Splunkmon – Taking Sysmon To The Next Level
The success of security teams in combating cyber threats relies on visibility into the environment they must defend. Security teams that lack visibility into their endpoints may not see a threat actor moving through the environment, stealing credentials, deploying backdoors, or exfiltrating sensitive data. The goal of this white paper is to illustrate how security teams can close the visibility gap on Windows endpoints by using the free Sysinternals tool Sysmon together with Splunk®. Sysmon paired with Splunk can provide near-real-time visibility and alerting on the common actions targeted threat actors perform during an attack. Additionally, Sysmon paired with Splunk provides an excellent platform for proactively hunting for evidence of compromise in an environment.
This paper will provide the following:
- An Overview of Sysmon
- Tips for Pairing Sysmon with Splunk
- Scenarios showing what threat actors do and how Sysmon records their activity
- Splunk searches for hunting and alerting