
Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK

Results 13 sentinel-attack issues

Hi everyone, facing issues getting the Sysmon threat hunting workbook to work. I have installed the whitelisting CSV storage files to the storage container. From the dashboard I am seeing this error: " 'project' operator:...

I tested the detection for InstallUtil applocker bypass and found that the original sysmon configuration wasn't able to detect it. The version in this pull request was able to detect...

I had a problem with missing Registry "SetValue" events in most of the Workbook queries, I would only see CreateKey (EventId 12) results. Noticed that the data was present in...

When running post-deployment: https://github.com/BlueTeamLabs/sentinel-attack/wiki/Sysmon-Threat-Hunting-workbook---post-deployment-configuration the ARM template prompts you for your workspace name. However, the template uses your workspace name to create a storage account, which only allows lower case...

In Kusto (the underlying database engine used for Sentinel): for the cases when the full word is looked up, it is better (perf-wise) to use 'has' instead of...

enhancement

Hey, Thank you for your effort you've put in this. I deployed the lab with your terraform script but noticed my Workstation could not resolve the custom domain that I've...

enhancement

Hi, the default alert rules in Sentinel for Threat Intelligence use the security event 4688 as a source. Would it be possible to rewrite this rule so I can use...

![Parser-EventID-22](https://user-images.githubusercontent.com/10306855/65145081-98d5ef80-da10-11e9-9df2-23f260515ea3.PNG) There's no technique_id, technique_name or phase_name attributed in Sysmon EventID 22.

enhancement

Don't you guys talk to each other at MS security dev/teams/products, or am I missing something here? ;-) Awesome work!!! Really appreciated!

enhancement