Home / Companies / Crowdstrike / Blog / Post Details
Content Deep Dive

Parsing Sysmon Events for IR Indicators

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
Microsoft Sysinternals
Word Count
2,579
Company Posts That Month
Language
English
Hacker News Points
-
Post removed?
No
Summary

The blog post discusses the utility of Sysmon, a free endpoint monitoring tool by Microsoft Sysinternals, which is essential for organizations to enhance visibility, logging, and alerting in combating targeted attacks and malware. Sysmon records various system activities such as process creation, network connections, and driver loading, and logs them in a standard Windows event log format, which can be integrated into a SIEM for enterprise use. Though Sysmon can be disabled by attackers and lacks automated alerting, the post offers a detailed guide to automate the review of Sysmon logs using tools like Microsoft Logparser and TekDefense's TekCollect script, allowing for efficient analysis of indicators such as MD5 hashes and IP addresses. The guide emphasizes the importance of routine log analysis, automated keyword searches, and VirusTotal lookups to identify suspicious activities, ultimately aiding in efficient threat hunting and improving security posture.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
AI Agents 1 2,394 1,321 1 -
Zero Trust 1 1,843 1,331 3 +61333%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.