https://github.com/netevert/sentinel-attack

Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
https://github.com/netevert/sentinel-attack

azure azure-sentinel blue-team cybersecurity detection kql logging mitre-attack security-tools siem sysmon sysmon-config terraform-azure threat-hunting workbooks

Last synced: 4 days ago
JSON representation

Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK

• Host: GitHub
• URL: https://github.com/netevert/sentinel-attack
• Owner: netevert
• License: mit
• Created: 2019-05-30T18:47:36.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2023-09-05T13:51:32.000Z (over 1 year ago)
• Last Synced: 2024-10-29T22:32:58.526Z (about 1 month ago)
• Topics: azure, azure-sentinel, blue-team, cybersecurity, detection, kql, logging, mitre-attack, security-tools, siem, sysmon, sysmon-config, terraform-azure, threat-hunting, workbooks
• Language: HCL
• Homepage:
• Size: 43.1 MB
• Stars: 1,056
• Watchers: 71
• Forks: 207
• Open Issues: 12
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE.md
  • Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

• awesome-hacking-lists - netevert/sentinel-attack - Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK (HCL)
• awesome-rainmana - netevert/sentinel-attack - Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK (Others)

README

        
[![GitHub release](https://img.shields.io/github/v/release/netevert/sentinel-attack.svg?style=flat-square)](https://github.com/netevert/sentinel-attack/releases)

[![Maintenance](https://img.shields.io/maintenance/yes/2024.svg?style=flat-square)]()

[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)

[![](https://img.shields.io/badge/2019-DEF%20CON%2027-blueviolet?style=flat-square)](https://2019.cloud-village.org/#talks?olafedoardo)

Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel.

It provides a [Sysmon log parser](https://github.com/netevert/sentinel-attack/blob/master/Sysmon-OSSEM.txt) mapped against the [OSSEM](https://github.com/OTRF/OSSEM) data model and compatible with the [Sysmon Modular XML configuration file](https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml).

**DISCLAIMER:** This tool requires tuning and investigative trialling to be truly effective in a production environment.

### Usage

To use the Sentinel-ATT&CK parser, copy-paste it into your Sentinel Logs blade and store it as a function named `Sysmon`.

A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found [here](https://2019.cloud-village.org/#talks?olafedoardo) and [here](https://github.com/netevert/sentinel-attack/blob/master/docs/DEFCON_attacking_the_sentinel.pdf).

### Contributing

This repository is work in progress, if you spot any problems we welcome pull requests or submissions on the issue tracker.

### Authors and contributors

Sentinel ATT&CK is built with ❤ by:

- Edoardo Gerosa 

[![Twitter Follow](https://img.shields.io/twitter/follow/edoardogerosa.svg?style=social)](https://twitter.com/edoardogerosa)

Special thanks go to the following contributors:

- Olaf Hartong

[![Twitter Follow](https://img.shields.io/twitter/follow/olafhartong.svg?style=social)](https://twitter.com/olafhartong) 

- Ashwin Patil

[![Twitter Follow](https://img.shields.io/twitter/follow/ashwinpatil.svg?style=social)](https://twitter.com/ashwinpatil)

- Mor Shabi

[![Twitter Follow](https://img.shields.io/twitter/follow/Mor44574618.svg?style=social)](https://twitter.com/Mor44574618)

- [Adrian Corona](https://github.com/temores)