A month ago, Microsoft announced the open-source SimuLand initiative which allows security researchers to deploy lab environments, reproduce attack patterns and techniques, and then test whether tooling such as Microsoft 365 Defender, Azure Defender, and Azure Sentinel can detect adversarial patterns. Researchers can also capture telemetry from these experiments to extend their own research. Now, Microsoft has released a public dataset from the first simulation exercise.
For those curious about how Microsoft generated this dataset, it was produced by collecting the telemetry from running the first simulation activity in the lab guides. The simulation in question shows how attackers can steal the Active Directory Federation Services (ADFS) token-signing certificate from an on-premises ADFS server and then use it to sign a new Security Assertion Markup Language (SAML) token that can be used to access mail data from the Microsoft Graph API.
The dataset is a collection of security events that occurred during the simulation. Some of them can be seen below:
The security logs have been collected through the Microsoft 365 Defender Advanced Hunting API and the Azure Log Analytics workspace API. Microsoft says that sharing this dataset will allow researchers to better analyze adversarial scenarios, improve their detection rules, model the chain of events, automate simulation plans, and plan hackathons and challenges internally.
Microsoft has also vowed to release more datasets and add new lab guides. You can find out more about the SimuLand initiative on GitHub here and check out the first SimuLand dataset on the GitHub-powered Security Datasets repository here.