Sentinel ATT&CK for Microsoft Azure Sentinel
20 July 2022
Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK Matrix on Azure Sentinel.
This tool requires tuning and investigative trialling to be truly effective in a production environment.
Overview
Sentinel ATT&CK provides the following tools:
- An ARM template to automatically deploy Sentinel ATT&CK to your Azure environment
- A Sysmon configuration file compatible with Azure Sentinel and mapped to specific ATT&CK techniques
- A Sysmon log parser mapped against the OSSEM data model
- 117 ready-to-use Kusto detection rules covering 156 ATT&CK techniques
- A Sysmon threat hunting workbook inspired by the Threat Hunting App for Splunk to help simplify threat hunts
- A Terraform script to provision a lab to test Sentinel ATT&CK
- Comprehensive guidance to help you use the materials in this repository
Usage
Head over to the WIKI to learn how to deploy and run Sentinel ATT&CK.
A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found here or contact the CRYPTRON Security Blue Team for more details.