Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel.
It provides a Sysmon log parser mapped against the OSSEM data model and compatible with the Sysmon Modular XML configuration file.
DISCLAIMER: This tool requires tuning and investigative trialling to be truly effective in a production environment.
To use the Sentinel-ATT&CK parser, copy-paste it into your Sentinel Logs blade and store it as a function named Sysmon.
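Once the function is saved, a quick sanity check is to call it and count events per Sysmon event type. The query below is an added example, not part of the Sentinel ATT&CK repository; it assumes the function was saved under the name Sysmon and that its parsed output still exposes the EventID and Computer columns from the underlying Event table (both assumptions):

```kql
// Added example, not from the Sentinel ATT&CK repo.
// Assumes the parser was saved as a function named 'Sysmon' and that its output
// keeps the EventID and Computer columns of the source Event table (assumption).
Sysmon
| where TimeGenerated > ago(24h)
| summarize Events = count(), Hosts = dcount(Computer) by EventID
| order by EventID asc
```

If the query returns no rows, check that the Sysmon Modular configuration is forwarding events into the Event table before tuning any hunting queries built on the parser.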
A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found here and here.
This repository is a work in progress. If you spot any problems, we welcome pull requests or submissions on the issue tracker.
Sentinel ATT&CK is built with ❤ by:
Special thanks go to the following contributors:
- Olaf Hartong
- Ashwin Patil
- Mor Shabi
- Adrian Corona