Using Sysmon To Enrich Security Onion’s Host-Level Capabilities

SANS recently accepted my GCFA Gold paper, Using Sysmon To Enrich Security Onion’s Host-Level Capabilities. The abstract is as follows:

With more network traffic being encrypted, as well as the persistence of advanced adversaries, it is becoming increasingly imperative that there is greater visibility at the host-level. With this greater visibility comes the ability to more efficiently detect and respond to threats. This paper highlights the use of Sysmon to enrich existing Windows host visibility capabilities in Security Onion, as well as how to use this increased visibility in detection and incident response. In this paper, the author has developed custom parsers and rulesets for integrating host-based data into Security Onion, something which to date had not yet been done for this project.

You can find the paper here. [pdf]

You can also find the ELSA Parsers, as well as the OSSEC decoder and rulesets that I wrote, on Github.

In the next month, I will be breaking up some key parts of the paper into a number of blog posts.

-Josh

Tagged , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s