Cybersecurity Asset Management, Intrusion detection, Configuration management, Blue Team

Sysmon Endpoint Monitoring: Do You Really Need an EDR?

November 3, 2020
  • Process creation, including these key properties:
    • Computer
    • ProcessId
    • ProcessGuid
    • Image
    • OriginalFileName
    • Description
    • CommandLine
    • User
    • Hashes
    • ParentImage
    • ParentProcessId
    • ParentCommandLine
  • Network creation, including these key properties:
    • Computer
    • Image
    • SourceIp
    • SourceHostname
    • SourcePort
    • DestinationIp
    • DestinationHostname
    • DestinationPort
  • A process changed a file creation time
  • Sysmon service state changed
  • Process terminated
  • Driver loaded
  • Image loaded
  • CreateRemoteThread
  • RawAccessRead
  • ProcessAccess
  • FileCreate
  • RegistryEvent (Object create and delete, Value Set, Key and Value Rename)
  • FileCreateStreamHash
  • ServiceConfigurationChange
  • PipeEvent (Pipe Created, Pipe Connected)
  • WmiEvent (WmiEventFilter activity detected, WmiEventConsumer activity detected, WmiEventConsumerToFilter activity detected)
  • DNSEvent
  • FileDelete
  • Error
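The key properties listed above are what makes process creation and network events useful for detection: the Hashes field unpacks into per-algorithm digests, and ProcessGuid is the stable key for tying a network event back to the process (and parent process) that produced it. As an added example, not code from the original article or from Sysmon itself, the following Python parses two constructed Sysmon records (Event ID 1 and Event ID 3) exported as Windows event XML into the listed properties and joins them on ProcessGuid. The host name, GUIDs, hashes and addresses are constructed sample values; the presence of ProcessGuid on the network event is an assumption beyond the list above.

```python
"""Parse Sysmon event XML (IDs 1 and 3) into the key properties listed above.

Added example: the two event records are constructed sample data, not real logs.
"""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by exported Sysmon records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Key properties per event, following the list in the article.
PROCESS_CREATE_FIELDS = [
    "ProcessId", "ProcessGuid", "Image", "OriginalFileName", "Description",
    "CommandLine", "User", "Hashes", "ParentImage", "ParentProcessId", "ParentCommandLine",
]
# ProcessGuid is not in the article's list for network events; it is assumed here
# because it is the join key back to the process creation event.
NETWORK_FIELDS = [
    "ProcessGuid", "Image", "SourceIp", "SourceHostname", "SourcePort",
    "DestinationIp", "DestinationHostname", "DestinationPort",
]
FIELDS_BY_EVENT_ID = {1: PROCESS_CREATE_FIELDS, 3: NETWORK_FIELDS}

# Constructed Event ID 1 record (placeholder GUID and all-zero hashes).
PROCESS_CREATE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="OriginalFileName">PowerShell.EXE</Data>
    <Data Name="Description">Windows PowerShell</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -WindowStyle Hidden</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000,MD5=00000000000000000000000000000000</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="ParentProcessId">1337</Data>
    <Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n</Data>
  </EventData>
</Event>"""

# Constructed Event ID 3 record from the same process (documentation IP range).
NETWORK_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
    <Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="SourceIp">10.0.0.15</Data>
    <Data Name="SourceHostname">WS01.example.local</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationHostname">-</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>"""


def parse_hashes(value):
    """Split Sysmon's 'ALGO=digest,ALGO=digest' string into a dict of lowercase digests."""
    hashes = {}
    for part in value.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            hashes[algo.strip()] = digest.strip().lower()
    return hashes


def parse_sysmon_event(xml_text):
    """Return EventID, Computer and the key properties for this event type."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    record = {"EventID": event_id, "Computer": system.findtext("e:Computer", namespaces=NS)}
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    for name in FIELDS_BY_EVENT_ID.get(event_id, []):
        record[name] = data.get(name)
    if record.get("Hashes"):
        record["Hashes"] = parse_hashes(record["Hashes"])
    return record


def correlate(events):
    """Enrich each network event with the CommandLine and ParentImage of its creating process."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    enriched = []
    for e in events:
        if e["EventID"] != 3:
            continue
        proc = procs.get(e["ProcessGuid"])
        row = dict(e)
        row["CommandLine"] = proc["CommandLine"] if proc else None
        row["ParentImage"] = proc["ParentImage"] if proc else None
        enriched.append(row)
    return enriched


if __name__ == "__main__":
    events = [parse_sysmon_event(PROCESS_CREATE_XML), parse_sysmon_event(NETWORK_XML)]
    for row in correlate(events):
        print(row["Image"], "->", row["DestinationIp"], row["DestinationPort"],
              "| parent:", row["ParentImage"])
```

The join on ProcessGuid rather than ProcessId matters because Windows reuses process IDs, so a detection that enriches an outbound connection with its parent process from ID 1 events should always key on the GUID.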