What the log?! So many events, so little time…
2019-10-23, 14:00–14:45, Europe

Detecting adversaries is not always easy. Especially when it comes to correlating Windows Event Logs to real-world attack patterns and techniques.

Join me to find out how to match Windows Event Log IDs with the MITRE ATT&CK framework and methods to simplify the detection in your environment.

I will present my OpenSource EventList tool with which one is able to:
- Import either MSFT Baselines or custom GPOs
- Find out immediately which Events are being generated and what MITRE ATT&CK techniques are being covered by the selected Baseline/GPO
- Choose MITRE ATT&CK techniques and generate GPOs to generate the events needed for detection
- Generate Agent Forwarder Configs to only cover the events needed for the detection (avoid being "Log spammed")
- Generate Queries to detect the chosen MITRE ATT&CK techniques, regardless of the SIEM solution used