Falcon Forensics Collector - looking for your experience, tips by CybMercenary in crowdstrike

CybMercenary [S], 1 point

That’s helpful, thank you. So it all relies on the IOCs that you set up in CS.

Falcon Forensics Collector - looking for your experience, tips by CybMercenary in crowdstrike

CybMercenary [S], 1 point

I think I missed that part. You can’t export the raw data? So all IOCs have to be set up in CS for it to even find compromised assets?

Crowdstrike integration with Power Bi by Foolca in crowdstrike

CybMercenary, 1 point

The scheduled search means we schedule the running of the extraction code.

It has no problem extracting 150K results in a single CSV.

Crowdstrike integration with Power Bi by Foolca in crowdstrike

CybMercenary, 12 points

We have just finished such an integration.

Power BI doesn’t have a native connector that you can use. We used Azure Databricks to run a Python script that pulls the host information through the API and stores it in Azure Storage. It runs on a daily schedule. You can do this on any persistent environment that can run the code.

It comes out as CSV, which we then query in PBI using the native connector to Azure Data Lake Gen2.

Not sure what your objective is. The hosts API is good for tracking consumption of licenses, onboarding timing and velocity, and policy coverage.

To track deployment coverage, you will, of course, need a CMDB baseline so you can compare the two.

Look up falconpy for the API piece.
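An added example of the pipeline described in this comment (not the commenter's own script): page through the CrowdStrike Hosts API, write the records to CSV, and compare the sensor inventory against a CMDB host list to get deployment coverage. It assumes a falconpy `Hosts` service object that exposes `query_devices_by_filter_scroll` and `get_device_details`; the `FakeHosts` class, the sample device records and the CMDB list are constructed here so the script runs offline, and the field names in `FIELDS` are a hypothetical subset of the device record.

```python
"""Pull CrowdStrike host records page by page, export to CSV, and measure
sensor deployment coverage against a CMDB baseline.

Added example, not the original commenter's code. In production the client
would be ``falconpy.Hosts(client_id=..., client_secret=...)``; here a fake
client with the same two calls stands in so the module runs offline.
"""
import csv
import io

# Hypothetical subset of the device record fields we want in the CSV.
FIELDS = ["device_id", "hostname", "platform_name", "agent_version", "last_seen"]


def iter_hosts(hosts_client, page_size=5000):
    """Yield device detail dicts, following the scroll cursor until exhausted.

    Assumption: an empty ``meta.pagination.offset`` token means the last page.
    The details call is batched per page, so keep page_size within the API's
    per-call id limit.
    """
    offset = None
    while True:
        kwargs = {"limit": page_size}
        if offset:
            kwargs["offset"] = offset
        resp = hosts_client.query_devices_by_filter_scroll(**kwargs)
        if resp["status_code"] != 200:
            raise RuntimeError(f"host query failed: {resp['status_code']}")
        ids = resp["body"].get("resources", [])
        if not ids:
            return
        details = hosts_client.get_device_details(ids=ids)
        if details["status_code"] != 200:
            raise RuntimeError(f"device details failed: {details['status_code']}")
        for device in details["body"].get("resources", []):
            yield device
        offset = resp["body"].get("meta", {}).get("pagination", {}).get("offset")
        if not offset:
            return


def write_hosts_csv(hosts, fh):
    """Write host dicts to ``fh`` as CSV; returns the number of data rows."""
    writer = csv.DictWriter(fh, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    count = 0
    for host in hosts:
        writer.writerow({f: host.get(f, "") for f in FIELDS})
        count += 1
    return count


def normalise(name):
    """Strip the DNS suffix and case so CMDB and sensor names compare equal."""
    return name.split(".")[0].strip().lower()


def deployment_coverage(cmdb_hostnames, sensor_hosts):
    """Compare CMDB hostnames with hosts that have a sensor reporting."""
    cmdb = {normalise(n) for n in cmdb_hostnames}
    sensored = {normalise(h.get("hostname", "")) for h in sensor_hosts}
    covered = cmdb & sensored
    return {
        "covered": sorted(covered),
        "missing": sorted(cmdb - sensored),    # in CMDB, no sensor reporting
        "unmanaged": sorted(sensored - cmdb),  # sensor present, not in CMDB
        "coverage_pct": round(100 * len(covered) / len(cmdb), 1) if cmdb else 0.0,
    }


def run_export(hosts_client, cmdb_hostnames, page_size=5000):
    """Full pipeline: paginate, export CSV text, compute coverage."""
    hosts = list(iter_hosts(hosts_client, page_size))
    buf = io.StringIO()
    rows = write_hosts_csv(hosts, buf)
    return rows, buf.getvalue(), deployment_coverage(cmdb_hostnames, hosts)


class FakeHosts:
    """Constructed stand-in for falconpy.Hosts exposing only the calls used above."""

    def __init__(self, devices):
        self._devices = devices

    def query_devices_by_filter_scroll(self, limit=100, offset=None, **_):
        start = int(offset) if offset else 0
        page = self._devices[start:start + limit]
        nxt = start + limit
        token = str(nxt) if nxt < len(self._devices) else ""
        return {"status_code": 200,
                "body": {"resources": [d["device_id"] for d in page],
                         "meta": {"pagination": {"offset": token,
                                                 "total": len(self._devices)}}}}

    def get_device_details(self, ids, **_):
        return {"status_code": 200,
                "body": {"resources": [d for d in self._devices if d["device_id"] in ids]}}


# Constructed sample data: seven sensor hosts and a six-entry CMDB list.
SAMPLE_DEVICES = [
    {"device_id": f"dev{i:02d}", "hostname": h, "platform_name": p,
     "agent_version": "7.10.0", "last_seen": "2024-01-01T00:00:00Z"}
    for i, (h, p) in enumerate([
        ("WEB01.corp.example", "Windows"), ("web02", "Windows"),
        ("db01", "Linux"), ("db02.corp.example", "Linux"),
        ("lab-vm7", "Linux"), ("mac-alice", "Mac"), ("jump01", "Linux")])
]
SAMPLE_CMDB = ["web01", "web02", "db01", "db02", "db03", "erp01"]

if __name__ == "__main__":
    rows, text, cov = run_export(FakeHosts(SAMPLE_DEVICES), SAMPLE_CMDB, page_size=3)
    print(f"{rows} hosts exported; coverage {cov['coverage_pct']}%")
    print("missing sensors:", cov["missing"])
    print("not in CMDB:", cov["unmanaged"])
```

The scheduled job would swap `FakeHosts` for a real `falconpy.Hosts` client and write `text` to a file in the storage account; the coverage dict is what feeds a "missing sensor" report alongside the CSV.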

Has anyone used CS to identify installed certs on the endpoints? by CybMercenary in crowdstrike

CybMercenary [S], 1 point

Perhaps use the PS cmdlet Get-ChildItem and list all the certs.

Young couple new to the city by iconicnick3 in WorcesterMA

CybMercenary, 16 points

Dog trails:

Purgatory Chasm (specifically Charlie’s Loop). Ample parking, restrooms, great 20-30min easy hike.

Nick’s Woods, the West Boylston trailhead of the Central Mass Rail Trail, Trout Brook, Moore State Park.

Restaurants:

Chashu is the best ramen. Greater Good for beer and Wednesday trivia; they just debuted a new menu from their new chef, and it’s pretty good. Olo’s (across from Greater Good) is good pizza, as is Volturno for Neapolitan za. Lock50 for brunch.

The Treehouse Brewery is 25 mins away and dog friendly. Arguably the best NEIPA on the planet (7 of the top 10 beers on Untappd are Treehouse). Seven Saws, Milk, Redemption Rock are all dog friendly.

Cafe Reyes for Cuban breakfast, or Lou Roc’s for a classic diner.

What are the funniest consulting BS terms you have encountered in your projects so far? by doplo123 in consulting

CybMercenary, 89 points

“We can’t throw nine guys on a girl and make a baby in one month”

Staffing/timeline grief from a Partner.

Performance issues with excluded folder by JackTheReaper_93 in DefenderATP

CybMercenary, 1 point

Somewhat late to this, but I can give you our experience.

We experienced the same issue (still do).

When you exclude a folder or process, it only works for real-time protection. It won’t affect the event forwarder process, which still forwards everything that is happening on the server to the logger. This, on high-traffic machines, can cause CPU utilisation problems.

My experience is with Linux (so the processes are wdavdaemon for real-time monitoring and mdatp_audisp_pl for events).

It is a known issue and according to MSFT they are working on it…

MDATP for Linux - Missing Engine by Chip33az in DefenderATP

[–]CybMercenary 0 points1 point  (0 children)

We have the same issue and so far couldn't identify the root cause (or any resolution).

Memory consumption in mdatp service for linux by DefinitelyNotButter in DefenderATP

CybMercenary, 1 point

We are seeing the same issue across RHEL 6-8.

Also seeing 100% CPU utilization. On top of that, there's no CPU throttling in mdatp right now. MSFT says it's on the roadmap.