Hello,
I wanted to create a detection rule on the LLMNR protocol knowing that I don't have Sysmon just with the logs.
Can you help me please?
thank you and have a great day
Please help us help you by telling us more about the use case.
What exactly are you trying to detect? I presume the information needed usually is supplied by sysmon - have you verified the same information is available in your logs?
I try to detect the LLMNR protocol if it is activated by a malicious user
We still need more information about the use case. How do you determine the user is malicious? Have you verified your logs contain the necessary information?
Thank you,
we don't have a sysmon