Repository of Sentinel alerts and hunting queries leveraging Sysmon and the MITRE ATT&CK framework
Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel.
DISCLAIMER: This tool is not a magic bullet. It will require tuning and real investigative work to be truly effective in your environment.
Sentinel ATT&CK provides the following set of tools:
- A Sysmon configuration file compatible with Azure Sentinel and mapped to specific ATT&CK techniques
- A Sysmon log parser mapped against the OSSEM data model
- A dashboard providing an overview of ATT&CK techniques observed in your Azure environment
- 117 ready-to-use Kusto detection rules covering 156 ATT&CK techniques
- A Hunting Jupyter notebook to assist with process drill-downs
- Azure threat hunting workbooks inspired by the Threat Hunting App for Splunk to help simplify your threat hunts
- A Terraform script to provision a lab to test Sentinel ATT&CK
- Comprehensive guides to help you use the materials in this repository
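To illustrate what the parser and detection-rule pieces above fit together to do, here is an added Kusto example (written for this page, not the repository's own parser or rules) that unpacks Sysmon process-creation events (Event ID 1) from the Sentinel `Event` table, renames the fields to OSSEM-style names, and tags matches with an ATT&CK technique. It assumes Sysmon is forwarded through the Log Analytics agent so that `EventData` arrives as XML with `<Data Name="...">` children; the OSSEM column names and the technique tag are illustrative choices.

```kusto
// Added example: Sysmon Event ID 1 -> OSSEM-style columns -> ATT&CK-tagged detection.
// Assumes the Log Analytics agent layout of the Event table (Source, EventID, EventData as XML).
let SysmonProcessCreate = () {
    Event
    | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
    // EventData is an XML string; pull out the <Data Name="..."> elements as an array.
    | extend EventData = parse_xml(EventData).DataItem.EventData.Data
    | mv-expand bagexpansion=array EventData
    | evaluate bag_unpack(EventData)
    | extend Key = tostring(['@Name']), Value = tostring(['#text'])
    // One row per event again, with every Sysmon field as a property in a bag.
    | summarize Fields = make_bag(pack(Key, Value)) by TimeGenerated, Computer, EventID
    // OSSEM-style names (assumed mapping, not the repository's parser).
    | extend process_path                = tostring(Fields.Image),
             process_command_line        = tostring(Fields.CommandLine),
             process_parent_path         = tostring(Fields.ParentImage),
             process_parent_command_line = tostring(Fields.ParentCommandLine),
             user_name                   = tostring(Fields.User),
             process_integrity_level     = tostring(Fields.IntegrityLevel)
    | extend process_name        = tostring(split(process_path, "\\")[-1]),
             process_parent_name = tostring(split(process_parent_path, "\\")[-1])
    | project-away Fields
};
// Example hunting rule built on the parsed columns: scripting interpreters spawned by Office apps.
// Tagged with T1059 (Command and Scripting Interpreter); tune the parent list for your environment.
SysmonProcessCreate()
| where process_parent_name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where process_name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend technique_id = "T1059", technique_name = "Command and Scripting Interpreter"
| project TimeGenerated, Computer, user_name, process_parent_name, process_name,
          process_command_line, process_integrity_level, technique_id, technique_name
```

Wrapping the parser in a KQL function lets every detection rule reuse the same OSSEM column names, which is what keeps a rule set of this size consistent as Sysmon configs change.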
Head over to the WIKI to learn how to deploy and run Sentinel ATT&CK.
As this repository is constantly being updated and worked on, if you spot any problems we warmly welcome pull requests or submissions on the issue tracker.
Authors and contributors
Sentinel ATT&CK is built with ❤ by:
Special thanks go to the following contributors:
- Olaf Hartong
- Ashwin Patil
- Mor Shabi
- Adrian Corona