Thanks Josh! Great stuff here... For my particular use case, Sysmon will 
log to the SYSTEM event log and enable me to capture more in-depth 
information beyond the image name of the executables being launched on the 
system.

I'll implement this next week!

-Brent

On Friday, March 27, 2015 at 6:29:03 AM UTC-7, DefensiveDepth wrote:
>
> Newly published paper: Using Sysmon to Enrich Security Onion's Host-Level 
> Capabilities 
> <http://defensivedepth.com/2015/03/27/using-sysmon-to-enrich-security-onions-host-level-capabilities/>
>
> Of particular note, I wrote an OSSEC decoder and a number of rules for 
> Sysmon Event ID 1: Process Created... 
>
> They can be found on Github 
> <https://github.com/defensivedepth/Sysmon_OSSEC>... Feel free to tweak, 
> contribute back, send feedback, etc.
>
> Keep in mind that there may be issues with the current stable release 
> (2.8) as the <eventchannel> bug is unfixed--
>
> I believe the bug fix is slated to be released with 2.9... 
> (https://github.com/ossec/ossec-hids/issues/224)
>
> -Josh
>
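To illustrate what a decoder plus rules for Sysmon Event ID 1 does with the extra detail Brent mentions (command line, user, hashes, parent image, not just the image name), here is an added example in Python. It is not code from the Sysmon_OSSEC repository or from OSSEC; it stands in for an OSSEC decoder/rule pair by parsing the Windows event XML that Sysmon writes and applying one constructed detection rule. The field names (Image, CommandLine, ParentImage, Hashes, ...) are Sysmon's own; the sample record, the rule id and the rule logic are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (the layout an eventchannel reader sees).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample Sysmon Event ID 1 (Process Create) record. Values are
# made up for illustration; only the field names follow Sysmon's schema.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2015-03-27 13:29:03.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">EXAMPLE\\brent</Data>
    <Data Name="Hashes">SHA1=0000000000000000000000000000000000000000</Data>
    <Data Name="ParentProcessId">1234</Data>
    <Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\WINWORD.EXE</Data>
  </EventData>
</Event>"""


def decode_process_create(xml_text):
    """Decoder step: return a dict of Event ID 1 fields, or None for other IDs."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "1":
        return None
    fields = {"EventID": 1}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


# Rule step: (rule id, description, predicate over decoded fields).
# Constructed example rule, not one of the repository's rules.
RULES = [
    (100001, "Command shell spawned by an Office application",
     lambda f: f.get("Image", "").lower().endswith("\\cmd.exe")
               and "\\microsoft office\\" in f.get("ParentImage", "").lower()),
]


def match_rules(fields):
    """Return (id, description) for every rule whose predicate matches."""
    return [(rid, desc) for rid, desc, pred in RULES if pred(fields)]


def analyse(xml_text):
    """Decode one event record and return the rules it triggers."""
    fields = decode_process_create(xml_text)
    if fields is None:
        return []
    return match_rules(fields)


if __name__ == "__main__":
    for rid, desc in analyse(SAMPLE_EVENT):
        print(f"rule {rid}: {desc}")
```

The point of the split is the same as in OSSEC: the decoder only names fields, while the rules decide what is interesting. A rule on parent image and command line is only possible because Sysmon records those fields; an event source that logs just the image name could not support it.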
