Posts tagged #sysmon

A practitioner's order of operations for triaging Windows Event Logs during incident response — which channels matter, which event IDs lie to you, and where Sysmon does the heavy lifting.
An opinionated take on Sysmon: which event IDs actually matter in IR, why olafhartong/sysmon-modular is the right baseline, and the configuration mistakes that blind you to real attacks.