Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
In this article Dimitris Margaritis talks about how to detect malicious activity via analysis of Endpoint Logs with Splunk.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time [1].
Sysmon log contains information which can be analyzed to detect modern attacks that bypass traditional detection tools. Mark Russinovich did a presentation at RSA 2016 about sysmon, its EventIDs and explained how sysmon can be used to detect malware. [2]
Sysmon Events should be sent to Log Management System e.g Spunk, Elastic Search for analysis and there are few ways to do it e.g build-in WEF capability of Windows or an agent on endpoint like Splunk Universal Forwarder [3,4].
The main challenges in centralizing and analyzing sysmon logs are the management of the volume and the filtering of the noise. This is very important for big networks (>10.000 hosts) especially when the licensing of the log management system is based on indexed volume like in Splunk.
Sysmon logs are a part of endpoints logs that must be analyzed and other sources include specific events from the security log, EMET log and PowerShell version 5 logs. It should be noted that how Sysmon data can be used and what detection rules can be developed depends on other security tools and policies that exist on a given network e.g A correlation rule can be developed to alert for malicious attachments that entered a network and an alarm raised by a network IDS without further information if finally at the endpoint the attachment was opened or not. A malicious attachment can be blocked by AV on Email gateway or on email server or on the endpoint or by user awareness.Full command line of Acrobat and Office executables in sysmon EventID 1 can be used to see if a malicious attachment was finally opened.
Please enter the result of the calculation above.
Save my name, email, and website in this browser for the next time I comment.
Δ
Speak to a Specialist Now
Get Help Now