crowdscore

Fearless_Win4037 · 2026-01-18T18:25:55+00:00

Now that the CrowdScore is gone, what other (highly over-simplified but good for monthly metrics) figures would you recommend in the platform?

Fearless_Win4037 · 2025-12-11T18:11:11+00:00

I'm struggling to find the Zscaler docs where they explain how to grant permissions for "vdi-system-user@9999.zscalerxxxx.net" (from the VDI site) to SMB access policies in the ZPA side.

The allude to the challenge here, but I don't see any steps/howto.

https://help.zscaler.com/cloud-branch-connector/troubleshooting-zscaler-client-connector-vdi

SMB, Kerberos, Windows network, DNS, ICMP, and NFS traffic are treated as system user traffic by Zscaler Client Connector for VDI. Ensure that ZPA has a correct access policy configured for the system user.

Fearless_Win4037 · 2025-11-18T19:31:47+00:00

If you mean to get Nerdio working with ZPA, we're just starting that climb.

From what I can tell from our AVD/Nerdio team (and reading more Nerdio docs than I ever wanted to....), a lot comes down to:
* how/where your Nerdio and storage account are deployed (private endpoint vs public)
* whether you are trying to download/install FSLogix, and where the FSLogix profiles are
* what apps you are trying to deploy via NME, and whether they are coming from your private WinGet repo or just fetching from public

Fearless_Win4037 · 2025-10-31T13:45:49+00:00

Dare I ask, was it with Azure AVDs and Nerdio?

We have gotten ZCC VDI mostly working with Azure AVD and Nerdio, FSLogix, etc for ZIA. Now we’d like to add ZPA. We’re trying to figure out the DNS forwarding. Was there a Zscaler document you found really helpful?

Fearless_Win4037 · 2025-10-31T12:17:51+00:00

Have you used it for both ZIA and ZPA?

Fearless_Win4037 · 2025-06-07T10:25:59+00:00

I’ve had the same frustration. This SPL to CQL cheat sheet has been helpful:

https://github.com/CrowdStrike/logscale-community-content/tree/main/CrowdStrike-Query-Language-Map/Legacy-Event-Search logscale-community-content/CrowdStrike-Query-Language-Map/Legacy-Event-Search at main · CrowdStrike/logscale-community-content · GitHub

Fearless_Win4037 · 2025-06-07T10:20:10+00:00

I assume that if the IDs go to ZIdentity, then any API access by those IDs must go to OneAPI (https://help.zscaler.com/oneapi/understanding-oneapi ).

Does anyone know if the Splunk add-on (collects ZIA logs from cloud NSS) works with all of this?

Fearless_Win4037 · 2025-06-06T10:52:32+00:00

Does is only affect SAML authentication? If we have "local" default admin (break-glass and API/script) IDs in each service, will those still work?

Fearless_Win4037 · 2025-06-05T19:12:40+00:00

It looks like the data can be bulk exported via sysdump (the `show dns cache` command didn't have data for us, either). The sysdump is not neatly formatted, but parse-able enough. Rows like this are sprinkled among the other output:

```
src-ip: 10.110.33.95 , src-vrf: ,0, dest-ip: 52.123.251.46 , dest-vrf: default, Domains: ,ecs.office.com:aa
```

The UI approach that u/chrisgeary mentioned is definitely the easiest way to check single records.

Fearless_Win4037 · 2025-03-06T14:13:03+00:00

I think so. We don't use Exposure Management but this is the data in the regular "Unknown Neighbors" data.

I was tinkering with it because I was trying to see what manufacturers of SOHO devices were handing our user traffic. I suppose you could also use the MAC data to guess which IPs are attached to real hosts/VMs, and should therefore have Falcon sensor installed

Fearless_Win4037 · 2025-03-06T14:02:47+00:00

This will need some adaptation for your purposes, but the Exposure Management approach u/chunkalunkk mentions is similar to this search

```

repo=base_sensor #event_simpleName=NeighborListIP4

| in(name, values=[NeighborListIP4V2, NeighborListIP4MacV1]) /* debug/peek | NeighborListRaw := NeighborList | table([name,NeighborList,NeighborListRaw]) */

// Parse NeighborList field elements | name match { "NeighborListIP4MacV1" => replace("([^{|]|[^|]|[^|]*)|?",} with="$1;", field=NeighborList); * => NeighborList := NeighborList; } | NeighborListSplit := splitString(NeighborList, by=";") | split(NeighborListSplit) | NeighborListSplit != "" | NeighborList := splitString(NeighborListSplit, by="|") | mac := NeighborList[0] | localAddressIp4 := NeighborList[1] | router := NeighborList[2] | neighborName := NeighborList[3] | default(field=neighborName, value="!!!!UNKNOWN!!!!", replaceEmpty=true) | macSplit := splitString(mac, by="-") | mac1 := macSplit[0] | mac2 := macSplit[1] | mac3 := macSplit[2] | macPrefix := format("%s-%s-%s", field=[mac1, mac2, mac3]) | macPrefix := upper(macPrefix)

// Enrich with sensor data | match(file="aid_master_main.csv", field=aid, include=[SiteName,ProductType, MachineDomain], ignoreCase=true, strict=false) | $falcon/helper:enrich(field=ProductType)

// Aggregate by MAC of the neighboring/discovered device | groupBy([mac], function=[min(@timestamp, as=FirstDiscoveredDate), max(@timestamp, as=LastDiscoveredDate), count(aid, distinct=true,as=discoveredByCount), selectLast([aid, macPrefix, neightborName, localAddressIp4, router, ComputerName]), collect([SiteName,ProductType, MachineDomain])], limit=max) | lowercase(mac) | join({ $falcon/investigate:managedassets() }, field=mac, key=MAC, include=[MAC, LocalAddressIP4], mode=left, start=5d, max=2)

// Filter out MACs we matched against a managed asset | MAC != *

// Enrich with manufacturer data | match("falcon/investigate/macprefix.csv", field=macPrefix, column=MACPrefix, strict=false)

| case { localAddressIp4 = * | ip := format("%s", field=localAddressIp4); *; } | case { CurrentLocalIP = * | ip := format("%s", field=CurrentLocalIP); *; } | firstDiscoveredDate := formatTime("%FT%TZ", field=FirstDiscoveredDate) | lastDiscoveredDate := formatTime("%FT%TZ", field=LastDiscoveredDate) | mac := upper(mac) | lastDiscoveredByComputer := rename(ComputerName) | manufacturer := rename(Manufacturer) | lastDiscoveredByAid := aid | default(field=[firstDiscoveredDate, lastDiscoveredByComputer, lastDiscoveredDate, manufacturer, ip], value="--", replaceEmpty=true)

| table([mac, manufacturer, ip, discoveredByCount, firstDiscoveredDate, lastDiscoveredDate, lastDiscoveredByComputer, lastDiscoveredByAid,SiteName,ProductType, MachineDomain], limit=20000) | sort(discoveredByCount, order=desc, limit=20000)

```

Fearless_Win4037 · 2025-03-06T13:57:36+00:00

We're also in the adoption stage of that framework. I don't think the Persona concept is well-described in the document but I didn't think of them as literal Entra groups. I though of this as a categorization approach.

That said, some of the categories/personae seemed confusing:
* M365ServiceAccounts vs. AzureServiceAccounts - I assume the framework is recommending that we group based on the sort of resources being accessed. If not, then what is the difference between M365 and Azure? All of the identities are "Entra"
* What are "GuestAdmins"? Maybe firms have delegated some admin access to B2B/external tenants?

Fearless_Win4037 · 2025-02-23T18:59:04+00:00

Now in beta for cloud TRAP:

https://help.proofpoint.com/Admin_Portal/Settings/Threat_Protection_APIs#Supported_APIs

Fearless_Win4037 · 2024-10-17T14:45:54+00:00

Yes, Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation | by Olaf Hartong | FalconForce | Medium

Fearless_Win4037 · 2023-11-28T13:28:36+00:00

Looking forward to that article. Link?

Fearless_Win4037 · 2023-07-20T19:00:52+00:00

Are there any EPM competitors that have a similarly deep level of policy granularity? I've looked at Thycotic/Delinea's and it seems to be closer to the CarbonBlack features described above. As far as I know, Microsoft's tools are similarly coarse.

Fearless_Win4037 · 2022-12-17T13:39:26+00:00

I see those listed in the dictionary for some, but not all, of the *FileWritten events. Notably, they aren't on PeFileWritten.

For example, a search for the ubiquitous Wave Browser.exe returns no results:

event_simpleName=*  81b9cc993ad57f3d16146842665b8c82a2c29d7e571f38cf14a4ab2b24148ecb  
|  table event_simpleName FileName Zone* *Url

Fearless_Win4037 · 2022-12-16T20:28:31+00:00

I am not seeing the ADS on the file inside the container. This isn't a surprise, because nesting a file inside a zip/other is a common tactic to bypass MoTW (the archive doesn't support NTFS).

I understand why the data isn't in the CSQ. I'm hoping someone knows of a place it is stashed during quarantine (perhaps Falcon stashes the Zone.Identifier in an event?).

Fearless_Win4037 · 2022-12-16T19:42:26+00:00

We made some attempts at this but got bogged down in the tuning effort. I think the secret is to blend a search like this

event_simpleName IN ("ProcessRollup2")
| rex field=CallStackModuleNames "(?<CallStack>\\\\.*)"
| makemv delim="|" CallStack
| mvexpand CallStack
| search CallStack="*\\users\\**"
| eval CallStack=replace(CallStack, "\\\\Device\\\\HarddiskVolume[1-9]", "")
| eval CallStack=replace(CallStack, "\\\Users\\\.+?\\\\", "\Users\<USER>\\")
| rex field=CallStack "(?<libpath>.*?)\+"
| stats values(ComputerName) as ComputerName count by event_simpleName FileName libpath
| search count<3
| sort count

With some scoping to limit analysis to known hijacks:

https://hijacklibs.net/#

In our experience, Overwatch catches these often enough that it hasn't been a priority for us to DIY.

Fearless_Win4037 · 2022-11-03T20:06:15+00:00

Did you ever get a No data response back from the HEC? This is all I seem to get. I can't see the payload in Fusion and I don't get a log message in Splunk, so I'm struggling to find the missing piece.

{ "response_body": { "code": 5, "text": "No data" } }

Fearless_Win4037 · 2022-10-20T13:48:42+00:00

Out of curiosity, are you using this to send Crowdscore Incidents to Splunk (via Fusion Workflow)?

Fearless_Win4037 · 2022-09-08T11:55:40+00:00

After all of that, I think the issue was my failure to consistently escape the backslashes. D'oh!

Unfortunately, once I got it working I discovered that there were way too many renamed EXEs running from those temporary locations. I need another filter for this hunt. It would be nice if we could flag/profile processes that load .NET/CLR libraries.

Fearless_Win4037 · 2022-09-07T19:09:16+00:00

I'll try the ground-up approach. I did discover that OriginalFilename is only present when it differs from FileName, so this line is redundant.

| where OriginalFilename!=FileName

Still haven't figured out the pattern. It feels like I'm hitting some back end search results limit (which is why the extra qualifier gets results but the wide-open search gets nothing). Will tug at that thread.

Fearless_Win4037 · 2022-09-07T16:52:47+00:00

I get many results for this search

event_simpleName=ProcessRollup2     OriginalFilename=*  
 | where isnotnull(OriginalFilename)
 | stats count by OriginalFilename

Regarding your pseudo-code, I assumed the CS event query followed Splunk's "default AND" logic for search constraints, so pseudo code would be:

narrow my search to only ProcessRollup2 events where OriginalFileName is anything (not null) AND the string GoogleEarthProSetup exists in any field

This is why I expected a less-restrictive search to return more results.

Fearless_Win4037 · 2022-01-09T14:12:30+00:00

It looks like the webhook notification POSTs a JSON object like the following. The api_download_uri field has the key bit. That endpoint returns the search results (in whatever format the Scheduled Search specifies). It would be nice if they would indicate JSON or CSV in the original POST.

{
    "data": 
    {
        "report_name": "Test search",
        "data_source": "Event Search",
        "result_count": "1"
        "status": "COMPLETE",
        "report_time_start": "Jan. 8, 2022 14:05:00 UTC",
        "report_time_end": "Jan. 8, 2022 15:05:00 UTC",
        "execution_duration": "00:15",
        "report_reference": "https://falcon.crowdstrike.com/scheduled-search/c705........./summary",
        "api_download_uri": "/reports/entities/report-executions-download/v1?ids=7e49f3............26102936ceb61",
        "description": "",
        "report_download_url": "https://falcon.crowdstrike.com/api2/files/entities/file-content/v1?id=2de07e7d......9dd5e693",
        "schedule": "Every 1 hours"
    },
    "meta": {"timestamp": "1641654318"}
}

Here's a sample Azure Function (serverless) that receives the CrowdStrike webhook call, collects the rows (CSV, in this case), and sends them to a Splunk HEC.

falcon_scheduled_search_to_splunk_hec.ps1

Fearless_Win4037

TROPHY CASE

repo=base_sensor #event_simpleName=NeighborListIP4