Florian Roth published the new version of the Anti-Virus Log Analysis Cheat Sheet (version 1.5). I highly recommend implementing monitoring of the events included in this cheat sheet. To my mind, this is the easiest and quickest win, and AV logs are one of the first things I hunt whenever I go to a new environment.
The new version has information on:
- Interesting virus types / AV signature names. Moreover, highly relevant AV events per vendor are now included (McAfee, Symantec, Sophos and Kaspersky).
- Interesting file path locations of AV detections
- Interesting file extensions (e.g. .TXT, .XML and .CHM are now marked as highly relevant, since a .TXT is sometimes actually an .EXE)
- Type of system (e.g. laptop, domain controller, etc.)
- User context (admin or service account vs non-privileged user)
- Time of AV detection (regular working hours vs out of work hours)
- Cheat sheet link: https://lnkd.in/ezBDCks
There are also 4 Sigma rules based on the AV Log Analysis Cheat Sheet: https://lnkd.in/eb2d-tR
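To show how the dimensions above turn into a triage pass over AV logs, here is an added example (not from the cheat sheet or the Sigma rules): it scores each detection by how many dimensions flag it (signature name, path, extension, system type, user context, time) and ranks them. The keyword lists, path prefixes, host-name prefixes, working hours and the log line format are all assumptions constructed for this example.

```python
from datetime import datetime

# Constructed triage criteria modelled on the dimensions listed above.
# Keyword lists, host-name prefixes and working hours are assumptions for
# this example, not the contents of the cheat sheet itself.
SIG_KEYWORDS = ("hacktool", "pws", "webshell", "exploit", "backdoor")
HOT_PATHS = ("\\windows\\temp\\", "\\programdata\\", "\\appdata\\local\\temp\\", "\\inetpub\\")
HOT_EXTS = (".txt", ".xml", ".chm", ".ps1", ".vbs")
PRIV_USERS = ("admin", "svc_", "system")
HOT_HOSTS = ("dc", "srv")          # assumed naming convention: DCs and servers
WORK_HOURS = range(8, 18)          # assumed local working hours

# Constructed sample AV log lines: time,host,user,path,signature,action
LOG_LINES = [
    "2024-03-09T02:14:00,DC01,CORP\\admin.jsmith,C:\\Windows\\Temp\\update.txt,HackTool.Win64.Generic,Quarantined",
    "2024-03-12T09:05:00,SRV-WEB01,CORP\\svc_web,C:\\inetpub\\wwwroot\\img.xml,Trojan.Generic,Cleaned",
    "2024-03-12T10:30:00,LAPTOP-42,CORP\\alice,C:\\Users\\alice\\Downloads\\setup.exe,Adware.Generic,Deleted",
]

def parse_line(line: str) -> dict:
    """Split one constructed log line into its named fields."""
    keys = ("time", "host", "user", "path", "signature", "action")
    return dict(zip(keys, line.split(",")))

def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score an event by how many cheat-sheet dimensions flag it, with the reasons."""
    sig, path = ev["signature"].lower(), ev["path"].lower()
    user, host = ev["user"].lower(), ev["host"].lower()
    ts = datetime.fromisoformat(ev["time"])
    checks = {
        "signature": any(k in sig for k in SIG_KEYWORDS),
        "path": any(p in path for p in HOT_PATHS),
        "extension": path.endswith(HOT_EXTS),   # e.g. a .txt that is really an .exe
        "system": host.startswith(HOT_HOSTS),
        "user": any(u in user for u in PRIV_USERS),
        "time": ts.weekday() >= 5 or ts.hour not in WORK_HOURS,
    }
    reasons = [name for name, hit in checks.items() if hit]
    return len(reasons), reasons

def triage(lines: list[str]) -> list[tuple[int, str, str, list[str]]]:
    """Rank events so the analyst looks at the highest-scoring detections first."""
    ranked = []
    for ev in map(parse_line, lines):
        score, reasons = score_event(ev)
        ranked.append((score, ev["host"], ev["path"], reasons))
    return sorted(ranked, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    for score, host, path, reasons in triage(LOG_LINES):
        print(f"{score} {host:<10} {path}  ({', '.join(reasons)})")
```

In a real environment the dimensions would be weighted rather than counted equally, and the keyword and path lists replaced with the cheat sheet's own entries per vendor.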
Many thanks again to Florian and happy hunting!