COMMSEC: What the log? So Many Events, So Little Time

This talk will be live streamed on the HITBSecConf YouTube channel.

Detecting adversaries is not always easy, especially when it comes to correlating Windows Event Logs with real-world attack patterns and techniques. EventList matches Windows Event Log IDs to the MITRE ATT&CK framework (and vice versa) and offers methods to simplify detection in corporate environments worldwide.

Use the tool presented to:
– Import either MSFT Baselines or custom GPOs
– Find out immediately which events are generated and which MITRE ATT&CK techniques are covered by the selected Baseline/GPO
– Choose MITRE ATT&CK techniques and generate GPOs that produce the events needed to detect them
– Generate agent forwarder configs that cover only the events needed for detection (avoid being “log spammed”)
– Generate queries to detect the chosen MITRE ATT&CK techniques, regardless of the SIEM solution used
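The list above describes the two directions of one mapping (Event IDs to ATT&CK techniques and back) and the forwarder filter that falls out of it. The following is an added example written for this page, not EventList's own code (which is PowerShell). The event-to-technique table is a small constructed subset chosen for illustration; the function names and the XPath filter format are this example's own, with the XPath written in the form accepted by Windows Event Viewer custom views and Windows Event Forwarding subscriptions.

```python
"""Added example: bidirectional Event ID <-> ATT&CK mapping and a minimal
forwarder filter derived from it. Not EventList's code; the table is a
constructed, illustrative subset."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, int]  # (log channel, EventID)

# Constructed, illustrative table: which ATT&CK techniques a Windows event
# helps detect. EventList's real table is far larger; these rows are examples.
EVENT_TO_TECHNIQUES: Dict[Event, Set[str]] = {
    ("Security", 4624): {"T1078"},            # logon succeeded
    ("Security", 4625): {"T1110"},            # logon failed
    ("Security", 4688): {"T1059", "T1204"},   # process created
    ("Security", 4698): {"T1053.005"},        # scheduled task created
    ("Security", 4720): {"T1136.001"},        # local account created
    ("Security", 4732): {"T1098"},            # member added to local group
    ("System", 7045): {"T1543.003"},          # service installed
}


def techniques_for_baseline(enabled_events: Iterable[Event]) -> Set[str]:
    """Baseline/GPO -> techniques: union of techniques for every event it produces."""
    covered: Set[str] = set()
    for ev in enabled_events:
        covered |= EVENT_TO_TECHNIQUES.get(ev, set())
    return covered


def technique_to_events() -> Dict[str, Set[Event]]:
    """Invert the table so the mapping also works from technique to events."""
    inv: Dict[str, Set[Event]] = defaultdict(set)
    for ev, techs in EVENT_TO_TECHNIQUES.items():
        for tech in techs:
            inv[tech].add(ev)
    return inv


def events_for_techniques(chosen: Iterable[str]) -> Tuple[Dict[str, List[int]], Set[str]]:
    """Techniques -> minimal event set grouped per channel, plus techniques the
    table cannot cover (a coverage gap the analyst should know about)."""
    inv = technique_to_events()
    needed: Dict[str, Set[int]] = defaultdict(set)
    uncovered: Set[str] = set()
    for tech in chosen:
        if tech not in inv:
            uncovered.add(tech)
            continue
        for channel, event_id in inv[tech]:
            needed[channel].add(event_id)
    return {ch: sorted(ids) for ch, ids in needed.items()}, uncovered


def xpath_filter(event_ids: Iterable[int]) -> str:
    """XPath that lets only the listed IDs through a WEF subscription or
    Event Viewer custom view, keeping the collector free of unneeded events."""
    clauses = " or ".join(f"EventID={eid}" for eid in sorted(set(event_ids)))
    return f"*[System[({clauses})]]"


def forwarder_config(chosen: Iterable[str]) -> Dict[str, str]:
    """One XPath filter per log channel for the chosen techniques."""
    by_channel, _ = events_for_techniques(chosen)
    return {ch: xpath_filter(ids) for ch, ids in by_channel.items()}


if __name__ == "__main__":
    # Constructed baseline: a GPO that only audits logon success/failure.
    baseline = [("Security", 4624), ("Security", 4625)]
    print("covered by baseline:", sorted(techniques_for_baseline(baseline)))
    wanted = ["T1053.005", "T1543.003", "T1059"]
    events, gaps = events_for_techniques(wanted)
    print("events needed:", events, "uncovered:", gaps)
    for channel, xpath in forwarder_config(wanted).items():
        print(f"{channel}: {xpath}")
```

The uncovered set is the part worth keeping in any real implementation: a technique that maps to no event in the chosen baseline is a blind spot, and reporting it is what lets the GPO or baseline be extended deliberately rather than by collecting everything.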

Location: Track 4 / CommSec
Date: April 24, 2020
Time: 3:00 pm - 3:30 pm
Speaker: Miriam Wiesner