feat: Add sovereign tool stack and integrate ASTRAL/AOC across playbooks
New document: Sovereign Tool Stack — complete capability map for our open-source consulting arsenal.

Documents updated:
- sovereign-tool-stack.md (new): Maps Prowler, BloodHound, CISO Assistant, Purple Knight/Forest Druid, ASTRAL, and AOC to engagement modules and antifragile pillars. Identifies 6 gaps with recommended closes: Wazuh+Sysmon (EDR), Shuffle (SOAR), TheHive+Cortex (case management), Cartography (cloud asset mapping), Syft+Grype+Trivy (containers), Zeek+Suricata (network analysis). Includes per-module tool pairing, deployment complexity matrix, and integration architecture.
- m365-e3-hardening.md: Added ASTRAL 'configuration immunity' section and AOC audit log integration references
- endpoint-management-entry-vector.md: Added ASTRAL for Intune configuration backup and drift detection
- modular-engagements.md: Added ASTRAL and AOC to Module 1/2/3 deliverables; linked sovereign tool stack
- retained-capability.md: Added AOC and Wazuh to detection engineering description
- ai-assisted-tvm.md: Added AOC and Prowler to discovery layer table
- blue-purple-team-foundation.md: Added sovereign tool stack reference for open-source SOC architecture
- zero-budget-hardening.md: Linked sovereign tool stack
- README.md + index.md: Added sovereign-tool-stack.md to navigation
@@ -122,6 +122,7 @@ Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
- Retention: 90 days (E3 default); document the gap vs. 1-year requirement in some regulations
- Export for analysis: `Search-UnifiedAuditLog` or use Microsoft Purview Audit (Standard) if available
- **AOC integration**: For clients with AOC deployed, unified audit logs are ingested automatically and correlated with Entra ID sign-in events to surface anomalous admin behaviour without manual PowerShell queries
**Enable Mailbox Auditing**
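Review bot: the new AOC bullet should say whether AOC changes the 90-day retention figure given in the Retention bullet two lines above; if AOC keeps the ingested unified audit logs longer than E3's 90 days, state that here because it closes the gap the Retention bullet asks clients to document, and if it does not, the gap still stands and the bullet should not read as though AOC resolves it. It should also state that automatic ingestion presupposes `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true` from the hunk header has already been applied, since AOC has nothing to correlate with Entra ID sign-in events otherwise.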
@@ -187,6 +188,21 @@ E3 includes **Entra ID P1**, which provides robust conditional access: device co
> *"E3 gives us strong authentication and solid authorization. We can enforce MFA, block legacy auth, and require managed devices. What we cannot do is automatically step up authentication when a sign-in looks risky, or block access from impossible travel. If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P2 for identity protection, not a full E5 jump."*
### Configuration Immunity (ASTRAL)
E3 tenants accumulate hundreds of configuration objects—conditional access policies, Intune profiles, compliance policies, and Exchange transport rules—with no version control. A single accidental deletion or unauthorised change can break authentication or expose data.
**Mitigations within E3**:
- **ASTRAL baseline capture**: Record the state of every M365 configuration object at engagement start
- **Drift detection**: Alert within minutes when policies are created, modified, or deleted outside change windows
- **One-click rollback**: Restore deleted or misconfigured policies without rebuilding from memory
- **Change attribution**: Link every configuration change to the specific admin account and session
**The Strategic Conversation**:
> *"Your M365 tenant has 400 configuration objects and no version control. When an admin accidentally deletes a conditional access policy at 2 AM, you discover it 6 hours later because users are complaining. ASTRAL detects the deletion in 60 seconds, attributes it to the specific admin, and offers one-click rollback. This is not backup. This is configuration immunity."*
### Close the Email Security Gap (No Defender for Office 365 P2)
EOP anti-phishing is reactive. Safe Links and Safe Attachments are proactive.
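Review bot: the timing claims in the new Configuration Immunity section disagree: the "Drift detection" bullet promises alerts "within minutes", while the quoted client pitch says ASTRAL "detects the deletion in 60 seconds"; settle on one figure and use it in both places so the client-facing quote does not promise more than the documented capability. Two smaller points: the bold label "Mitigations within E3" sits above four bullets that are all ASTRAL capabilities rather than E3 features, so either rename it (for example "Mitigations with E3 plus ASTRAL") or say in the first bullet that ASTRAL is an external open-source tool; and the "Change attribution" bullet relies on the unified audit log enabled in the earlier hunk (`Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`), so cross-reference that prerequisite here.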
@@ -328,5 +344,6 @@ See [Vertical: Banking](../reference/vertical-banking.md) for full regulatory al
*Previous: [Zero-Budget Hardening](zero-budget-hardening.md)*
*Next: [AD and Endpoint Hardening](ad-endpoint-hardening.md)*
*For the complete open-source tool arsenal including ASTRAL and AOC, see [Sovereign Tool Stack](sovereign-tool-stack.md)*
For how Intune deployment becomes the natural entry point for broader security transformation, see [Endpoint Management Entry Vector](endpoint-management-entry-vector.md).
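Review bot: the added cross-reference is italicised and placed directly under the Previous/Next pair, where it reads as a third navigation link rather than a see-also; move it below the navigation beside the existing "For how Intune deployment becomes the natural entry point..." sentence and give it the same plain-paragraph form with a closing full stop (`For the complete open-source tool arsenal, including ASTRAL and AOC, see [Sovereign Tool Stack](sovereign-tool-stack.md).`), so the two cross-references read consistently.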