espy

Network Monitoring Without a Network Sensor!

About espy

AC-Hunter makes it easy to detect threats on your network, but what happens when your workforce is scattered geographically? With the uprise in the number of work-from-home employees, the challenge of protecting all devices in your organization becomes even more difficult. Where would you be able to put a centrally-located network sensor? Wouldn’t it be costly to place a sensor in every remote employee’s home network? Whoah, hold on… what are the privacy issues involved with monitoring home networks?

No worries, we already have answers to those questions. Espy collects network traffic from Windows systems regardless of geographical location. The network traffic is then stored on a server of your choosing as Zeek logs. The traffic can also be forwarded to an Elasticsearch instance.

 

Major Features

  • Collects network traffic from Windows hosts which have the espy agent installed
  • Transforms collected traffic into Zeek logs as if all traffic was one virtual network sensor
  • Logs are stored on one centralized server
  • Optionally can also send traffic to an Elasticsearch instance

 

Related Blogs and Webcasts

Blogs 

Espy – Network Monitoring Without a Network Sensor!

Webcasts 

A Look at espy

 

Use with RITA

Any Zeek logs created by espy can be analyzed with RITA. Imported datasets with these logs have the NetBIOS name of the source and destination of the connection, so that each host is distinguishable across different networks. Analysis of espy’s Zeek logs will produce results for beacons, strobes, and long connections.

Use with AC-Hunter

When espy is installed along AC-Hunter, all of the network traffic made by your remote hosts is analyzed and made available in AC-Hunter for beacons, strobes, and long connections. All logs created by espy are imported along with the standard Zeek logs. The NetBIOS names for hosts running the espy agent will appear along with the host’s ip, making it possible to distinguish which remote host an ip belongs to.

The NetBIOS name is available for a top-scoring host running the espy agent.

We can see the NetBIOS name for the source host of a beaconing connection.

We can see the source and destination NetBIOS names for long connections.

 

Download Details

As part of our ongoing commitment to free and open-source software, we’ve made both espy and the espy Windows agent open source.

GET ESPY ON GITHUB
You may also be interested in:
AC-Hunter Datasheet
AC-Hunter Personal Demo
Subscribe to Our Blog
Archives

Sign up for email notifications of our new blog posts, threat hunting training, webcasts and other relevant information.

We are not spammy and you can unsubscribe at any time :)

* indicates required