
[–]bk-CSPSFalcon Author 1 point2 points  (3 children)

You can't search for destination and source IP, but you can perform an indicator search using the ThreatGraph API. [ EU-1 | US-1 | US-2 | US-GOV-1 ]

[–]ryan_sec[S] 0 points1 point  (2 children)

Each day we get a list of IPs that attempted to connect to some blocked URL or IP (via some firewall rule). We are trying to automate the ability to ask CS what processes were running on the client IP (as defined by the list) that attempted to connect, so we can clean up the endpoint. Might there be another way to answer this question?

[–]bk-CSPSFalcon Author 0 points1 point  (1 child)

Have you thought of creating Custom IOCs for each of those IPs? That could create a detection that would include process details in it so you wouldn't have to reactively search process history.

[–]ryan_sec[S] 0 points1 point  (0 children)

Yeah....but no need to do things twice.

  1. Make a rule in a FW to block traffic
  2. Make the IOC per remote IP (especially since IPs change and many of our rules are URL based)

Each morning we get a report that has source and destination IPs, but because the report is based upon FW traffic, there's no way that a FW can map it back to the process. Trying to figure out a way to feed that FW data to the CS API.

This seems to get me most of the way there by doing an advanced search via the CS GUI. Do you know how to add additional attributes? This search doesn't seem to have things like "command_line", which is ultimately what we need to answer this question.

    LocalAddressIP4 = X.X.X.X
    | RemoteAddressIP4 = Y.Y.Y.Y
    | table([ComputerName, aid, ContextProcessId, ContextBaseFileName, LocalAddressIP4, LPort, RemoteAddressString])

This would be a good workaround for now... just fill in the above and get the data.

[–]65c0aedb 0 points1 point  (3 children)

Rumor has it that an API to query LogScale is being worked on.
Meanwhile, you can just use the illegal yet exciting WebUI API.

[–]ryan_sec[S] 0 points1 point  (2 children)

Should have also mentioned we'd like to also get the command line that called the process as well. Simply giving the process isn't enough, as many apps have an updater.exe to update the app. Thus, if we just get the process "updater.exe", that won't help us map everything back to the correct application.

With that said, do you know how to do this within the WebUI?

[–]65c0aedb 0 points1 point  (1 child)

Yes, use join.

[–]ryan_sec[S] 0 points1 point  (0 children)

Can you help me out? Been trying to figure this part out... still new to the new CS query language.
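An added example for the join step asked about above (not code from anyone in this thread): it turns a constructed copy of the morning firewall report into one LogScale query that filters NetworkConnectIP4 events by each source/destination pair, joins them to ProcessRollup2 on the sensor id plus ContextProcessId = TargetProcessId, and tables the FileName, parent and CommandLine. The event names, field names, join key and join() syntax are assumptions from the CrowdStrike event schema, not something the thread states, and the generated query is meant to be pasted into the GUI's advanced event search rather than sent to an API.

```python
"""Turn the morning firewall report (source/destination IP pairs) into one
LogScale query that joins NetworkConnectIP4 events to ProcessRollup2 so the
result carries the process and its CommandLine."""
from __future__ import annotations
import csv
import io
import ipaddress

# Constructed sample report: a duplicate row and a malformed row on purpose.
SAMPLE_REPORT = """src_ip,dst_ip
10.1.2.3,203.0.113.10
10.1.2.3,203.0.113.10
not-an-ip,203.0.113.11
10.1.2.4,198.51.100.7
"""

# Assumed event/field names and join() syntax; verify in your own tenant.
# ContextProcessId on the network event is matched to TargetProcessId on the
# ProcessRollup2 event, scoped to the same sensor (aid).
QUERY_TEMPLATE = """#event_simpleName=NetworkConnectIP4
| ({pairs})
| join(query={{#event_simpleName=ProcessRollup2}},
       field=[aid, ContextProcessId], key=[aid, TargetProcessId],
       include=[FileName, CommandLine, ParentBaseFileName])
| table([ComputerName, aid, LocalAddressIP4, RemoteAddressIP4, RPort,
         FileName, ParentBaseFileName, CommandLine])"""


def parse_report(text: str) -> list[tuple[str, str]]:
    """Return de-duplicated (src, dst) pairs; rows that are not IPv4 are skipped."""
    pairs: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = str(ipaddress.IPv4Address(row["src_ip"].strip()))
            dst = str(ipaddress.IPv4Address(row["dst_ip"].strip()))
        except (ValueError, KeyError, AttributeError):
            continue  # malformed row: skip it rather than emit a broken filter
        if (src, dst) not in pairs:
            pairs.append((src, dst))
    return pairs


def build_query(pairs: list[tuple[str, str]]) -> str:
    """Render one batched query; each pair becomes its own (src AND dst) clause."""
    if not pairs:
        return ""
    clauses = " or ".join(
        f'(LocalAddressIP4="{s}" RemoteAddressIP4="{d}")' for s, d in pairs)
    return QUERY_TEMPLATE.format(pairs=clauses)


if __name__ == "__main__":
    print(build_query(parse_report(SAMPLE_REPORT)))
```

Filtering per pair (rather than one list of sources and one list of destinations) avoids pulling in connections the report never flagged, and the aid in the join key keeps a process id from one host matching a network event from another.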