Awesome DFIR - Digital Forensics & Incident Response 

Sysmon DFIR

SysmonSearch make event log analysis more effective and less time consuming, by aggregating event logs generated by Microsoft's Sysmon. SysmonSearch uses Elasticserach and Kibana (and Kibana plugin). Elasticserach Elasticsearch collects/stores Sysmon's event log. Kibana Kibana provides user interface for your Sysmon's event log analysis. The following functions are implemented as Kibana plugin.

JPCERTCC/SysmonSearch

Site

In this blog series, I will talk about my endpoint detection stack focused on Windows environments and mostly based on Sysmon. I feel I need to fire some form of disclaimer; This series of posts are not a silver bullet. It will require tuning and real work to be truly effective in your environment.

Endpoint detection Superpowers on the cheap - part 1

The source code and latest release are both available. Sysmon and windows event log are both extremely powerful tools in a defender's arsenal. Their very flexible configurations give them a great insight into the activity on endpoints, making the process of detecting attackers a lot easier. It's for this reason

Sysmon DFIR

Endpoint detection Superpowers on the cheap - part 1

Universally Evading Sysmon and ETW

JPCERTCC/SysmonSearch