This morning I installed and configured Snare on my AWS EC2 Windows 2012 Server to ship logs to my SplunkStorm project.
Below is a basic query for charting the top processes that have started on the system:
EventID 4688 — A new process has been created.
Here is a modified version of the query for processes that have terminated:
EventID 4689 — A process has exited.
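The two Splunk queries referred to above are not reproduced on this page, so here is an added example (not the author's query and not Snare or Splunk code) that performs the same analytic offline: it parses Windows Security events, picks out the process name from 4688 and 4689 messages, and ranks the most frequent processes for each EventID. The sample lines are constructed for this example in a simplified tab-separated host/EventID/message layout, not the exact field order the Snare agent emits, and `PROCESS_LABEL`, `parse_events`, `process_name` and `top_processes` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample events (not real Snare agent output): a simplified
# tab-separated layout of host, EventID and message text, enough to show
# how the 4688/4689 message fields are extracted and counted.
SAMPLE_EVENTS = """\
WIN2012\t4688\tA new process has been created. New Process Name: C:\\Windows\\System32\\svchost.exe
WIN2012\t4688\tA new process has been created. New Process Name: C:\\Windows\\System32\\cmd.exe
WIN2012\t4688\tA new process has been created. New Process Name: C:\\Windows\\System32\\svchost.exe
WIN2012\t4689\tA process has exited. Process Name: C:\\Windows\\System32\\cmd.exe
WIN2012\t4688\tA new process has been created. New Process Name: C:\\Windows\\System32\\svchost.exe
WIN2012\t4688\tA new process has been created. New Process Name: C:\\Windows\\System32\\cmd.exe
WIN2012\t4689\tA process has exited. Process Name: C:\\Windows\\System32\\svchost.exe
WIN2012\t4624\tAn account was successfully logged on.
"""

# Which message label carries the executable path for each event of interest.
PROCESS_LABEL = {4688: "New Process Name:", 4689: "Process Name:"}


def parse_events(text):
    """Split raw lines into (host, event_id, message) tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        events.append((parts[0], int(parts[1]), parts[2]))
    return events


def process_name(event_id, message):
    """Return the executable's base name from a 4688/4689 message, or None."""
    label = PROCESS_LABEL.get(event_id)
    if label is None:
        return None
    m = re.search(re.escape(label) + r"\s*(\S+)", message)
    return m.group(1).rsplit("\\", 1)[-1] if m else None


def top_processes(events, event_id, n=10):
    """Count process names for one EventID, most frequent first (the 'chart' data)."""
    counts = Counter()
    for _host, eid, msg in events:
        if eid != event_id:
            continue
        name = process_name(eid, msg)
        if name:
            counts[name] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("Top started (4688):", top_processes(evs, 4688))
    print("Top exited  (4689):", top_processes(evs, 4689))
```

Splitting the parse from the ranking mirrors what the Splunk search does in two stages (field extraction, then aggregation), and keeping the label-to-EventID mapping in one place is what you change when the same approach is pointed at other Security events.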
More to come…