Honey File Monitoring

Basically, honey detection strategies and their actual implementations depend on what you are trying to detect, your assumptions, and the risk your organization can accept. I have seen many organizations refuse to consider any kind of honeypot, including virtual honeypots, because they think the risk is too high. So, what is attractive to an attacker and also beneficial to us as defenders?

Splunk garbled characters after importing EventLog evtx using an incorrect sourcetype

Import EventLog into Splunk

As Splunk also uses the native Windows API to process the exported evtx file, you must use a Windows machine with Splunk installed (either a Universal Forwarder or any full Splunk instance, including an all-in-one Splunk instance or a heavy forwarder) to process the evtx file. In other words, the inputs.conf must be deployed or defined on a Windows machine in order to successfully import EventLog/Sysmon event logs into Splunk. You will need to use the sourcetype preprocess-winevt. If you do not define it explicitly, Splunk will display garbled characters after importing the EventLog evtx file. You can find the working version of inputs.conf below
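As an added illustration (not the author's inputs.conf, which is not reproduced here), the following shows a monitor stanza that reproduces the garbled-output failure beside the corrected one; the directory paths and the index name are assumptions.

```ini
# Added example, not the original post's inputs.conf.
# Must be deployed on the Windows host that runs Splunk or the Universal Forwarder,
# because only there can Splunk call the Windows Event Log API to decode .evtx.
# Paths and the index name are assumptions; the two stanzas watch different
# directories so they can sit in one file without merging.

# Weak setting: no sourcetype. Splunk treats the binary .evtx as a plain text
# file, so the indexed events render as garbled characters.
[monitor://C:\ExportedLogs\unparsed\*.evtx]
disabled = 0
index = winevt_import

# Corrected setting: preprocess-winevt makes Splunk parse the .evtx through
# the native Windows Event Log API before indexing, so events arrive readable.
[monitor://C:\ExportedLogs\*.evtx]
sourcetype = preprocess-winevt
disabled = 0
index = winevt_import
```

After reloading the input, a search against the index should return structured Windows events rather than raw binary; if it still shows garbage, confirm the stanza was applied on the Windows host and not on a Linux indexer.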