Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/netevert/sentinel-attack
Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
https://github.com/netevert/sentinel-attack
azure azure-sentinel blue-team cybersecurity detection kql logging mitre-attack security-tools siem sysmon sysmon-config terraform-azure threat-hunting workbooks
Last synced: 3 months ago
JSON representation
Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
- Host: GitHub
- URL: https://github.com/netevert/sentinel-attack
- Owner: netevert
- License: mit
- Created: 2019-05-30T18:47:36.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2023-09-05T13:51:32.000Z (10 months ago)
- Last Synced: 2024-04-12T04:03:32.778Z (3 months ago)
- Topics: azure, azure-sentinel, blue-team, cybersecurity, detection, kql, logging, mitre-attack, security-tools, siem, sysmon, sysmon-config, terraform-azure, threat-hunting, workbooks
- Language: HCL
- Homepage:
- Size: 43.1 MB
- Stars: 1,037
- Watchers: 71
- Forks: 206
- Open Issues: 12
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.md
- Code of conduct: CODE_OF_CONDUCT.md
Lists
- awesome-threat-detection - Sentinel Attack - A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework (Tools)
- awesome-rainmana - netevert/sentinel-attack - Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK (HCL)
README
[![GitHub release](https://img.shields.io/github/release/BlueTeamLabs/sentinel-attack.svg?style=flat-square)](https://github.com/BlueTeamLabs/sentinel-attack/releases)
[![Maintenance](https://img.shields.io/maintenance/yes/2023.svg?style=flat-square)]()
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
[![](https://img.shields.io/badge/2019-DEF%20CON%2027-blueviolet?style=flat-square)](https://2019.cloud-village.org/#talks?olafedoardo)
[![](https://img.shields.io/badge/Official%20Azure%20Sentinel%20workbook-grey?style=flat-square&logo=microsoft-azure)](https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SysmonThreatHunting.json)[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FBlueTeamLabs%2Fsentinel-attack%2Fmaster%2Fazuredeploy.json)
Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel.
**DISCLAIMER:** This tool requires tuning and investigative trialling to be truly effective in a production environment.
![demo](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/docs/demo.gif)
### Overview
Sentinel ATT&CK provides the following tools:
- An [ARM template](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/azuredeploy.json) to automatically deploy Sentinel ATT&CK to your Azure environment
- A [Sysmon configuration file](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/sysmonconfig.xml) compatible with Azure Sentinel and mapped to specific ATT&CK techniques
- A [Sysmon log parser](https://github.com/BlueTeamToolkit/sentinel-attack/blob/master/parser/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/Cyb3rWard0g/OSSEM) data model
- 117 ready-to-use Kusto [detection rules](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/detections) covering 156 ATT&CK techniques
- A [Sysmon threat hunting workbook](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/hunting) inspired by the [Threat Hunting App](https://splunkbase.splunk.com/app/4305/) for Splunk to help simplify threat hunts
- A [Terraform](https://www.terraform.io/) script to provision a lab to test Sentinel ATT&CK
- Comprehensive guidance to help you use the materials in this repository### Usage
Head over to the [WIKI](https://github.com/BlueTeamLabs/sentinel-attack/wiki) to learn how to deploy and run Sentinel ATT&CK.A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found [here](https://2019.cloud-village.org/#talks?olafedoardo) and [here](https://github.com/BlueTeamToolkit/sentinel-attack/tree/master/docs/DEFCON_attacking_the_sentinel.pdf).
### Contributing
As this repository is constantly being updated and worked on, if you spot any problems we warmly welcome pull requests or submissions on the issue tracker.### Authors and contributors
Sentinel ATT&CK is built with ❤ by:
- Edoardo Gerosa
[![Twitter Follow](https://img.shields.io/twitter/follow/netevert.svg?style=social)](https://twitter.com/netevert)Special thanks go to the following contributors:
- Olaf Hartong
[![Twitter Follow](https://img.shields.io/twitter/follow/olafhartong.svg?style=social)](https://twitter.com/olafhartong)
- Ashwin Patil
[![Twitter Follow](https://img.shields.io/twitter/follow/ashwinpatil.svg?style=social)](https://twitter.com/ashwinpatil)
- Mor Shabi
[![Twitter Follow](https://img.shields.io/twitter/follow/Mor44574618.svg?style=social)](https://twitter.com/Mor44574618)
- [Adrian Corona](https://github.com/temores)