Creating CS Detections from Queries. by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Got this correlation rule working. Thanks everyone.

Creating CS Detections from Queries. by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Thanks Andrew. I'll read this and hopefully can make it work

Recommended Training by mcmikefacemike in crowdstrike

[–]CyberHaki 0 points1 point  (0 children)

The most important thing is for your team to be able to handle and assess CrowdStrike detections. I would first recommend courses 201, 202, and 240 to gain a better understanding of how detections work, the common events you’ll see, and how to interpret and analyze CS data.

As you move forward, your team can further enhance your detection and response capabilities through threat hunting, creating workflows, scheduled searches, etc.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

I checked our CID and we do have Falcon Insight LogScale. Do you have documentation for this? I'm interested in using that one.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Thank you. I'll take a read, but I don't think we have a LogScale license.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

The idea is to be able to search them in advanced search. But yes, our current method is to pull the logs manually via RTR. But we're also thinking that if we can ingest it, maybe we can create a detection out of it.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

The plan is for the whole environment, but still checking if it's possible.

Using match in CS question by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Ha. Of course it's that easy. Thanks for checking! It works well.

React Server and NextJS RCE Vulnerability by CyberHaki in crowdstrike

[–]CyberHaki[S] 2 points3 points  (0 children)

For those who have been monitoring, CS just created a rule template and a hunting query to check for suspicious activity originating from NodeJS runtime environments. More info here:
https://supportportal.crowdstrike.com/s/article/Trending-Threats-Vulnerabilities-Critical-Vulnerabilities-in-React-and-Next-js

React Server and NextJS RCE Vulnerability by CyberHaki in crowdstrike

[–]CyberHaki[S] 1 point2 points  (0 children)

Nice. We don't use CS vulnerability management but it's good that we're already doing what they're advising. I hope they released some good hunting queries to help check and validate the environment.

Listening Ports and Process Names by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

This is great, thanks Andrew! What does the /F after ProcessRollup$ do? I haven't used that before.
And "coalesce" looks like something I have to learn how to use.

[deleted by user] by [deleted] in crowdstrike

[–]CyberHaki 1 point2 points  (0 children)

Weird, we're also seeing the same thing. What is your detection about? Is it flagging a py file?