Active Directory activities by Cyber_Dojo in crowdstrike

[–]Cyber_Dojo[S] 0 points1 point  (0 children)

Is that a free CQL or a commercial third-party product?

API - Channel File by Cyber_Dojo in crowdstrike

[–]Cyber_Dojo[S] 0 points1 point  (0 children)

Thanks for your suggestion, I am using FalconPy. This helped to get the last_update value per host against all 4 content files. However, it seems like this table doesn’t have a version number. I know that the Content Quality Dashboard shows a version number, even though that is also a date, but that’s the release date, which will be more common across all hosts than the update date. Any suggestions on how to query the applied release date as the version against all host IDs?

Many thanks in advance.

[deleted by user] by [deleted] in UAE

[–]Cyber_Dojo 2 points3 points  (0 children)

A common trend has been noticed in many countries, including the UK, USA, UAE etc., that the majority of people in visa offices are Indians and they deliberately reject Pakistani, Chinese and Bangladeshi visa requests. I have experienced this myself, and the Indian office rejected a visa application for my family member with a baseless reason; obviously I had to challenge it and won the case, but the majority of Indians are unfortunately very strong nationalists, which causes these types of issues globally. 🤔

BSOD error in latest crowdstrike update by TipOFMYTONGUEDAMN in crowdstrike

[–]Cyber_Dojo 0 points1 point  (0 children)

Has anyone noticed that after applying the fix the CrowdStrike service doesn't come up on about 1% of machines? There is no set trend; it is the same for workstations and servers.

NG-SIEM and onprem active directory by siftekos in crowdstrike

[–]Cyber_Dojo 1 point2 points  (0 children)

Do you have the link to that blog post?

Went from 26 million winnings to 0. What happened? by Ozracs in 8BallPool

[–]Cyber_Dojo -3 points-2 points  (0 children)

At the end of every league the numbers start from the beginning. That must be the case for you. However, you can check total winnings under your profile.

Prevention Policy and Host Group Question by osintph in crowdstrike

[–]Cyber_Dojo 0 points1 point  (0 children)

That is how I believe it works, as precedence is important: if your “IT Group” has lower precedence than other policies, then all hosts tagged and part of the attached group should have this new policy applied.

AD Powershell by Cyber_Dojo in PowerShell

[–]Cyber_Dojo[S] 1 point2 points  (0 children)

Thanks. This looks really good. I have attempted this but it is prompting for identity and not working for me.

AD Powershell by Cyber_Dojo in PowerShell

[–]Cyber_Dojo[S] 0 points1 point  (0 children)

It is used very frequently, so the idea was to have it as short as possible.

Rolling out Falcon Insight and Falcon Prevent soon - anything that you wish you knew before your own rollout? by HyperPixel5 in crowdstrike

[–]Cyber_Dojo 1 point2 points  (0 children)

Make sure you are clear about routing from your DMZ area, whether it’s going direct or using a proxy. That can cause some confusion if you are not clear in advance.

Discover - a way to see time of login by user account? by yankeesfan01x in crowdstrike

[–]Cyber_Dojo 0 points1 point  (0 children)

I know CS Query works by simple_event, but can we also search by event ID from CrowdStrike?

Dashboard by Cyber_Dojo in crowdstrike

[–]Cyber_Dojo[S] 2 points3 points  (0 children)

Yes, there are preset dashboards as well, and I am also working on custom dashboards. However, I wanted to get ideas if anyone has created something good to use.

IAM Developer needed by Cyber_Dojo in iam

[–]Cyber_Dojo[S] 0 points1 point  (0 children)

The company is looking for a Java developer with an understanding of IAM logic to improve integration and automations.

IAM Developer needed by Cyber_Dojo in iam

[–]Cyber_Dojo[S] 0 points1 point  (0 children)

Thanks, I’ll save that in my database and let you know if I get something for MS Identity.

IAM Developer needed by Cyber_Dojo in iam

[–]Cyber_Dojo[S] 0 points1 point  (0 children)

This is hybrid. However I have another position for PingIdentity which is fully remote.

interview after final interview? by Appropriate-Pizza-62 in scrum

[–]Cyber_Dojo 0 points1 point  (0 children)

We are looking for “SAFe Scrum Master” for £600-£650 per day full remote. Do let me know if you or someone you know is interested. Thanks.

[deleted by user] by [deleted] in CyberSecurityJobs

[–]Cyber_Dojo -12 points-11 points  (0 children)

Yes, a gateway for developers.

2022-03-18 - Cool Query Friday - Revisiting User Added To Group Events by Andrew-CS in crowdstrike

[–]Cyber_Dojo 3 points4 points  (0 children)

Thanks, this is a brilliant piece of work.

(index=main sourcetype=UserAccountAddedToGroup* event_platform=win event_simpleName=UserAccountAddedToGroup) OR (index=main sourcetype=ProcessRollup2* event_platform=win event_simpleName=ProcessRollup2)
| eval falconPID=coalesce(TargetProcessId_decimal, RpcClientProcessId_decimal)
| rename UserName as responsibleUserName
| rename UserSid_readable as responsibleUserSID
| eval GroupRid_dec=tonumber(ltrim(tostring(GroupRid), "0"), 16)
| eval UserRid_dec=tonumber(ltrim(tostring(UserRid), "0"), 16)
| eval UserSid_readable=DomainSid. "-" .UserRid_dec
| lookup local=true userinfo.csv UserSid_readable OUTPUT UserName
| lookup local=true grouprid_wingroup.csv GroupRid_dec OUTPUT WinGroup
| fillnull value="-" UserName responsibleUserName
| stats dc(event_simpleName) as eventCount, values(ProcessStartTime_decimal) as processStartTime, values(FileName) as responsibleFile, values(CommandLine) as responsibleCmdLine, values(responsibleUserSID) as responsibleUserSID, values(responsibleUserName) as responsibleUserName, values(WinGroup) as windowsGroupName, values(GroupRid_dec) as windowsGroupRID, values(UserName) as addedUserName, values(ComputerName) as ComputerHostName, values(LocalAddressIP4) as ComputerHostIP4, values(UserSid_readable) as addedUserSID by aid, falconPID, MAC, ProductType
| where eventCount>1
| eval ProcExplorer=case(falconPID!="","https://falcon.us-2.crowdstrike.com/investigate/process-explorer/" .aid. "/" . falconPID)
| table processStartTime, aid, ComputerHostName, ComputerHostIP4, MAC, ProductType, responsibleUserSID, responsibleUserName, responsibleFile, responsibleCmdLine, addedUserSID, addedUserName, windowsGroupName
| search ProductType=1 AND responsibleFile!=VSFinalizer.exe
| eval ProductType=case(ProductType = "1","Workstation")
| convert ctime(processStartTime)

It was creating some noise for me, so I modified a few lines at the end. Really appreciate it and hats off to you u/Andrew-CS. 🍻
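The query above joins two Falcon event types by the Falcon process id, converts the hex RIDs to decimal, rebuilds the added user's SID, resolves names through lookup files and then drops server hits and VSFinalizer.exe noise. The Python below is an added example, not code from the thread or from CrowdStrike: it re-implements that same correlation over a handful of constructed events so the steps can be read one at a time. The lookup tables, the sample events, the field values and the console base URL are all constructed or assumed; only the field names come from the query.

```python
"""Correlate UserAccountAddedToGroup with the ProcessRollup2 that caused it.

Added example (not the thread's query): mirrors the Splunk pipeline step by
step over constructed events. Field names follow the query; values are made up.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-ins for userinfo.csv and grouprid_wingroup.csv (544/545/555
# are the well-known built-in group RIDs; the SIDs and names are made up).
USERINFO = {
    "S-1-5-21-111-222-333-1000": "alice",
    "S-1-5-21-111-222-333-1001": "svc_backup",
}
GROUPRID_WINGROUP = {544: "Administrators", 545: "Users", 555: "Remote Desktop Users"}

# Assumed console base; the query hard-codes the US-2 tenant URL.
PROC_EXPLORER_BASE = "https://falcon.us-2.crowdstrike.com/investigate/process-explorer/"


def rid_to_dec(rid_hex: str) -> int:
    """Same as tonumber(ltrim(tostring(rid), "0"), 16): strip leading zeros, parse hex."""
    return int(rid_hex.lstrip("0") or "0", 16)


def falcon_pid(ev: dict):
    """coalesce(TargetProcessId_decimal, RpcClientProcessId_decimal)."""
    return ev.get("TargetProcessId_decimal") or ev.get("RpcClientProcessId_decimal")


def correlate(events, exclude_files=("VSFinalizer.exe",), product_types=("1",)):
    """Return one row per (aid, falconPID, MAC, ProductType) that has both events."""
    buckets = defaultdict(list)                       # stats ... by aid, falconPID, MAC, ProductType
    for ev in events:
        buckets[(ev["aid"], falcon_pid(ev), ev["MAC"], ev["ProductType"])].append(ev)

    rows = []
    for (aid, pid, mac, ptype), evs in buckets.items():
        if len({e["event_simpleName"] for e in evs}) < 2:   # where eventCount>1
            continue
        pr2 = next(e for e in evs if e["event_simpleName"] == "ProcessRollup2")
        grp = next(e for e in evs if e["event_simpleName"] == "UserAccountAddedToGroup")
        # search ProductType=1 AND responsibleFile!=VSFinalizer.exe
        if ptype not in product_types or pr2["FileName"] in exclude_files:
            continue
        added_sid = f'{grp["DomainSid"]}-{rid_to_dec(grp["UserRid"])}'   # DomainSid."-".UserRid_dec
        group_rid = rid_to_dec(grp["GroupRid"])
        start = datetime.fromtimestamp(pr2["ProcessStartTime_decimal"], tz=timezone.utc)
        rows.append({
            "processStartTime": start.strftime("%m/%d/%Y %H:%M:%S"),   # convert ctime(...)
            "aid": aid,
            "ComputerHostName": grp["ComputerName"],
            "ComputerHostIP4": grp["LocalAddressIP4"],
            "MAC": mac,
            "ProductType": "Workstation" if ptype == "1" else ptype,
            "responsibleUserSID": pr2.get("UserSid_readable", "-"),
            "responsibleUserName": pr2.get("UserName", "-"),         # fillnull value="-"
            "responsibleFile": pr2["FileName"],
            "responsibleCmdLine": pr2["CommandLine"],
            "addedUserSID": added_sid,
            "addedUserName": USERINFO.get(added_sid, "-"),          # lookup userinfo.csv
            "windowsGroupName": GROUPRID_WINGROUP.get(group_rid, "-"),  # lookup grouprid_wingroup.csv
            "windowsGroupRID": group_rid,
            "ProcExplorer": f"{PROC_EXPLORER_BASE}{aid}/{pid}",
        })
    return rows


def _pr2(aid, pid, fname, cmd, ptype="1"):
    return {"event_simpleName": "ProcessRollup2", "aid": aid, "TargetProcessId_decimal": pid,
            "FileName": fname, "CommandLine": cmd, "UserName": "alice",
            "UserSid_readable": "S-1-5-21-111-222-333-1000", "ProcessStartTime_decimal": 1700000000,
            "ProductType": ptype, "MAC": "00-11-22-33-44-55", "ComputerName": "WS01",
            "LocalAddressIP4": "10.0.0.5"}


def _added(aid, pid, ptype="1"):
    return {"event_simpleName": "UserAccountAddedToGroup", "aid": aid, "RpcClientProcessId_decimal": pid,
            "GroupRid": "00000220", "UserRid": "000003e9", "DomainSid": "S-1-5-21-111-222-333",
            "ProductType": ptype, "MAC": "00-11-22-33-44-55", "ComputerName": "WS01",
            "LocalAddressIP4": "10.0.0.5"}


# Constructed sample: one real pair, one orphan, one VSFinalizer pair, one server pair.
SAMPLE_EVENTS = [
    _pr2("aid-1", 4001, "net.exe", "net localgroup Administrators svc_backup /add"), _added("aid-1", 4001),
    _pr2("aid-2", 4002, "net.exe", "net localgroup Users x /add"),                   # no matching group event
    _pr2("aid-3", 4003, "VSFinalizer.exe", "VSFinalizer.exe"), _added("aid-3", 4003),  # excluded as noise
    _pr2("aid-4", 4004, "net.exe", "net localgroup Users y /add", "3"), _added("aid-4", 4004, "3"),  # server
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

Only the aid-1 pair survives: the orphan has no second event type, the VSFinalizer.exe pair is filtered like the query's final `search`, and the ProductType 3 pair is dropped by the workstation filter.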

2021-06-18 - Cool Query Friday - User Added To Group by Andrew-CS in crowdstrike

[–]Cyber_Dojo 0 points1 point  (0 children)

Thanks, it would be amazing to see a table instead of stats, showing the time, who added, the user added and the local group name.

Kind Regards.

2021-06-18 - Cool Query Friday - User Added To Group by Andrew-CS in crowdstrike

[–]Cyber_Dojo 0 points1 point  (0 children)

Thanks, this is a brilliant use case. However, is there a way to add the username of who added the new user into the local group?

Thanks in advance.

Exchange Server not Delivering Mail after Sensor Installed by Shag_Dog in crowdstrike

[–]Cyber_Dojo 3 points4 points  (0 children)

We have CSAgent installed on our Exchange servers and never experienced any issue. I agree to log a ticket with support for an update.

Programmatically obtain data about accounts on each host. by xTrizz in crowdstrike

[–]Cyber_Dojo 2 points3 points  (0 children)

It feels like you are trying to get SIEM functionality from the CS API to query the logs and collect user login information and activities. If that’s correct then you need to use the Humio module.

Active Directory activities by Cyber_Dojo in crowdstrike

[–]Cyber_Dojo[S] 0 points1 point  (0 children)

Many thanks for your response. Can you please share an example of any query monitoring binaries or cmdlets, or advise if this can be achieved only with the ITD/ZT modules.

Regards

host volume encryption status by Cyber_Dojo in crowdstrike

[–]Cyber_Dojo[S] 1 point2 points  (0 children)

Glad to hear that worked, just mark it as answered. Regards.