Security Monitoring MP AppLocker Rules

I’ll be honest in that these are included because they are easy to do, but in reality, they do not provide much in terms of protection. Traditional anti-virus works to detect many of these tools, and while an attacker can corrupt AV pretty easily, it’s also just as easy to recompile these tools so…

Security Monitoring Management Pack Summary

I’m rewriting the main page for the Security Monitoring MP to be a bit less cluttered. I will be using this space to document this management pack with a simple link off from there. I’ll also use this space to document the change log. As a reminder, this is more than just an import and…

Post Configuration Tasks for the Security Monitoring Management Pack

As I have mentioned in the initial posts, using the security monitoring management pack is going to require certain practices and procedures to be in place. Simply importing the management pack will not give you a picture of everything that it is designed to monitor. Ultimately, this management pack serves two purposes. The first is…

Potential Areas for Noise in the Security Monitoring Management Pack

I stated that a main purpose of this management pack is to keep noise volume to a minimum. As such, the bulk of the rules in place that will catch normal business activity are disabled. That said, testing has revealed some alerts that will generate in certain circumstances. For various reasons, it was decided to…

Event Forwarding and How to Configure it For the Security Monitoring Management Pack

One of the features that was built into the Security Monitoring Management Pack was the ability to discover and then monitor the contents of the Forwarded Events logs for suspicious activity. The reality for most external attacks is that the breach usually occurs at the user tier through some sort of phishing attack. Attackers…

Security Monitoring Management Pack GPO Summary

If you’ve been reading my blog, you’ll note that in order to use SCOM for security monitoring, you’ll need to ensure that certain AD auditing policies are configured. I’m using this page as a landing page to the GPO requirements for this security monitoring MP, as some of this is not turned on by…

Introducing the Security Monitoring Management Pack for SCOM

For those of you who haven’t met me or visited my blog, I’ve worked in SCOM now for the better part of 5 years. I’ve also done a lot of work in IT Security. About a year and a half ago, I was able to attend a training class about the anatomy of a…

Using SCOM to Capture Suspicious Process Creation Events

I recently had the privilege of chatting with Greg Cottingham on the Azure Security Center Analyst Team about process creation events and how to use them to detect anomalous events that need to be investigated. It was a very interesting discussion and I was given a few real world examples of how the bad guys…

Windows Event Collector Discovery Management Pack

This is a management pack I wrote for the SCOM security MP. If you have Windows Event Collectors set up in your network, this will discover them and populate a class for you to monitor them. It is worth noting that it discovers the running service. That service is disabled by default, so I’m assuming if…
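The two posts above (Event Forwarding and the Windows Event Collector Discovery MP) both hinge on the same two facts: a collector is identified by the Windows Event Collector service (Wecsvc) actually running, and once it runs, the interesting data lands in the ForwardedEvents log. The following PowerShell is an added example written for this page, not code from the management pack itself; it mirrors that discovery logic on a single host so you can check a suspected collector by hand before trusting what SCOM reports. It assumes it is run locally and elevated; the function name Test-WecCollector and the 24-hour window are my own choices.

```powershell
# Added example, not part of the Security Monitoring MP.
# Checks whether this host is a working Windows Event Collector the same
# way the discovery does (is Wecsvc running?), then lists the active
# subscriptions and summarises what the ForwardedEvents log has received.
function Test-WecCollector {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: how far back to look in ForwardedEvents.
        [int]$LookbackHours = 24
    )

    # Wecsvc is disabled by default on Windows; if it is not running,
    # nothing is forwarded here and the MP will not discover this host.
    $svc = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ IsCollector = $false; Reason = 'Wecsvc not installed' }
    }
    if ($svc.Status -ne 'Running') {
        return [pscustomobject]@{
            IsCollector = $false
            Reason      = "Wecsvc is $($svc.Status) (StartType: $($svc.StartType))"
        }
    }

    # wecutil es (enum-subscription) prints one subscription name per line.
    $subscriptions = @(wecutil es 2>$null | Where-Object { $_ -ne '' })

    # Pull everything forwarded in the lookback window. -ErrorAction
    # SilentlyContinue matters: Get-WinEvent throws when the log is empty.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'ForwardedEvents'
            StartTime = $since
        } -ErrorAction SilentlyContinue)

    # 4688 (process creation) only shows up if Audit Process Creation is
    # enabled on the forwarding hosts, which is what the GPO page covers.
    $procCreate = @($events | Where-Object { $_.Id -eq 4688 })
    $sources    = @($events | Select-Object -ExpandProperty MachineName -Unique)

    [pscustomobject]@{
        IsCollector          = $true
        Subscriptions        = $subscriptions
        ForwardedEvents      = $events.Count
        ProcessCreateEvents  = $procCreate.Count
        ForwardingHosts      = $sources
        Window               = "last $LookbackHours h"
    }
}

Test-WecCollector | Format-List
```

A collector that reports IsCollector true, one or more subscriptions, but zero ForwardedEvents is the case worth chasing first: the service is fine, but either the source hosts are not pointed at it (the GPO for the subscription manager) or the source logs are not audited, so SCOM will discover the collector and then have nothing to alert on.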
