Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel.
DISCLAIMER: This tool is not a magic bullet. It will require tuning and real investigative work to be truly effective in your environment.
Overview
Sentinel ATT&CK provides the following:
- A dashboard to monitor execution of ATT&CK techniques
- A Sysmon configuration file mapped to specific ATT&CK techniques
- A Sysmon log parser mapped against the OSSEM data model
- 119 Kusto detection rules mapped against ATT&CK
- A Terraform script to provision a Sentinel ATT&CK test lab in Azure
- Hunting Jupyter notebooks and Azure workbooks to assist with process drill-down
- Guides to help you leverage the materials in this repository
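The two middle items of this list, a Sysmon parser mapped to the OSSEM data model and detection rules tagged with ATT&CK techniques, are easiest to understand side by side. The following is an added example written for this page, not the repository's own parser or one of its 119 Kusto rules: it flattens a raw Sysmon Event ID 1 (process creation) record into OSSEM-style field names and then evaluates one rule over the result. The field mapping, the rule, the host/user names and the events themselves are constructed; the only real values are the Windows event XML namespace and the ATT&CK technique ID.

```python
"""Added example, not code from the Sentinel ATT&CK repository: parse Sysmon Event ID 1
XML into OSSEM-style field names, then evaluate an ATT&CK-tagged detection rule."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Windows event XML namespace (real; Sysmon events are logged in this schema).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon Data Name -> OSSEM-style field name. Assumed mapping modelled on the OSSEM
# process schema; the repository's own parser may choose different names.
OSSEM_MAP = {
    "UtcTime": "event_creation_time",
    "ProcessGuid": "process_guid",
    "ProcessId": "process_id",
    "Image": "process_path",
    "CommandLine": "process_command_line",
    "User": "user_name",
    "ParentImage": "process_parent_path",
    "ParentCommandLine": "process_parent_command_line",
}


def parse_sysmon_event(xml_text: str) -> Dict[str, object]:
    """Flatten one Sysmon event into a dict keyed by OSSEM-style names."""
    root = ET.fromstring(xml_text)
    record: Dict[str, object] = {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "host_name": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        name, value = data.get("Name"), data.text or ""
        if name in OSSEM_MAP:
            record[OSSEM_MAP[name]] = value
        elif name == "Hashes":
            # Sysmon packs "SHA256=...,MD5=..." into one field; split it per algorithm.
            for pair in value.split(","):
                algo, _, digest = pair.partition("=")
                record["hash_" + algo.strip().lower()] = digest
    # Derived file names, lower-cased so rules can compare them exactly.
    for src, dst in (("process_path", "process_name"),
                     ("process_parent_path", "process_parent_name")):
        if src in record:
            record[dst] = str(record[src]).rsplit("\\", 1)[-1].lower()
    return record


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def rule_office_spawns_shell(record: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Office application launching a command or script interpreter.
    Tagged with ATT&CK T1204.002 (User Execution: Malicious File)."""
    if record.get("event_id") != 1:
        return None
    if record.get("process_parent_name") in OFFICE_APPS and record.get("process_name") in SHELLS:
        return {
            "technique_id": "T1204.002",
            "technique_name": "User Execution: Malicious File",
            "host_name": record.get("host_name"),
            "user_name": record.get("user_name"),
            "process_parent_path": record.get("process_parent_path"),
            "process_command_line": record.get("process_command_line"),
        }
    return None


def run_rules(events: List[str]) -> List[Dict[str, object]]:
    """Parse every raw event and collect the alerts the rule produces."""
    alerts = []
    for xml_text in events:
        alert = rule_office_spawns_shell(parse_sysmon_event(xml_text))
        if alert:
            alerts.append(alert)
    return alerts


def _event(image: str, cmdline: str, parent: str, parent_cmdline: str) -> str:
    """Build a constructed Sysmon Event ID 1 record (sample data, not a real capture)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>1</EventID><Computer>ws01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-08-01 10:00:00.000</Data>
    <Data Name="ProcessGuid">{{00000000-0000-0000-0000-000000000001}}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="User">EXAMPLE\\alice</Data>
    <Data Name="Hashes">SHA256={'0' * 64},MD5={'0' * 32}</Data>
    <Data Name="ParentImage">{parent}</Data>
    <Data Name="ParentCommandLine">{parent_cmdline}</Data>
  </EventData>
</Event>"""


# Constructed sample events: one benign, one matching the rule.
SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
           r"C:\Windows\explorer.exe", "explorer.exe"),
    _event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hello",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm'),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The separation is the point: the parser normalises field names once, so every rule reads `process_parent_name` rather than Sysmon's `ParentImage`, and a rule returns its ATT&CK technique ID alongside the evidence fields, which is what lets a dashboard count executions per technique.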
Usage
Head over to the getting started guide to install Sentinel ATT&CK.
A copy of the DEF CON 27 presentation introducing Sentinel ATT&CK can be found here.
ATT&CK coverage
Sentinel ATT&CK's detection rules cover a total of 156 ATT&CK techniques.
Contributing
As this repository is constantly being updated and worked on, if you spot any problems we warmly welcome pull requests or submissions on the issue tracker.