iVanny11-tech/soc-lab-microsoft-sentinel

GitHub: iVanny11-tech/soc-lab-microsoft-sentinel

基于微软Sentinel、Defender XDR和Entra ID Protection构建的企业SOC模拟实验室,用于安全运营培训、攻击检测演练及SC-200考试备考。

Stars: 0 | Forks: 0

# Project ATLAS — SOC 一级/二级模拟 **租户:** VANPASSSC200.onmicrosoft.com **持续时间:** 2026 年 6 月 27 日 – 7 月 5 日 **平台:** Microsoft Sentinel · Entra ID P2 · Microsoft Defender XDR · Azure Arc · Sysmon · Kali Linux **考试对齐:** SC-200 (Microsoft Security Operations Analyst) ## 架构 ``` ┌─────────────────────────────────────────────────────────────┐ │ MacBook Air M4 (Host) │ │ │ │ ┌──────────────────┐ NAT ┌──────────────────────┐ │ │ │ Kali Linux │◄──────────►│ Windows 11 ARM64 │ │ │ │ ARM64 (Attacker)│ 10.0.2.2 │ DESKTOP-TRF9U79 │ │ │ │ 10.0.2.15 │ :33389 │ (Victim) │ │ │ └──────────────────┘ │ Sysmon v15 + AMA │ │ │ │ Azure Arc connected │ │ │ └──────────┬───────────┘ │ └─────────────────────────────────────────────┼───────────────┘ │ AMA → DCR ▼ ┌───────────────────────────┐ │ Microsoft Azure │ │ law-soc-atlas (Sentinel) │ │ rg-soc-atlas │ │ East US │ └───────────────────────────┘ │ ┌───────────────▼───────────┐ │ Microsoft Entra ID P2 │ │ VANPASSSC200 Tenant │ │ Identity Protection │ │ Conditional Access │ └───────────────────────────┘ ``` ## 项目结构 ``` SOC PROJECTS/ ├── README.md ← You are here ├── Day-2-Session-Log-2026-06-27.pdf ← Detection Engineering ├── Day-3-Session-Log-2026-07-04.pdf ← Attack Simulation ├── Day-4-Session-Log-2026-07-05.pdf ← Investigation & Containment ├── Day-5-Final-Report-2026-07-05.pdf ← Final Incident Report ├── Post-Incident-Review.pdf ← PIR + Root Cause Analysis ├── Threat-Hunt-Report.pdf ← Proactive Hunting Findings ├── Escalation-and-SOAR-Playbook.pdf ← Tier 1→2 Escalation + Automation ├── Post-Incident-Review.md ├── Threat-Hunt-Report.md ├── Escalation-and-SOAR-Playbook.md ├── kql/ │ ├── hunt-brute-force-4625.kql │ ├── hunt-encoded-powershell.kql │ ├── hunt-tor-anonymous-ip.kql │ └── telemetry-gap-check.kql └── attack-navigator/ └── atlas-attack-layer.json ← ATT&CK Navigator heatmap ``` ## 模拟的攻击链 | # | 技术 | ID | 工具 | 检测源 | |---|-----------|-----|------|-----------------| | 1 | 暴力破解:密码猜测 | T1110.001 | Hydra (rdp://) | SecurityEvent EID 4625 | | 2 | PowerShell 执行 + 混淆 | T1059.001 + T1027 | powershell -enc | Sysmon EID 1 (Event 表) | | 3 | 鱼叉式网络钓鱼链接 | T1566.002 | M365 攻击模拟训练 | 攻击模拟报告 | | 4 | 有效账户:云 | T1078.004 | soc-tor-test 凭据 | Entra ID Protection | | 5 | 多跳代理 | T1090.003 | Tor 浏览器 | 匿名 IP 地址 (ML) | ## 构建的检测规则 (Microsoft Sentinel KQL) ###
标签:Microsoft Sentinel, SOAR, SOC模拟, 安全运营中心, 微软Defender, 红队行动, 网络映射