Threat detection with Sysmon for Linux
Endpoint intrusion detection is hard (well, it's also difficult on the network, but we're talking about hosts in this post). To get actionable results, we need to minimize the noise, but we also need to be careful not to be fat-fingered with those ignore lists, because an overly broad exclusion can cost us some juicy findings. This is not a trivial task: in most environments we have heterogeneous systems running diverse workloads, which means there's no one-size-fits-all ruleset that you can just load up and call it a day.