{"id":13453766,"url":"https://github.com/netevert/sentinel-attack","last_synced_at":"2025-05-16T07:05:03.568Z","repository":{"id":37333764,"uuid":"189465668","full_name":"netevert/sentinel-attack","owner":"netevert","description":"Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT\u0026CK","archived":false,"fork":false,"pushed_at":"2023-09-05T13:51:32.000Z","size":45183,"stargazers_count":1056,"open_issues_count":12,"forks_count":207,"subscribers_count":71,"default_branch":"master","last_synced_at":"2024-10-29T22:32:58.526Z","etag":null,"topics":["azure","azure-sentinel","blue-team","cybersecurity","detection","kql","logging","mitre-attack","security-tools","siem","sysmon","sysmon-config","terraform-azure","threat-hunting","workbooks"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/netevert.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-05-30T18:47:36.000Z","updated_at":"2024-10-21T12:08:13.000Z","dependencies_parsed_at":"2024-04-17T16:12:54.957Z","dependency_job_id":null,"html_url":"https://github.com/netevert/sentinel-attack","commit_stats":null,"previous_names":["blueteamlabs/sentinel-attack"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netevert%2Fsentinel-attack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netevert%2Fsentinel-attack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netevert%2Fsentinel-attack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netevert%2Fsentinel-attack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/netevert","download_url":"https://codeload.github.com/netevert/sentinel-attack/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254485056,"owners_count":22078767,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-sentinel","blue-team","cybersecurity","detection","kql","logging","mitre-attack","security-tools","siem","sysmon","sysmon-config","terraform-azure","threat-hunting","workbooks"],"created_at":"2024-07-31T08:00:46.860Z","updated_at":"2025-05-16T07:04:58.554Z","avatar_url":"https://github.com/netevert.png","language":"HCL","funding_links":[],"categories":["Threat Detection and Hunting","Others"],"sub_categories":["Tools"],"readme":"[![GitHub release](https://img.shields.io/github/v/release/netevert/sentinel-attack.svg?style=flat-square)](https://github.com/netevert/sentinel-attack/releases)\n[![Maintenance](https://img.shields.io/maintenance/yes/2024.svg?style=flat-square)]()\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)\n[![](https://img.shields.io/badge/2019-DEF%20CON%2027-blueviolet?style=flat-square)](https://2019.cloud-village.org/#talks?olafedoardo)\n\nSentinel ATT\u0026CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT\u0026CK](https://attack.mitre.org/) on Azure Sentinel.\n\nIt provides a [Sysmon log parser](https://github.com/netevert/sentinel-attack/blob/master/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/OTRF/OSSEM) data model and compatible with the [Sysmon Modular XML configuration file](https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml).\n\n**DISCLAIMER:** This tool requires tuning and investigative trialling to be truly effective in a production environment.\n\n### Usage\nTo use the Sentinel-ATT\u0026CK parser, copy-paste it into your Sentinel Logs blade and store it as a function named `Sysmon`.\n\nA copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT\u0026CK can be found [here](https://2019.cloud-village.org/#talks?olafedoardo) and [here](https://github.com/netevert/sentinel-attack/blob/master/docs/DEFCON_attacking_the_sentinel.pdf).\n\n### Contributing\nThis repository is work in progress, if you spot any problems we welcome pull requests or submissions on the issue tracker.\n\n### Authors and contributors\nSentinel ATT\u0026CK is built with ❤ by:\n- Edoardo Gerosa \n[![Twitter Follow](https://img.shields.io/twitter/follow/edoardogerosa.svg?style=social)](https://twitter.com/edoardogerosa)\n\nSpecial thanks go to the following contributors:\n\n- Olaf Hartong\n[![Twitter Follow](https://img.shields.io/twitter/follow/olafhartong.svg?style=social)](https://twitter.com/olafhartong) \n- Ashwin Patil\n[![Twitter Follow](https://img.shields.io/twitter/follow/ashwinpatil.svg?style=social)](https://twitter.com/ashwinpatil)\n- Mor Shabi\n[![Twitter Follow](https://img.shields.io/twitter/follow/Mor44574618.svg?style=social)](https://twitter.com/Mor44574618)\n- [Adrian Corona](https://github.com/temores)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetevert%2Fsentinel-attack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetevert%2Fsentinel-attack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetevert%2Fsentinel-attack/lists"}