You're reading from Threat Hunting with Elastic Stack Solve complex security challenges with integrated prevention, detection, and response

Product type Paperback

Published in Jul 2021

Publisher Packt

ISBN-13 9781801073783

Length 392 pages

Edition 1st Edition

Tools

Kibana

Concepts

Cybersecurity

Author (1):

Andrew Pease

View More author details

Table of Contents (18) Chapters

Preface

1. Section 1: Introduction to Threat Hunting, Analytical Models, and Hunting Methodologies

2. Chapter 1: Introduction to Cyber Threat Intelligence, Analytical Models, and Frameworks FREE CHAPTER

3. Chapter 2: Hunting Concepts, Methodologies, and Techniques

4. Section 2: Leveraging the Elastic Stack for Collection and Analysis

5. Chapter 3: Introduction to the Elastic Stack

6. Chapter 4: Building Your Hunting Lab – Part 1

7. Chapter 5: Building Your Hunting Lab – Part 2

8. Chapter 6: Data Collection with Beats and Elastic Agent

9. Chapter 7: Using Kibana to Explore and Visualize Data

10. Chapter 8: The Elastic Security App

11. Section 3: Operationalizing Threat Hunting

12. Chapter 9: Using Kibana to Pivot Through Data to Find Adversaries

13. Chapter 10: Leveraging Hunting to Inform Operations

14. Chapter 11: Enriching Data to Make Intelligence

15. Chapter 12: Sharing Information and Analysis

16. Assessments

17. Other Books You May Enjoy

Configuring Sysmon for endpoint collection

System Monitor (Sysmon) is a Windows service that collects detailed events on Windows processes, services, operations, and so on. Sysmon is part of Microsoft's Sysinternals project.

Let's download Sysmon, apply a configuration, and run it as a service. First, we need to collect the Sysmon binary, so from the Windows VM, do the following:

Download Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
Download SwiftOnSecurity's Sysmon config:
curl -OL https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml

Find the sysmon.zip file that was downloaded, right-click it, and extract it to the c:\Program Files directory.

Open up a terminal window and install Sysmon as a service with the SwiftOnSecurity configuration. Remember you need administrator privileges, so right-click and select Run as administrator when you open Command Prompt (cmd.exe), and then type...