Collection and Analysis of Sysmon data with Splunk

London, UK – April 25, 2017 – SOC Prime, Inc. presents new content for Splunk in the Use Case Library – SysMon Integration Framework Basic. System Monitor (SysMon) is a great tool for Microsoft Windows that monitors and logs system activity to the event log. SysMon provides complete information on network connections, new processes, changes to file creation time and so on. You can flexibly configure Sysmon to log all the key events in detail and analyze the collected information with your SIEM to detect any signs of malware or abnormal activity.

SysMon Integration Framework Basic allows you to perform multiple security checks based on Sysmon data. With this Use Case you can quickly detect the use of very long command lines (which can be an attempt to hide malicious code) or the rapid creation of a large number of new files, which may be the result of ransomware activity or evidence of data leakage. It allows you to find anomalies in the system (different files with the same hashes or abnormal executable files), and also provides full information about non-browser executables that connect directly to the Internet.
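As an added example, not part of SOC Prime's content or this announcement, the four checks described above implemented in Python over a handful of constructed Sysmon-style events; the field names follow Sysmon's event schema (EventID, Image, CommandLine, Hashes, UtcTime, DestinationIp), while the sample records, the browser allowlist and the thresholds are assumptions.

```python
# Added example, not SOC Prime's content: the four checks the use case describes,
# run over constructed Sysmon-style events (EventID 1 = process create,
# 3 = network connect, 11 = file create). Thresholds are assumptions.
from collections import defaultdict

EVENTS = [  # constructed sample records, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c " + "A" * 600, "Hashes": "SHA256=AAA"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\svchost.exe",
     "CommandLine": "svchost.exe", "Hashes": "SHA256=BBB"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Hashes": "SHA256=BBB"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.5"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\svchost.exe",
     "DestinationIp": "203.0.113.9"},
] + [{"EventID": 11, "Image": r"C:\Users\u\AppData\svchost.exe",
      "UtcTime": f"2017-04-25 10:00:{i:02d}.000"} for i in range(20)]

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

def long_command_lines(events, max_len=500):
    # Very long command lines can hide encoded or obfuscated payloads.
    return [e["Image"] for e in events
            if e["EventID"] == 1 and len(e["CommandLine"]) > max_len]

def file_creation_bursts(events, threshold=10):
    # Files created per process per UTC minute (the "YYYY-MM-DD HH:MM" prefix);
    # a burst above threshold suggests ransomware or bulk staging of data.
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == 11:
            counts[(e["Image"], e["UtcTime"][:16])] += 1
    return {k: n for k, n in counts.items() if n > threshold}

def duplicate_hashes(events):
    # One hash seen under several image paths: a renamed or masquerading binary.
    by_hash = defaultdict(set)
    for e in events:
        if e["EventID"] == 1:
            by_hash[e["Hashes"]].add(e["Image"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def non_browser_connections(events):
    # Outbound connections from anything that is not a known browser.
    return [(e["Image"], e["DestinationIp"]) for e in events
            if e["EventID"] == 3
            and e["Image"].rsplit("\\", 1)[-1].lower() not in BROWSERS]
```

Fixed one-minute buckets are a simplification of the sliding window a SIEM search would use; in Splunk the same grouping is a `bin _time span=1m` followed by a `stats count by Image, _time`.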