ **Detection Rules**
- MITRE ATT&CK-mapped queries
- Anomalous authentication patterns
- Network exploitation attempts
- Persistence mechanism detection
#### 3️⃣ **Incident Response**
- User account investigation
- Account timeline reconstruction
- Evidence collection queries
- Threat actor profiling
### Example: Detecting Lateral Movement via Administrative Shares
```
// Detects attempts to access the administrative shares (C$, ADMIN$),
// a common indicator of lateral movement in the network.
// EventID 4688 = process creation (inspect the command line);
// EventID 5140 = network share object accessed (inspect the share name).
SecurityEvent
| where EventID in (4688, 5140)
| where (EventID == 4688 and Process has_any ("net.exe", "cmd.exe")
         and CommandLine matches regex @"(?i)\\\\[^\\\s]+\\(admin\$|c\$)")
     or (EventID == 5140 and ShareName in~ (@"\\*\ADMIN$", @"\\*\C$"))
// Account is DOMAIN\user; keep only the user part
| extend AccountName = tostring(split(Account, @"\")[1])
| summarize AccessCount = count(),
            FirstAccess = min(TimeGenerated),
            LastAccess = max(TimeGenerated)
    by AccountName, Computer, EventID, Process, CommandLine, ShareName
| where AccessCount > 2
| sort by AccessCount desc
```
[📖 Full KQL query documentation](kql-queries/README.md)
## 🎯 Detection Engineering
Custom detection rules and alert configurations aligned with:
- ✅ MITRE ATT&CK Framework
- ✅ CIS Benchmarks
- ✅ Microsoft security best practices
- ✅ Real-world threat patterns
### Alert Rule Example
```
{
  "name": "High Severity Authentication Failure",
  "description": "Detects multiple failed authentication attempts",
  "severity": "High",
  "mitre_attck": ["T1110.001"],
  "query": "SecurityEvent | where EventID == 4625 | summarize count() by Account",
  "threshold": 5,
  "time_window_minutes": 5
}
```
[📖 Detection Engineering guide](detection-engineering/README.md)
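As an added example (not code from the repository), the following Python loads a rule in the format shown above, validates its fields, and maps it onto the properties of a Sentinel scheduled analytics rule. The property names are assumed from the Sentinel REST API; the one practical caveat it encodes is that Sentinel's trigger threshold counts result rows, not failures per account, so the per-account threshold has to live inside the query.

```python
import json
import re

# Constructed copy of the alert rule shown above, in the repository's own rule format.
SAMPLE_RULE = json.loads("""{
  "name": "High Severity Authentication Failure",
  "description": "Detects multiple failed authentication attempts",
  "severity": "High",
  "mitre_attck": ["T1110.001"],
  "query": "SecurityEvent | where EventID == 4625 | summarize count() by Account",
  "threshold": 5,
  "time_window_minutes": 5
}""")
SEVERITIES = {"Informational", "Low", "Medium", "High"}
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")          # T1110 or T1110.001
REQUIRED = ("name", "description", "severity", "mitre_attck",
            "query", "threshold", "time_window_minutes")

def validate_rule(rule: dict) -> list:
    """Return the problems found; an empty list means the rule passes."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in rule]
    if rule.get("severity") not in SEVERITIES:
        problems.append("severity must be Informational, Low, Medium or High")
    problems += [f"malformed ATT&CK id: {t}" for t in rule.get("mitre_attck", [])
                 if not TECHNIQUE_RE.match(str(t))]
    for key in ("threshold", "time_window_minutes"):
        if not isinstance(rule.get(key), int) or rule[key] < 1:
            problems.append(f"{key} must be a positive integer")
    if "summarize count() by" not in rule.get("query", ""):
        problems.append("query must end with 'summarize count() by <entity>'")
    return problems

def to_scheduled_rule(rule: dict) -> dict:
    """Map the rule onto Sentinel scheduled-rule properties (property names assumed).
    The portfolio threshold is per account, but Sentinel's triggerThreshold counts result
    rows, so the threshold is pushed into the query (KQL names an unnamed count() column
    'count_') and the rule fires as soon as any row comes back."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    window = f"PT{rule['time_window_minutes']}M"             # ISO 8601 duration
    return {
        "displayName": rule["name"],
        "severity": rule["severity"],
        "query": f"{rule['query']} | where count_ >= {rule['threshold']}",
        "queryFrequency": window,   # how often the rule runs
        "queryPeriod": window,      # how far back each run looks
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "techniques": rule["mitre_attck"],
    }
```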
## 🤖 Automation Scripts
**Python scripts** for:
- Incident response automation
- Log analysis and enrichment
- Threat indicator processing
- Compliance scanning
- Azure Sentinel API integration
### Example: Retrieving High-Severity Alerts
```
import os
from datetime import timedelta
from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient, LogsQueryStatus

# Log Analytics workspace ID (a GUID) of the Sentinel workspace
workspace_id = os.environ["SENTINEL_WORKSPACE_ID"]

credential = DefaultAzureCredential()
client = LogsQueryClient(credential)

query = """
SecurityAlert
| where AlertSeverity == "High"
| where TimeGenerated > ago(7d)
| summarize AlertCount = count() by AlertName, SourceComputerID
| sort by AlertCount desc
"""

# timespan is a required argument and bounds the query alongside the ago(7d) filter
response = client.query_workspace(workspace_id, query, timespan=timedelta(days=7))
if response.status == LogsQueryStatus.PARTIAL:
    # the service returned some rows but also an error; keep what came back
    print(f"Warning: partial results - {response.partial_error}")
    tables = response.partial_data
else:
    tables = response.tables

for row in tables[0].rows:
    # index rows by column name so the output does not depend on column order
    print(f"Alert: {row['AlertName']}, Host: {row['SourceComputerID']}, Count: {row['AlertCount']}")
```
[📖 Automation scripts guide](automation-scripts/README.md)
## 🏗️ Azure Security Infrastructure
**Terraform templates** for building secure Azure infrastructure:
- Network isolation
- RBAC configuration
- Sentinel deployment
- Defender setup
- Compliance enforcement
### Example: Deploying a Sentinel Workspace
```
# Log Analytics workspace that backs Microsoft Sentinel
resource "azurerm_log_analytics_workspace" "sentinel" {
  name                = "soc-sentinel-workspace"
  location            = var.location
  resource_group_name = azurerm_resource_group.security.name
  sku                 = "PerGB2018"
  retention_in_days   = 90

  tags = {
    Environment = "Production"
    Purpose     = "Security Operations"
  }
}

# Enable Sentinel on the workspace
resource "azurerm_sentinel_log_analytics_workspace_onboarding" "example" {
  resource_group_name = azurerm_resource_group.security.name
  workspace_name      = azurerm_log_analytics_workspace.sentinel.name
}
```
[📖 Infrastructure guide](azure-infrastructure/README.md)
## 🚀 Getting Started
### Prerequisites
- ✅ Azure subscription with Sentinel enabled
- ✅ PowerShell or Azure CLI
- ✅ Python 3.9+
- ✅ Terraform (for the infrastructure)
- ✅ Git
### Quick Setup
```
# Clone the repository
git clone https://github.com/Anujdev67/Azure-Sentinel-SOC-Security-Portfolio.git
cd Azure-Sentinel-SOC-Security-Portfolio
# Install the Python dependencies
pip install -r automation-scripts/requirements.txt
# Deploy the infrastructure (optional)
cd azure-infrastructure/terraform
terraform init
terraform plan
terraform apply
```
[📖 Full setup guide](documentation/setup-guide.md)
## 📚 SC-200 Certification Guide
Complete study material for **Microsoft SC-200: Security Operations Analyst**:
- ✅ Sentinel configuration and management
- ✅ Defender XDR threat hunting
- ✅ Azure security architecture
- ✅ Incident investigation workflows
- ✅ SIEM deployment best practices
- ✅ Exam preparation checklist
- ✅ Practice exam questions
- ✅ Resource links
### Exam Topics Covered
1. **Mitigate threats using Microsoft Sentinel** (40-50%)
2. **Manage SIEM and XDR security operations** (50-60%)
   - Deploy and configure Sentinel
   - Hunting and investigation
   - Threat analysis
[📖 SC-200 study guide](sc200-certification/study-guide.md)
## 🚨 Incident Response Playbooks
Real-world playbooks for the following scenarios:
- 🔴 **Ransomware investigation** - Detection, containment, recovery
- 🟡 **Lateral movement response** - Trace attacker movement, isolate systems
- 🟠 **Data breach handling** - Scope the incident, preserve evidence
- 🔵 **Insider threat investigation** - Detection and investigation workflow
Each playbook includes:
- Detection queries
- Investigation steps
- Containment procedures
- Evidence collection
- Recovery procedures
[📖 Incident Response Playbooks](incident-response-playbooks/README.md)
## 📊 Case Studies
Real-world security scenarios:
1. **Ransomware investigation**
   - Attack vector analysis
   - Lateral movement tracking
   - Encryption timeline
   - Recovery procedures
2. **APT campaign analysis**
   - Multi-stage attack timeline
   - Persistence mechanisms
   - Command and control (C2) detection
   - Attribution indicators
3. **Insider threat detection**
   - Anomalous behaviour patterns
   - Data exfiltration indicators
   - Investigation workflow
   - Containment strategy
4. **Breach timeline reconstruction**
   - Initial compromise
   - Privilege escalation
   - Lateral movement
   - Impact assessment
[📖 Case studies](case-studies/README.md)
## 📋 Use Cases
- 🛡️ SOC Analyst job preparation
- 🔍 Threat hunting operations
- 📊 SIEM administration
- 🚨 Incident response automation
- 🏗️ Azure security hardening
- 📚 Certification study (SC-200, Azure Security)
- 🎓 Security training and mentoring
- 💼 Building an interview portfolio
## 📝 License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
### LinkedIn Post Template
```
🛡️ Just created a comprehensive Azure Sentinel & SOC Security Portfolio!
Includes:
✅ 20+ KQL threat hunting queries
✅ Detection engineering rules
✅ Python automation scripts
✅ Terraform infrastructure templates
✅ SC-200 exam study materials
✅ Real-world incident response playbooks
Perfect for SOC Analysts, Threat Hunters, and Security Engineers.
Check it out: [Your GitHub Link]
#CyberSecurity #AzureSecurity #SOC #ThreatHunting #Detection
```
## 🔐 Security Disclaimer
The queries and scripts provided here are for **educational and authorised security testing purposes only**. Make sure you have the appropriate authorisation before running any query or script in your environment.
## 📚 Related Resources
- [Microsoft Sentinel documentation](https://learn.microsoft.com/en-us/azure/sentinel/)
- [KQL language reference](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [CIS Azure Benchmarks](https://www.cisecurity.org/benchmark/azure)
- [SC-200 certification](https://learn.microsoft.com/en-us/certifications/security-operations-analyst/)
- [Microsoft Defender XDR](https://learn.microsoft.com/en-us/defender-xdr/)
- [Azure security best practices](https://learn.microsoft.com/en-us/azure/security/)
**Last updated**: June 2026 | **Version**: 1.0.0 | **Maintainer**: Security Operations Analyst