Blog

Announcing the Gravwell Sysmon Kit

Mar 10, 2021 8:22:53 AM / by Kris Watts posted in EventLog, Windows, Security, kits, Sysmon, DNS

We are pleased to announce the immediate availability of the Gravwell Sysmon kit.  This kit is designed to get you started quickly with Sysmon data and demonstrate the art of the possible.  This post will cover the basic contents of the kit and then we will perform a quick investigation of a process that probably shouldn't be running on a corporate machine.

Read More

What's in a Sysmon Event Pt. 2 - Network Connections

Oct 9, 2020 9:00:50 AM / by Corey Thuen posted in Windows, Sysmon

We're building a Gravwell Kit for Sysmon! This blog series examines some of the event types that Sysmon generates to see what data they contain, opportunities for enhancing security, and example queries with Gravwell. Part 1 covered the Process Creation event type. In part 2 we jump into: Network Connection events!

Read More

What's in a Sysmon Event Pt. 1 - Process creation

Sep 3, 2020 1:09:02 PM / by Corey Thuen posted in Windows, Sysmon

I'm building a Gravwell Kit for Sysmon! This blog series follows the development of that kit for the awesome (free) sensor for Windows EDR, Sysmon. In this series we'll look at each event type that Sysmon generates to see what data it contains, opportunities for enhancing security, and example queries with Gravwell.

Read More

Windows DNS threat hunting with Sysmon and Gravwell

Jun 20, 2019 8:38:00 AM / by Corey Thuen posted in Data Fusion, Microsoft, Windows, Logging, Security, Community Edition, Sysmon

This month has been a big deal for IT logging of windows endpoints. Sysmon v10 was released last Tuesday and it includes the major changes of DNS logging and OriginalFileName reporting for Windows events. If you've ever tried to set up Windows DNS logging before, you understand how awesome this is. This post is all about the new functionality and how to make use of it in Gravwell.

Read More