SANS recently accepted my GCFA Gold paper, Using Sysmon To Enrich Security Onion’s Host-Level Capabilities. The abstract is as follows:
With more network traffic being encrypted, as well as the persistence of advanced adversaries, it is becoming increasingly imperative that there is greater visibility at the host level. With this greater visibility comes the ability to more efficiently detect and respond to threats. This paper highlights the use of Sysmon to enrich existing Windows host visibility capabilities in Security Onion, as well as how to use this increased visibility in detection and incident response. In this paper, the author has developed custom parsers and rulesets for integrating host-based data into Security Onion, something which to date had not yet been done for this project.
You can find the paper here. [pdf]
You can also find the ELSA parsers, as well as the OSSEC decoder and rulesets that I wrote, on GitHub.
Over the next month, I will be breaking up some key parts of the paper into a number of blog posts.
-Josh