Using SCOM to Capture Suspicious Process Creation Events

I recently had the privilege of chatting with Greg Cottingham on the Azure Security Center Analyst Team about process creation events and how to use them to detect anomalous events that need to be investigated.  It was a very interesting discussion and I was given a few real world examples of how the bad guys…


Windows Event Collector Discovery Management Pack

This is a management pack I wrote for the SCOM security MP.  If you have Windows Event Collectors set up in your network, this will discover them and populate a class for you to monitor them.  It is worth noting that it discovers the running service.  That service is disabled by default, so I’m assuming if…


Breaking apart the GPO Modification Process and Using SCOM to Detect GPO Changes – Part 1

A while back a colleague of mine introduced me to some work done by two other colleagues which involved using SCOM to alert against changes made to GPOs.  First, Jan Varšavský wrote the framework for SCOM 2007 which was later updated by Nathan Olmstead.  Andres Naranjo took this a step further writing a composite…
