Seeing the full picture
As explained in Chapter 1, Ransomware Attacks and the Threat Landscape, during a ransomware attack, or during the attacker's initial assessment of the environment, a ransomware operator might use many different tools and scripts on a compromised endpoint or service to try to gain further access.
Looking through security events for abnormal logon activity alone will not give you enough data for a full overview of what is going on.
For instance, the SecurityEvent table contains information about logon attempts, including the account name and the source IP address. However, it tells you nothing about the process or tool on the remote side that initiated the attempt, and nothing about what happened after someone gained access, for instance, whether they ran any commands, scripts, or executables on the machine.
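The following KQL query is an added example, not one from the book, showing how the logon events in SecurityEvent can be correlated with process creations from Microsoft Defender for Endpoint (the DeviceProcessEvents table, ingested into the same workspace) so that a logon is shown together with what the account executed shortly afterwards. The column names are the standard Microsoft Sentinel schema; the 30-minute window, the list of "interesting" executables, and the assumption that Computer and DeviceName both hold the same hostname are choices made for this example.

```kql
// Added example (not the book's own query): join remote logons with the
// processes the same account started on the same host within a short window.
let lookback = 1d;
let window = 30m;
// Assumption: executables worth flagging after a remote logon.
let interesting = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                           "rundll32.exe", "mshta.exe", "psexec.exe", "psexesvc.exe"]);
// Successful logons (4624) that arrived over the network (type 3) or RDP (type 10)
// from a remote address; local and loopback logons are dropped.
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)
    | where isnotempty(IpAddress) and IpAddress !in ("-", "127.0.0.1", "::1")
    | project LogonTime = TimeGenerated,
              Host = tolower(Computer),
              User = tolower(TargetUserName),
              IpAddress, LogonType;
// Process creations from Defender for Endpoint, restricted to the interesting set.
let procs = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where tolower(FileName) in (interesting)
    | project ProcTime = TimeGenerated,
              Host = tolower(DeviceName),
              User = tolower(AccountName),
              FileName, ProcessCommandLine, InitiatingProcessFileName;
// kind=inner keeps every logon/process pair, not just the first match per logon.
logons
| join kind=inner procs on Host, User
| where ProcTime between (LogonTime .. (LogonTime + window))
| summarize FirstLogon = min(LogonTime),
            LogonTypes = make_set(LogonType),
            Sources = make_set(IpAddress),
            Processes = make_set(FileName),
            CommandLines = make_set(ProcessCommandLine, 20)
            by Host, User
| order by FirstLogon desc
```

Each result row is one account on one host, with the source addresses it signed in from and the commands it ran inside the window. Neither table answers that question on its own: SecurityEvent shows the logon without the follow-up activity, and DeviceProcessEvents shows the process without the remote address it was reached from. Tune the window and the executable list to your environment; a long window on a busy jump host will produce noise.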
To get a full overview, we need multiple different data sources to be able to detect attacks earlier, make it easier to do threat...