iVanny11-tech/soc-lab-microsoft-sentinel
GitHub: iVanny11-tech/soc-lab-microsoft-sentinel
基于微软Sentinel、Defender XDR和Entra ID Protection构建的企业SOC模拟实验室,用于安全运营培训、攻击检测演练及SC-200考试备考。
Stars: 0 | Forks: 0
# Project ATLAS — SOC 一级/二级模拟
**租户:** VANPASSSC200.onmicrosoft.com
**持续时间:** 2026 年 6 月 27 日 – 7 月 5 日
**平台:** Microsoft Sentinel · Entra ID P2 · Microsoft Defender XDR · Azure Arc · Sysmon · Kali Linux
**考试对齐:** SC-200 (Microsoft Security Operations Analyst)
## 架构
```
┌─────────────────────────────────────────────────────────────┐
│ MacBook Air M4 (Host) │
│ │
│ ┌──────────────────┐ NAT ┌──────────────────────┐ │
│ │ Kali Linux │◄──────────►│ Windows 11 ARM64 │ │
│ │ ARM64 (Attacker)│ 10.0.2.2 │ DESKTOP-TRF9U79 │ │
│ │ 10.0.2.15 │ :33389 │ (Victim) │ │
│ └──────────────────┘ │ Sysmon v15 + AMA │ │
│ │ Azure Arc connected │ │
│ └──────────┬───────────┘ │
└─────────────────────────────────────────────┼───────────────┘
│ AMA → DCR
▼
┌───────────────────────────┐
│ Microsoft Azure │
│ law-soc-atlas (Sentinel) │
│ rg-soc-atlas │
│ East US │
└───────────────────────────┘
│
┌───────────────▼───────────┐
│ Microsoft Entra ID P2 │
│ VANPASSSC200 Tenant │
│ Identity Protection │
│ Conditional Access │
└───────────────────────────┘
```
## 项目结构
```
SOC PROJECTS/
├── README.md ← You are here
├── Day-2-Session-Log-2026-06-27.pdf ← Detection Engineering
├── Day-3-Session-Log-2026-07-04.pdf ← Attack Simulation
├── Day-4-Session-Log-2026-07-05.pdf ← Investigation & Containment
├── Day-5-Final-Report-2026-07-05.pdf ← Final Incident Report
├── Post-Incident-Review.pdf ← PIR + Root Cause Analysis
├── Threat-Hunt-Report.pdf ← Proactive Hunting Findings
├── Escalation-and-SOAR-Playbook.pdf ← Tier 1→2 Escalation + Automation
├── Post-Incident-Review.md
├── Threat-Hunt-Report.md
├── Escalation-and-SOAR-Playbook.md
├── kql/
│ ├── hunt-brute-force-4625.kql
│ ├── hunt-encoded-powershell.kql
│ ├── hunt-tor-anonymous-ip.kql
│ └── telemetry-gap-check.kql
└── attack-navigator/
└── atlas-attack-layer.json ← ATT&CK Navigator heatmap
```
## 模拟的攻击链
| # | 技术 | ID | 工具 | 检测源 |
|---|-----------|-----|------|-----------------|
| 1 | 暴力破解:密码猜测 | T1110.001 | Hydra (rdp://) | SecurityEvent EID 4625 |
| 2 | PowerShell 执行 + 混淆 | T1059.001 + T1027 | powershell -enc | Sysmon EID 1 (Event 表) |
| 3 | 鱼叉式网络钓鱼链接 | T1566.002 | M365 攻击模拟训练 | 攻击模拟报告 |
| 4 | 有效账户:云 | T1078.004 | soc-tor-test 凭据 | Entra ID Protection |
| 5 | 多跳代理 | T1090.003 | Tor 浏览器 | 匿名 IP 地址 (ML) |
## 构建的检测规则 (Microsoft Sentinel KQL)
###
标签:Microsoft Sentinel, SOAR, SOC模拟, 安全运营中心, 微软Defender, 红队行动, 网络映射