Sentinel attack
Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and [MITRE ATT&CK](https://attack.mitre.org/) on Azure Sentinel. The project is distributed under the MIT License license, first published in 2019. It has gained significant community traction with 1,077 stars and 202 forks on GitHub. Key topics include: azure, azure-sentinel, blue-team, cybersecurity, detection.
Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel.
It provides a Sysmon log parser mapped against the OSSEM data model and compatible with the Sysmon Modular XML configuration file.
DISCLAIMER: This tool requires tuning and investigative trialling to be truly effective in a production environment.
Usage
To use the Sentinel-ATT&CK parser, copy-paste it into your Sentinel Logs blade and store it as a function named Sysmon.
A copy of the DEF CON 27 cloud village presentation introducing Sentinel ATT&CK can be found here and here.
Contributing
This repository is work in progress, if you spot any problems we welcome pull requests or submissions on the issue tracker.
Authors and contributors
Sentinel ATT&CK is built with ❤ by:
- Edoardo Gerosa
Special thanks go to the following contributors:
- Olaf Hartong
- Ashwin Patil
- Mor Shabi
- Adrian Corona
Contributors
Showing top 9 contributors by commit count.
Related Repositories
microsoft/generative-ai-for-beginners
21 Lessons, Get Started Building with Generative AI
bregman-arie/devops-exercises
Linux, Jenkins, AWS, SRE, Prometheus, Docker, Python, Ansible, Git, Kubernetes, Terraform, OpenStack, SQL, NoSQL, Azure, GCP, DNS, Elastic, Network, Virtualization. DevOps Interview Questions
danny-avila/LibreChat
Enhanced ChatGPT Clone: Features Agents, MCP, Skills, DeepSeek, Anthropic, AWS, OpenAI, Responses API, Azure, Groq, o1, GPT-5, Mistral, OpenRouter, Vertex AI, Gemini, Artifacts, AI model switching, message search, Code Interpreter, langchain, DALL-E-3, OpenAPI Actions, Functions, Secure Multi-User Auth, Presets, open-source for self-hosting. Active
pulumi/pulumi
Pulumi - Infrastructure as Code in any programming language 🚀
getsops/sops
Simple and flexible tool for managing secrets
milanm/DevOps-Roadmap
DevOps Roadmap for 2026. with learning resources