• Endpoint Security Events.
    NIST CSF DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
• Event Severity and Alerting.
    NIST CSF DE.AE-5: Incident alert thresholds are established.

SOCFortress Data Cycle: From log data to alerts and threat intel

Detection Capabilities: Detection Rules and Event Processors.

EDR: Dashboards, alerts and event summaries.

Each dashboard is composed of summaries and aggregated data for a quick overview of relevant events and detection rules.

EDR: Network Connections.

All relevant network activity from the end-point is collected and processed.

Connections to public IPv4 addresses are checked against security feeds.

Connection telemetry includes processes opening new sockets and user accounts under which the process is executed.

EDR: DNS Telemetry.

DNS telemetry is oftentimes overlooked in threat hunting.

Most IP communications start with a DNS resolution request.

SOCFortress analyzes DNS telemetry and resolved hostnames are checked against security feeds.
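The two capabilities above (network connections to public IPv4 addresses, and DNS queries and their resolved addresses, both checked against security feeds and attributed to the process image and user account) can be illustrated with one small event processor. This is an added example, not SOCFortress code: the event layout is loosely modelled on Sysmon event ID 3 (network connection) and event ID 22 (DNS query), and the feed contents, process paths and user names are constructed.

```python
"""Added example (not SOCFortress code): enrich endpoint network-connection and
DNS telemetry against a threat feed, carrying the process image and user
account through to the alert. Event shape, feed contents and indicator values
are constructed for illustration."""
import ipaddress
from typing import Dict, List

# Constructed feed: indicator -> feed name. The IP is from the RFC 5737
# documentation range and the domain is a reserved example name, so neither
# is a real indicator of compromise.
FEED: Dict[str, str] = {
    "203.0.113.45": "example-feed:c2-ips",
    "bad.example.net": "example-feed:domains",
}

# Ranges that are never sent to a feed lookup: RFC 1918, loopback, link-local,
# CGNAT, multicast, reserved. RFC 5737 documentation ranges are deliberately
# NOT excluded so the constructed sample below counts as public traffic
# (ipaddress's is_global would filter them out).
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed telemetry, loosely modelled on Sysmon event ID 3 (network
# connection) and event ID 22 (DNS query).
EVENTS: List[dict] = [
    {"type": "network", "image": r"C:\Program Files\App\app.exe",
     "user": r"CORP\alice", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "user": r"CORP\alice", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM", "dst_ip": "198.51.100.7", "dst_port": 80},
    {"type": "dns", "image": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "user": r"CORP\alice", "query": "BAD.example.net.",
     "answers": ["203.0.113.45"]},
    {"type": "dns", "image": r"C:\Program Files\App\app.exe",
     "user": r"CORP\alice", "query": "updates.example.com",
     "answers": ["192.0.2.10"]},
]


def is_public_ipv4(value: str) -> bool:
    """True only for IPv4 addresses outside the non-public ranges above."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return not any(addr in net for net in NON_PUBLIC_V4)


def normalize_host(name: str) -> str:
    """Lower-case and drop the trailing dot so 'BAD.example.net.' matches."""
    return name.lower().rstrip(".")


def process_events(events: List[dict], feed: Dict[str, str] = FEED) -> List[dict]:
    """Return one alert per feed hit; each alert keeps process image and user."""
    alerts = []
    for ev in events:
        indicators: List[str] = []
        if ev["type"] == "network":
            if is_public_ipv4(ev["dst_ip"]):
                indicators.append(ev["dst_ip"])
        elif ev["type"] == "dns":
            # Check the queried name and every resolved public address.
            indicators.append(normalize_host(ev["query"]))
            indicators.extend(ip for ip in ev.get("answers", []) if is_public_ipv4(ip))
        for ind in indicators:
            if ind in feed:
                alerts.append({"indicator": ind, "feed": feed[ind],
                               "event_type": ev["type"],
                               "image": ev["image"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in process_events(EVENTS):
        print(alert)
```

Filtering out non-public ranges before the lookup keeps internal traffic out of the feed pipeline; checking both the DNS query name and its answers catches the case where the connection that follows goes to an address the feed lists even when the name itself is not.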

EDR: System Processes Telemetry

Process started/terminated event collection.

Process tree analysis and process spawns.

Process execution by software vendor and product name.

All process images (by file hash) are run against security feeds.

DLL Side Loading

DLL side loading is one of the most common techniques used in malware attacks.

SOCFortress provides full DLL side loading visibility.

All loaded DLLs are checked for a valid file signature and the signing software vendor.

All DLL file hashes are run through security feeds.
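The checks just listed (signature validity, signing vendor, and hash feed lookup) are shown below as an added example over DLL-load records; this is not SOCFortress code. Field names follow Sysmon event ID 7 (ImageLoad); the records, the expected-vendor map for well-known DLL names, the system-directory list and the feed hash are all constructed assumptions.

```python
"""Added example (not SOCFortress code): evaluate DLL-load telemetry for
side-loading indicators: signature validity, the vendor expected to sign a
well-known DLL name, a system DLL name loaded from outside the system
directories, and a file-hash feed lookup. Field names follow Sysmon event
ID 7; records, vendor map and feed entries are constructed."""
import ntpath
from typing import Dict, List, Tuple

# Constructed: directories from which system DLL names are expected to load.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed: well-known DLL names and the vendor expected to sign them.
EXPECTED_VENDOR: Dict[str, str] = {
    "version.dll": "Microsoft Windows",
    "dbghelp.dll": "Microsoft Windows",
}

# Constructed hash feed; the value is a placeholder, not a real IoC.
HASH_FEED: Dict[str, str] = {"1" * 64: "example-feed:dll-hashes"}

# Constructed records in the shape of Sysmon event ID 7.
EVENTS: List[dict] = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Hashes": "SHA256=" + "a" * 64 + ",MD5=" + "a" * 32,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Hashes": "SHA256=" + "b" * 64,
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\helper.dll",
     "Hashes": "SHA256=" + "1" * 64,
     "Signed": "true", "Signature": "Example Vendor Inc", "SignatureStatus": "Valid"},
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon's Hashes field is 'SHA256=...,MD5=...'; return {ALGO: hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, _, value = part.partition("=")
            out[algo.strip().upper()] = value.strip().lower()
    return out


def evaluate_dll_load(ev: dict, vendor_map: Dict[str, str] = EXPECTED_VENDOR,
                      feed: Dict[str, str] = HASH_FEED) -> List[str]:
    """Return the list of reasons a DLL load is suspicious (empty if clean)."""
    reasons: List[str] = []
    loaded = ev["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    directory = ntpath.dirname(loaded).lower()

    # 1. Signature present and validated by the OS.
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")

    # 2. Well-known DLL name signed by someone other than the expected vendor.
    expected = vendor_map.get(name)
    if expected and ev.get("Signature") != expected:
        reasons.append(f"signer {ev.get('Signature')!r} != expected {expected!r}")

    # 3. Well-known system DLL name loaded from an application or user path.
    if expected and directory not in SYSTEM_DIRS:
        reasons.append(f"system DLL name loaded from {directory}")

    # 4. File hash known to a feed.
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha256 in feed:
        reasons.append(f"hash matched {feed[sha256]}")
    return reasons


def scan(events: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """(process image, loaded DLL, reasons) for every load with findings."""
    findings = []
    for ev in events:
        reasons = evaluate_dll_load(ev)
        if reasons:
            findings.append((ev["Image"], ev["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for image, dll, reasons in scan(EVENTS):
        print(image, "->", dll, reasons)
```

The hash lookup alone would miss the second record (its hash is not in the feed); the signature and path checks are what surface a copy of a system DLL name sitting next to an unsigned executable in a user-writable directory.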

Advanced Malware Detection

Advanced malware scan using Yara.

Beyond file-hash matching, Yara inspects file contents and finds malicious code patterns.

Yara rules are regularly updated.

Windows Event Logs

Windows Event Logs (System, Application, Security).

Software Policies

Track processes and applications not part of the approved software policy.

Windows Group Policy Changes

Monitor Windows Group Policy changes.

File Integrity Monitoring

Monitor files created/modified/deleted.

Monitor Windows Registry Keys activity.

File activity per system process and user account.
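A minimal form of the file-integrity monitoring described above, as an added example that is not SOCFortress code: two SHA-256 snapshots of a directory tree are compared to classify each change as created, modified or deleted. The sample files are constructed in a temporary directory; registry-key monitoring and per-process or per-user attribution need an OS event source and are not covered by this stand-alone snippet.

```python
"""Added example (not SOCFortress code): file-integrity baseline and diff.
Snapshot a directory tree as {relative path: SHA-256}, then compare two
snapshots to classify created, modified and deleted files. The demo builds
its own constructed files in a temporary directory."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file in 64 KiB chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify changes between two snapshots."""
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one file edited, one removed, one dropped."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "conf/app.ini", "debug=0\n")
        _write(root, "readme.txt", "hello\n")
        _write(root, "keep.txt", "unchanged\n")
        before = snapshot(root)

        _write(root, "conf/app.ini", "debug=1\n")           # modified
        os.remove(os.path.join(root, "readme.txt"))          # deleted
        _write(root, "dropped.bin", "new content\n")         # created
        after = snapshot(root)
        return diff(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In production the baseline is taken once on a known-good system and stored outside the monitored host; a change to a file that the baseline covers is the alert, and the process and account responsible come from the endpoint's file-activity telemetry rather than from the hash comparison itself.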

Process Injection

Process Injection is a common technique used in malware.

Monitor process activity, including processes accessing another process's memory space and the level of access granted.
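The "level of access granted" is a bitmask of Windows PROCESS_* rights, and decoding it is what separates a harmless status query from a handle that can write memory and start a thread in the target. The block below is an added example, not SOCFortress code: field names follow Sysmon event ID 10 (ProcessAccess), the rights values are the documented Windows constants, and the severity thresholds and sample events are constructed assumptions.

```python
"""Added example (not SOCFortress code): decode and triage the GrantedAccess
mask from process-access telemetry. Field names follow Sysmon event ID 10;
the PROCESS_* values are the documented Windows access rights; the severity
policy and the sample events are constructed."""
from typing import Dict, List

PROCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Constructed policy: write + allocate/protect + create thread together is the
# combination needed to place and run code in another process; any one of the
# write-capable rights on its own is worth a look but not an alert by itself.
INJECTION_TRIAD = 0x0002 | 0x0008 | 0x0020
WRITE_CAPABLE = INJECTION_TRIAD | 0x0800

# Constructed records in the shape of Sysmon event ID 10.
EVENTS: List[dict] = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Users\alice\AppData\Local\Temp\x.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Program Files\Example\dbgtool.exe",
     "TargetImage": r"C:\Program Files\Example\app.exe", "GrantedAccess": "0x28"},
]


def parse_mask(value: str) -> int:
    """Sysmon writes the mask as a hex string such as '0x1FFFFF'."""
    return int(value, 16)


def decode_access(mask: int) -> List[str]:
    """Names of every PROCESS_* right set in the mask."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def classify(mask: int) -> str:
    """Constructed severity policy over the rights in the mask."""
    if mask & INJECTION_TRIAD == INJECTION_TRIAD:
        return "high"
    if mask & WRITE_CAPABLE:
        return "medium"
    return "low"


def triage(events: List[dict]) -> List[dict]:
    """One result per cross-process access; self-access is dropped as noise."""
    results = []
    for ev in events:
        if ev["SourceImage"].lower() == ev["TargetImage"].lower():
            continue
        mask = parse_mask(ev["GrantedAccess"])
        results.append({
            "source": ev["SourceImage"], "target": ev["TargetImage"],
            "mask": mask, "rights": decode_access(mask),
            "severity": classify(mask),
        })
    return results


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(r["severity"], r["source"], "->", r["target"], r["rights"])
```

Tuning in practice is about the source/target pair as much as the mask: security tooling and debuggers legitimately open high-access handles, so an allowlist keyed on the signed source image, combined with the rights decoded here, is what keeps the high-severity bucket actionable.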