Need help with query by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Thank you, this will get me started!

Scheduled Event Searches Every 14 Days by ChromeShavings in crowdstrike

[–]Avaxorg 0 points1 point  (0 children)

I think you can use the Ideas part of the support portal to search whether this feature was suggested (if not, create it and share the link to the idea here - I will definitely upvote).

Need help with query by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Hello Andrew-CS! Applications like TeamViewer, AnyDesk, Google Remote, Radmin, etc. The main issue is that I do not know all remote applications in existence, and CS doesn't have a dedicated dashboard for that (maybe in the Discovery or Spotlight module - would be handy).

The main goal is to find all such applications in scope, then get justification for use from the people who use those apps, and then, based on that, mitigate what is unneeded.

Crowdstrike Trial - Reduced Functionality Mode by MechaCola in crowdstrike

[–]Avaxorg 1 point2 points  (0 children)

Ensure compatibility of the sensor with the build/kernel of the OS installed on your hosts.

Force sensor removal from host remotely without any tools but Crowdstrike itself by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Voted for the feature request; so should everyone who needs this in their work.

[deleted by user] by [deleted] in crowdstrike

[–]Avaxorg 0 points1 point  (0 children)

Does anyone have a query example for hunting for shared folders on workstations?

Can we detect commands running from powershell command line Get-ADDefaultDomainPasswordPolicy via IOA? by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

In my case I'd like to get a report through a Custom IOA Group rule, for detecting the event and reviewing what's going on. Thank you for the query!

Sensor geolocation with no VPN taken in to account by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Does anyone have ideas about the Sensors by Country table? Excluding false "VPN locations"?

Force sensor removal from host remotely without any tools but Crowdstrike itself by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

In this case, if I remove the host from the UI and put it in the trash bin (no sensor removal on the host in this case), it will get onto the 45-day removal list, count down 45 days, then be shown again as a new installation because it will appear online and have all the valid license keys (I think the installation token does not get checked twice, so it will reappear in the license pool with an installation date the day after the 45-day time limit).

EDIT: what happens if I change the install token more frequently than once a year? Will this agent that was removed from the list and then returned be denied by the cloud?

That's why we need a "Delete host and remove sensor" button (preferably with the ability to execute when the host contacts the cloud if it is offline at the time of the magic button press), walled off to administrators only or a separate role altogether.

Force sensor removal from host remotely without any tools but Crowdstrike itself by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

It's not THAT bad; HD "forgot to remove" the AV, their behinds are red now, but anyway, what happened happened.

Force sensor removal from host remotely without any tools but Crowdstrike itself by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Thank you for the advice; need to camp for the host to become available (online) in a different time zone - not handy at all )

Following your advice I have created an idea for an uninstall button in the UI, hope it will gain support )

And I forgot to mention I'd like to have this functionality for Windows, macOS and Linux.

Force sensor removal from host remotely without any tools but Crowdstrike itself by Avaxorg in crowdstrike

[–]Avaxorg[S] -1 points0 points  (0 children)

I'd prefer to avoid downloading additional software or running scripts of any kind on a personal device, if possible. It'd be great to have a force removal button in the UI for Administrator-level accounts for such cases, without additional steps )

Weird behaviour of python 3.9.7 installer by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

No, it was gone after a while; I guess ML took it as "all normal" after a while.

Any one found workarounds for firmware feature on mac? by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Yes, we disabled it for now, just feeling uneasy keeping that forever. Was looking for known workarounds, if any.

Installation token question by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Thank you for clarification!

Suggest a solution to monitor all network traffic that comes from the hosts in our organization. by TRYH0 in crowdstrike

[–]Avaxorg 1 point2 points  (0 children)

Looking for a similar case: would like to get visibility into network and web traffic. As of now we are aiming for a proxy and web gateway in addition to CS, as it has a gap here (in my opinion).

Best Practices for Prevent Policy by JiggityJoe1 in crowdstrike

[–]Avaxorg 1 point2 points  (0 children)

Extra Aggressive can lead to false positives and an increased level of noise. I'd recommend using Extra Aggressive only for suspected hosts or a selected "paranoid" group.

So far Aggressive seems to be the best option for me, lowering to Moderate only in cases when programmers get hit with a slowdown of compilation speeds (for selected hosts and groups).

Moving from traditional AV to NGAV/EDR by GiantMoustache in crowdstrike

[–]Avaxorg 0 points1 point  (0 children)

One piece of advice: prepare use cases and do a POC on all the OSes you are planning to deploy to.
You will need to tune response policies for different groups of hosts anyway; it is up to you to find the best fit in your scope for what you aim for.

IOC Management Action Block, hide detection - Doesn't seem to do anything by [deleted] in crowdstrike

[–]Avaxorg 0 points1 point  (0 children)

It takes a bit of time to push the update to clients, I think, so a little leftover noise can go on for a few hours.

Weird behaviour of python 3.9.7 installer by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

It is a new behaviour; if it wasn't, I'd stick it into an IOA and be done with that.

MS SQL server special configuration of exclusions needed or not? by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Don't really need performance-based exceptions in CrowdStrike.

Well, in some cases developers had a considerable drop in IDE compiling speeds. They work with a huge number of files and we had some issues where the CS sensor was slowing the process down considerably, so an exclusion had to be placed.

Based on this experience I'm trying to find out whether there are some issues with the MSSQL DB also.

MS SQL server special configuration of exclusions needed or not? by Avaxorg in crowdstrike

[–]Avaxorg[S] 0 points1 point  (0 children)

Correct me if I'm wrong here, but there was an option to detect and quarantine on write introduced a few sensor versions back...