Hidden Treasure: Intrusion Detection with ETW (Part 2)

In our last post, we discussed how Event Tracing for Windows (ETW) provides a wealth of knowledge in addition to what’s available from the Windows Security Event Log. While we can gain increased insight into Windows activity, ETW was originally meant as a high-volume debug trace. Without some mechanism for filtering or reducing event volume,…


Hidden Treasure: Intrusion Detection with ETW (Part 1)

Today’s defenders face an increasing obstacle with information asymmetry. With the advent of in-memory attacks and targeted malware, defenders cannot simply rely on the default event logs provided by Windows. Attackers may make use of process hollowing to hide their code within a seemingly benign process as well as routing their Command & Control traffic…


Using Office 365 activity data to improve your Cybersecurity stance and capability

Overview and Contents As an Office 365 customer and tenant administrator, you have access to a wide variety of user activity events logged from your Exchange Online, SharePoint Online and Azure Active Directory services. Office 365 provides detailed activity logs that can be acquired and analyzed to facilitate self-service forensic investigations to scope and remediate a…

4