Hunting with Sysmon
Michael Haag

Great stuff Michael — always nice to see more public discussion of using Splunk to hunt through your Sysmon output. You mention building a data model for your app… I will point out that if you use our Sysmon TA the data will be ingested against the Application State datamodel in the Splunk Common Information Model — so that is a start. Also note — we’ve been discussing the use of Sysmon at our yearly .conf for the past two years in our “Splunking the Endpoint” sessions. See https://conf.splunk.com/session/2015/conf2015_Jbrodsky_Splunk_SecurityComplinace_SplunkingTheEndpoint_FINAL.pdf for the 2015 one, and then see https://conf.splunk.com/files/2016/slides/splunking-the-endpoint-hands-on.pdf.
