
Detecting Suspicious activities using Sysmon For Linux

Detect and investigate suspicious system changes (such as potential rootkits or malware) on a target Ubuntu machine using the ELK SIEM with Fleet (Elastic Agent), Sysmon for Linux, and the Sysmon for Linux Connector; visualize these changes in real time; and create alerts for abnormal system behaviour.

Self-Paced by Rajneesh Gupta

Overview

This project focuses on detecting and investigating suspicious system changes on an Ubuntu machine—such as potential rootkit activity, unauthorized modifications, and malware-like behavior—using the Elastic Stack (ELK) with Fleet-managed Elastic Agents.

  • Deploy and configure Elastic Agent with Fleet to collect endpoint telemetry from an Ubuntu machine into the ELK SIEM platform.

  • Integrate Sysmon for Linux to capture detailed system events including process execution, file changes, network activity, and privilege-related operations.

  • Use the Sysmon for Linux Connector to normalize, enrich, and ingest Sysmon logs into Elasticsearch for structured analysis.

  • Visualize high-risk system events in real time using Kibana dashboards to track activity patterns and correlate multiple indicators of compromise (IOCs).

What You'll Learn

  • Deploying Elastic Agent with Fleet for Endpoint Monitoring

    Learn how to enroll an Ubuntu system into the Elastic Stack using Fleet-managed Elastic Agents to collect rich endpoint telemetry.

  • Integrating Sysmon for Linux for Deep System Visibility

    Understand how to deploy Sysmon for Linux to capture granular system events, including process creation, file modifications, network connections, and privilege-related activity.

  • Building Real-Time Visualizations in Kibana

    Gain hands-on experience creating dashboards that surface indicators of compromise (IOCs), behavioral patterns, and correlated system events.

Prerequisites

  • Ubuntu machine with Elastic Agent installation privileges
  • Elastic Stack (Elasticsearch, Kibana, Fleet) already deployed or accessible
  • Basic understanding of Linux system events (processes, file operations, permissions)
  • Sysmon for Linux installed or ready to install
  • Familiarity with Kibana dashboards and search tools

About the Trainer

Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity". As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.
