Endpoint detection Superpowers on the cheap - part 1
In this blog series, I will talk about my endpoint detection stack, which is focused on Windows environments and mostly based on Sysmon. I feel I need to fire off some form of disclaimer: this series of posts is not a silver bullet. It will require tuning and real work to be truly effective in your environment.
Universally Evading Sysmon and ETW
The source code and latest release are both available. Sysmon and the Windows Event Log are both extremely powerful tools in a defender's arsenal. Their very flexible configurations give them great insight into the activity on endpoints, making the process of detecting attackers a lot easier. It's for this reason
- SysmonSearch makes event log analysis more effective and less time consuming by aggregating event logs generated by Microsoft's Sysmon.

SysmonSearch uses Elasticsearch and Kibana (plus a Kibana plugin):

- Elasticsearch collects and stores Sysmon's event logs.
- Kibana provides the user interface for analysing Sysmon's event logs.

The following functions are implemented as a Kibana plugin.