Configure Endpoint Threat Detection feature for Microsoft Windows
To identify a targeted attack within your Microsoft platforms, you need visibility into possible indicators of compromise (IoC), which means collecting qualified information from the endpoints, where most targeted attacks are concentrated. SGBox responds to this need by collecting and integrating specific information generated by Microsoft operating systems.
- SGBox version 4.2.4 with the LM and LCE modules.
- SGBox Agent for Windows.
- Microsoft System Monitor (Sysmon) v.10.4.x (installed as a service); last version available here.
- Sysmon-modular Sysmon configuration file by Olaf Hartong (mapped to the MITRE ATT&CK framework), available here.
Remember that for the suggested configuration file to work, you need Sysmon version 10.4 or above.
After Sysmon is installed on the endpoints, its data is collected by the log management platform into a dedicated class and interpreted through patterns that recognize the event categories produced by the Sysmon device driver. The data collected by the service significantly extends Windows auditing, providing detailed information about processes and also about network traffic (such as DNS queries issued by an application).
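As an added illustration of the parsing step described above (this is example code, not part of the SGBox product or of Olaf Hartong's sysmon-modular), the following Python reads Sysmon events in the XML form exported from the Windows event log, maps the Sysmon Event ID to its event category (process creation, DNS query, and so on), and extracts the MITRE ATT&CK technique that sysmon-modular writes into the RuleName field. The two events are constructed samples, not real captures; the hostname, user and paths are placeholders.

```python
"""Parse Sysmon events (Windows event XML) and map them to event categories.

Added example; the sample XML is constructed for illustration. Field names
follow Sysmon's documented event schema.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon Event ID -> event category (a subset of the documented event types).
# Event ID 22 (DNS query) only exists in Sysmon 10.0 and later, which is why
# the configuration file above requires a recent Sysmon version.
SYSMON_CATEGORIES = {
    1: "ProcessCreate",
    3: "NetworkConnect",
    5: "ProcessTerminate",
    7: "ImageLoad",
    8: "CreateRemoteThread",
    10: "ProcessAccess",
    11: "FileCreate",
    12: "RegistryEvent",
    13: "RegistryEvent",
    22: "DNSQuery",
}

# Constructed sample events: a process creation (ID 1) tagged by a
# sysmon-modular rule, and a DNS query (ID 22) that matched no named rule.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">technique_id=T1059.003,technique_name=Windows Command Shell</Data>
    <Data Name="UtcTime">2024-01-15 10:22:31.117</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>22</EventID>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-15 10:22:32.004</Data>
    <Data Name="QueryName">updates.example.net</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>""",
]


def parse_rule_name(rule_name):
    """sysmon-modular annotates matching rules with a RuleName such as
    'technique_id=T1059.003,technique_name=Windows Command Shell'.
    Return those key/value pairs; an unannotated rule ('-') yields {}."""
    fields = {}
    for part in rule_name.split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_sysmon_event(xml_text):
    """Turn one Sysmon event XML document into a flat record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    provider = system.find("e:Provider", EVENT_NS).get("Name")
    if provider != "Microsoft-Windows-Sysmon":
        raise ValueError(f"not a Sysmon event: provider {provider!r}")
    event_id = int(system.findtext("e:EventID", namespaces=EVENT_NS))
    # EventData is a list of <Data Name="..."> elements; index them by name.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", EVENT_NS)}
    return {
        "event_id": event_id,
        "category": SYSMON_CATEGORIES.get(event_id, "Unknown"),
        "computer": system.findtext("e:Computer", namespaces=EVENT_NS),
        "utc_time": data.get("UtcTime"),
        "image": data.get("Image"),
        "attack": parse_rule_name(data.get("RuleName", "")),
        "data": data,
    }


def categorize(events_xml):
    """Parse a batch of events and count how many fall in each category."""
    parsed = [parse_sysmon_event(x) for x in events_xml]
    counts = {}
    for ev in parsed:
        counts[ev["category"]] = counts.get(ev["category"], 0) + 1
    return parsed, counts


if __name__ == "__main__":
    records, totals = categorize(SAMPLE_EVENTS)
    for ev in records:
        print(ev["utc_time"], ev["category"], ev["image"],
              ev["attack"].get("technique_id", "-"))
    print(totals)
```

The category map is the piece a log management platform keys its patterns on; the RuleName parsing is what lets the ATT&CK technique travel with the event into the platform, so an analyst sees the Office-spawned command shell above already tagged as T1059.003 rather than as a bare process-creation record.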
Further information is available on request. Please contact support for the ETD package.