Using Sysmon to Enrich Security Onion's Host-Level Capabilities

Published: 27 Mar, 2015
Created by Josh Brower

With more network traffic being encrypted, as well as the persistence of advanced adversaries, it is becoming increasingly imperative that there is greater visibility at the host-level. With this greater visibility comes the ability to more efficiently detect and respond to threats. This paper highlights the use of Sysmon to enrich existing Windows host visibility capabilities in Security Onion, as well as how to use this increased visibility in detection and incident response. In this paper, the author has developed custom parsers and rulesets for integrating host-based data into Security Onion, something which to date had not yet been done for this project.