Here is the Library of Sysmon Videos on QRadar that are up on YouTube:
Sysmon Introduction (Aug 7, 2017)
Sysmon Introduction
Sysmon PowerShell Use Case 1 (Aug 7, 2017)
Sysmon: PowerShell Use Case 1
Sysmon PowerShell Use Case 2 (Aug 7, 2017)
Sysmon: PowerShell Use Case 2
Sysmon PowerShell Use Case 3 (Aug 7, 2017)
Sysmon: PowerShell Use Case 3 Obfuscation
Sysmon Use Case 4 Bogus Windows Process (Aug 15, 2017)
Sysmon Use Case 4 Bogus Windows Processes
Sysmon Use Case 5 Nasty Injection & Encoded Attacks (Aug 15, 2017)
Sysmon Use Case 5 Nasty Injection & Encoded Attacks
Sysmon Use Case 6 Detecting other Libraries (Aug 15, 2017)
Sysmon Use Case 6 - Detecting Other Libraries
Sysmon Use Case 7 Privilege Escalation (Aug 21, 2017)
QRadar Privilege Escalation Detection Use Case 7
Sysmon Use Case 8 Privilege Escalation Cont. (Aug 21, 2017)
QRadar Privilege Escalation Continued Use Case 8
Sysmon Use Case 9 More Privilege Escalation Detection (Aug 28)
Sysmon Use Case 9 - More Privilege Escalation Detection
Sysmon Use Case 10 Creating an Admin Account (Aug 28, 2017)
Sysmon Use Case 10 - Creating an Admin Account
Sysmon Use Case 11 Detecting Named Pipe Impersonation (Aug 31, 2017)
Sysmon Detecting Named Pipe Impersonation
Sysmon Use Case 12 Detecting Mimikatz (Aug 31, 2017)
Sysmon Detecting Mimikatz
Sysmon Lateral Movement Detection, Example One (Sept 27, 2017)
QRadar Lateral Movement Detection, Example One
Sysmon Lateral Movement Detection, Example Two (Oct 4, 2017)
QRadar Lateral Movement Detection Example Two
Sysmon Lateral Movement Detection, Example Three (Oct 10, 2017)
QRadar Lateral Movement Detection Example Three (Plain Windows Features)
Sysmon WinCollect Stand Alone Install & Config (Aug 7, 2017)
Sysmon: WinCollect Stand Alone Install & Config
Sysmon Install & Config (Aug 7, 2017)
Sysmon: Install & Config
Sysmon Rules and Funct. Install and Test (Aug 7, 2017)
Sysmon AQL Funct + Rules Install & Test
Sysmon Kali (Aug 7, 2017)
Sysmon and Kali's msfvenom
Sysmon Patching is not Enough (Aug 7, 2017)
Sysmon: Patching is not Enough
Sysmon Installation Notes (Aug 31, 2017)
Sysmon Installation Notes
Deploying Sysmon easily with BigFix (Sept 11, 2017)
Deploying Sysmon with BigFix
Sysmon Content Pack detecting BadRabbit (Oct 27, 2017)
Sysmon Detecting BadRabbit
Sysmon and Watson chasing BadRabbit (Nov 16, 2017)
https://youtu.be/ah8rmpfS6-k
------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------
Original Message:
Sent: Fri May 03, 2019 04:07 AM
From: Arturs Garmasovs
Subject: Sysmon process baselining best practice?
Hello,
What is the best practice for the Sysmon process baselining rules? When should I enable them, and for how long?
Looking to minimise false positives.
Process Baselining: Process Hash
Process Baselining: Process Name
Process Baselining: Process Name to Hash
Process Baselining: Process Name to Parent Process