Detecting adversaries is not always easy – especially when it comes to correlating Windows Event Logs with real-world attack patterns and techniques. EventList helps to match Windows Event Log IDs with the MITRE ATT&CK framework (and vice versa) and offers methods to simplify detection in corporate environments worldwide.
Use the tool presented to:
– Import either MSFT Baselines or custom GPOs
– Find out immediately which events are generated and which MITRE ATT&CK techniques are covered by the selected Baseline/GPO
– Choose MITRE ATT&CK techniques and generate the GPOs that produce the events needed for their detection
– Generate Agent Forwarder configs that cover only the events needed for detection (avoid being “log spammed”)
– Generate Queries to detect the chosen MITRE ATT&CK techniques, regardless of the SIEM solution used
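The mapping logic behind these steps, as an added illustration that is not EventList's own code: a constructed Event-ID-to-technique catalog and two constructed baselines stand in for the real data, and the module is used to report baseline coverage, derive the minimal event set for chosen techniques, and render that set as per-channel filters in the XPath form a Windows Event Forwarding subscription uses.

```python
from collections import defaultdict

# Event ID -> (log channel, ATT&CK techniques it gives evidence for). Constructed sample.
EVENT_CATALOG = {
    4688: ("Security", {"T1059", "T1204.002"}),  # process creation
    4624: ("Security", {"T1078"}),               # successful logon
    4698: ("Security", {"T1053.005"}),           # scheduled task created
    4720: ("Security", {"T1136.001"}),           # local account created
    7045: ("System", {"T1543.003"}),             # new service installed
    4104: ("Microsoft-Windows-PowerShell/Operational", {"T1059.001"}),  # script block
}

# Baseline/GPO name -> Event IDs its audit policy actually produces. Constructed sample.
BASELINES = {
    "MSFT-Server-Baseline": {4688, 4624, 4720, 4698},
    "Custom-GPO-Minimal": {4624},
}

def technique_index():
    """Inverse map: technique -> Event IDs that can detect it."""
    index = defaultdict(set)
    for event_id, (_, techniques) in EVENT_CATALOG.items():
        for technique in techniques:
            index[technique].add(event_id)
    return dict(index)

def covered_techniques(baseline):
    """Techniques detectable with the events a baseline/GPO enables."""
    return set().union(*(EVENT_CATALOG[e][1] for e in BASELINES[baseline] if e in EVENT_CATALOG))

def events_for_techniques(techniques):
    """Smallest event set needed for the chosen techniques, plus techniques with no mapping."""
    index = technique_index()
    unmapped = {t for t in techniques if t not in index}
    needed = set().union(*(index[t] for t in techniques if t in index))
    return needed, unmapped

def coverage_gap(baseline, techniques):
    """Events a baseline must add before the chosen techniques become detectable."""
    needed, unmapped = events_for_techniques(techniques)
    return needed - BASELINES[baseline], unmapped

def forwarder_queries(event_ids):
    """Per-channel XPath filters for a WEF subscription, so only the needed events are forwarded."""
    per_channel = defaultdict(list)
    for event_id in sorted(event_ids):
        per_channel[EVENT_CATALOG[event_id][0]].append(f"EventID={event_id}")
    return {ch: f"*[System[({' or '.join(clauses)})]]" for ch, clauses in per_channel.items()}
```

The same index serves both directions: a baseline is scored by the techniques its events evidence, and a technique wish-list is turned into the events to enable and forward, with unmapped techniques reported rather than silently dropped.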