[
]()
Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel.
It provides a Sysmon log parser mapped against the OSSEM data model and compatible with the Sysmon Modular XML configuration file.
DISCLAIMER: This tool requires tuning and investigative trialling to be truly effective in a production environment.
Usage
To use the Sentinel-ATT&CK parser, copy-paste it into your Sentinel Logs blade and store it as a function named Sysmon.
A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found here and here.
Contributing
This repository is work in progress, if you spot any problems we welcome pull requests or submissions on the issue tracker.
Authors and contributors
Sentinel ATT&CK is built with ❤ by:
- Edoardo Gerosa
Special thanks go to the following contributors:
- Olaf Hartong
- Ashwin Patil
- Mor Shabi
- Adrian Corona