Monitoring Corporate Software Policies using Wazuh EDR and Sysmon.


M1038 Using Microsoft AppLocker

M1038 Using commercial Endpoint Protection Software.

M1038 Using Sysmon.

Sysmon Event ID 1 — Process Creation
Process / App Info: Vendor, Product, Version, etc.
Agent Inventory — Installed Software by software vendor.
Alerts on processes not included in trusted list



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).