WinLogsZero2Hero talk links and scripts

This repo is code used from our talks at Derbycon 7, BSides Detroit 2017, and Bloomcon 0x2.

The 3 live presentations are here:

This script has configurations/examples for:

Deployming Sysmon where it will check version and upgrade if new or install if non-existent or restart/start if stopped/disabled/not-running.
Cuckoo Sandbox Windows Event collections
Logstash enrichment examples for PowerShell
ETW (Event Tracing for Windows) implementation for WMI and consumption via WEF
DNS Debug Log consumption via WEF
Example of collecting ARP table continously via WEF

Name		Name	Last commit message	Last commit date
Latest commit History 27 Commits
0001-logstash-input-syslog.conf		0001-logstash-input-syslog.conf
0099-logstash-copy-original-message.conf		0099-logstash-copy-original-message.conf
0420-logstash-windows-wef.conf		0420-logstash-windows-wef.conf
0511-logstash-powershell.conf		0511-logstash-powershell.conf
9998-logstash-parse-failures.conf		9998-logstash-parse-failures.conf
9999-logstash-output.conf		9999-logstash-output.conf
ARP Table to Event		ARP Table to Event
ETW Tracing Consumption Example		ETW Tracing Consumption Example
README.md		README.md
WMI Events To Windows Events		WMI Events To Windows Events
add-cuckoo-id-to-winlogs.txt		add-cuckoo-id-to-winlogs.txt
dns-debug-log-gpo-steps.txt		dns-debug-log-gpo-steps.txt
enable-wmi-tracing-via-gpo.txt		enable-wmi-tracing-via-gpo.txt
install-and-or-upgrade-sysmon-and-config.ps1		install-and-or-upgrade-sysmon-and-config.ps1
nxlog.conf		nxlog.conf

Provide feedback