Endpoint detection Superpowers, with Sysmon and Splunk By Olaf Hartong (Falcon Force - NL)
Based on my experience as a blue and purple teamer I wanted to create a workflow toolkit for anyone with access to Splunk to get started with a set of tools that enables them to hit the ground running on a tight budget without compromising on quality.
I will explain the pain of lacking visibility in a common Enterprise environment. I'll introduce how I use the MITRE ATT&CK framework as the foundation of the talk.
Next I'll present my modular Sysmon configuration that covers over 140 ATT&CK techniques.
I will present my hunting app, which contains over 130 searches and over 15 dashboards. Knowledge is power; The workflow has been intentionally built on generic searches to cover all attack variations, to be able to uncover most potentially malicious behavior. The dashboards contain overviews, threat indicators and facilitate consecutive drilldown workflows to help the analyst determine whether this is a threat or not and allow them to whitelist.
FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP
Senior Security Engineer