Season 2 Episode 1: Resources

14 Jul 2021

Great to see so many of you on the sessions today - thanks for tuning in and getting stuck into the interactive side. It's really good knowing we have so many keen threat hunters out there!

Here's a collection of resources from Ashek - please do let us know if there's anything else you want to know.

OS hardening & GPO's: https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/eud-security-guidance-windows-10-1809
Extra logging: https://community.sophos.com/kb/en-us/133907

Add "Other Object Access Events" & "Logon" as to your changes as well
A good starting Sysmon config: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
Common MITRE ATT&CK TTP's and Result enrichment queries used:

https://community.sophos.com/intercept-x-endpoint/i/xdr/hunting-in-the-data-lake-then-pivoting-to-the-device-for-details

https://community.sophos.com/intercept-x-endpoint/i/att-ck/live-discover-mitre-att-ck-classification-and-hunting

Look forward to seeing you all tomorrow for session 2!

Kris Wayman over 2 years ago in reply to Roberto Casanova

Hey Roberto,

Thanks for coming back for Season 2! There are plans afoot to gather telemetry from non-Sophos sources, as well as some interesting new ways to pull out indicators from encrypted traffic without cracking it open. Specifically gathering info from the Nexus Switches is not a direct integration I know of at this point, but the goal is to gather the richer network telemetry, and that is absolutely something to get excited in the coming months.

Have a look at this release about our acquisition of Braintrace for more info on timing and strategy- https://www.sophos.com/en-us/press-office/press-releases/2021/07/sophos-acquires-braintrace-to-boost-adaptive-cybersecurity.aspx
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Roberto Casanova over 2 years ago

Hi Nick and Chris. I was able to do Season 1 live, but have had to do Season 2 on demand, and just now able to get to it. What I'd like to know is if XDR will ever be able to get data from non-Sophos network devices, such as Cisco Nexus switches, maybe via Syslog?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Nick Fisher over 2 years ago in reply to R R

Thanks for letting us know about this - we've updated the video on the OnDemand page
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
R R over 2 years ago in reply to Nick Fisher

Hi Nick,

On playing back the session2 video1 you can hear you and Ben talking over Ashek.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Nick Fisher over 2 years ago in reply to Salim Alaeddine

Hi Salim,

We'll have all of the session recordings available later this week - I'll post a link in this forum when they're available for you to access and review.

Nick
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel