Webcast: Windows logging, Sysmon, and ELK

Click on the timecodes to jump to that part of the video (on YouTube)

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_WindowsLogginSysmonELK.pdf

4:36 Problem Statement and Executive Problem Statement
9:00 Short Sysmon review, introduction to ELK, what programs make up ELK, data type and its affect on elasticsearch, answering viewer questions
20:51 Touching on different types of logs, how logstash deals with and imports logs into elasticsearch, Kibana and its uses, notes on how to best use these programs
27:12 Demonstration of HELK
48:34 Touching base on Sigma, future plans for ELK, Q&A and closing thoughts

This webcast was originally recorded live on August 26th, 2019 with John Strand.

In this webcast, we cover how to get Windows events out of Windows into something more useful.

And yes, there will be more griping about how bad Windows logging is. After our great sigh of disappointment, we will move on to how awesome Sysmon is.

Then, we discuss how to get Sysmon into your ELK stack.

We cover HELK (which is pretty awesome) and Winlogbeat. Which, for the record, is cool but possibly the worst named security tool of all time. I mean, it is like a reallllly bad rap name or something.