Improving your detection with Sysmon, Sigma & ELK

Before Starting

Benefits of SIGMA

Sysmon primer

Logz.io (hosted ELK to make life easy)

Logz.io homepage
Instructions to install Sysmon logging to Logz.io

Generating data to write rules from

# Download and run the Invoke-AtomicRedTeam installer, then pull the atomics folder (the test definitions) as well
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Writing the rules

# Invoke-AtomicTest takes an ATT&CK technique ID (for example T1059.001), not a tactic;
# -ShowDetailsBrief lists the tests for that technique without executing them
Invoke-AtomicTest <TechniqueID> -ShowDetailsBrief
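The loop the section describes is: run an atomic, look at the Sysmon Event ID 1 (process creation) records it produces in ELK, and write a Sigma rule whose selection matches them. The following is an added example written for this page, not code from the original post, and not a rule from the SigmaHQ repository: it holds an illustrative Sigma rule as a Python dict with the same shape as the YAML it would be saved as, and evaluates it against constructed Sysmon records so you can see how the selection, a filter and the condition resolve. In a real pipeline you would convert the YAML with the Sigma tooling into an Elasticsearch or Kibana query instead of evaluating it in Python. Assumptions: the flattened Sysmon field names (Image, CommandLine, User, EventID), the process_creation to Event ID 1 mapping, and the `svc_atomic` lab account in the filter are all assumptions of this example.

```python
"""Evaluate a Sigma-style process_creation rule over constructed Sysmon Event ID 1 records."""
from typing import Iterable

# Illustrative Sigma rule written for this example (not from the page or the SigmaHQ repo),
# held as a dict with the same shape as the YAML it would be saved as.
RULE = {
    "title": "Atomic Red Team test launched from PowerShell",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": "Invoke-AtomicTest",
        },
        # Hypothetical lab service account whose scheduled atomic runs should not alert.
        "filter_lab": {"User|endswith": "\\svc_atomic"},
        "condition": "selection and not filter_lab",
    },
    "level": "high",
}

# Sigma category -> Sysmon event ID, the mapping a Sysmon backend applies (assumed here).
CATEGORY_TO_SYSMON_ID = {"process_creation": 1, "network_connection": 3}


def _value_matches(actual: str, expected: str, modifier: str) -> bool:
    """Apply one Sigma value modifier; Sigma string matching is case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def _search_matches(search: dict, event: dict) -> bool:
    """A search identifier matches when every field entry matches (AND); a list of
    values matches when any one value does (OR), or all of them with the |all modifier."""
    for key, expected in search.items():
        field, *mods = key.split("|")
        require_all = "all" in mods
        modifier = next((m for m in mods if m != "all"), "")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        hits = [_value_matches(str(actual), str(v), modifier) for v in values]
        if not (all(hits) if require_all else any(hits)):
            return False
    return True


def _condition_holds(detection: dict, event: dict) -> bool:
    """Evaluate conditions of the form 'a and b and not c' (the subset this example needs)."""
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = _search_matches(detection[name], event)
        if hit == negate:  # a required search missed, or an excluded search fired
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Apply the logsource (Sysmon event ID) gate first, then the detection block."""
    wanted_id = CATEGORY_TO_SYSMON_ID[rule["logsource"]["category"]]
    if event.get("EventID") != wanted_id:
        return False
    return _condition_holds(rule["detection"], event)


def matching_command_lines(rule: dict, events: Iterable[dict]) -> list[str]:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(rule, e)]


# Constructed Sysmon records (field names as Sysmon emits them, flattened as a shipper would).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Invoke-AtomicTest T1059.001 -ShowDetailsBrief"',
     "User": "LAB\\analyst"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "LAB\\analyst"},
    {"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -Command Get-Process", "User": "LAB\\analyst"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Invoke-AtomicTest T1059.001", "User": "LAB\\svc_atomic"},
    # Network connection event: same image, but the logsource gate keeps it out of a process_creation rule.
    {"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "User": "LAB\\analyst"},
]

if __name__ == "__main__":
    for line in matching_command_lines(RULE, SAMPLE_EVENTS):
        print("ALERT:", RULE["title"], "->", line)
```

Only the first record fires: the cmd.exe and Get-Process records miss the selection, the `svc_atomic` record is removed by the filter, and the Event ID 3 record never reaches the detection block because the logsource category maps to Event ID 1. The same rule, once converted, becomes the Kibana query you test against the data the atomic generated.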

Twitter: @mikecybersec