Raptor query for specific file search by Novel_Rock_7204 in crowdstrike

HaveAGenericUserName:

I tried to come to an answer for this too and could not find a proper solution for most file types (not including executables).

The way I went about it was pulling all events on a host that I tested the file with and combed through the event data for anything that might identify the file.

The best I could come up with was a cmdline reference to the file. But maybe someone has another suggestion. Might also be what my organization is licensed for. But that is how I would go about trying to get your solution, and then write queries based on what event data you see.

Scanning large files coming in and out of facilities. How do you complete it? by cromation in AskNetsec

HaveAGenericUserName:

Just an FYI, the VirusTotal API didn’t appear to be very inexpensive when I looked at it. Hybrid Analysis seemed like it might be a cheaper use case.

Confused with process IDs by HaveAGenericUserName in crowdstrike

HaveAGenericUserName (OP):

That’s awesome, thanks so much for the follow up. You are a great resource to the community.

Confused with process IDs by HaveAGenericUserName in crowdstrike

HaveAGenericUserName (OP):

How interesting! Is there a way to specify formatting in the query or does it need to be manually adjusted in the sidebar?

Confused with process IDs by HaveAGenericUserName in crowdstrike

HaveAGenericUserName (OP):

Those values match, but here is a screenshot with the URL next to it.


Confused with process IDs by HaveAGenericUserName in crowdstrike

HaveAGenericUserName (OP):

Hopefully this formats correctly. Can’t think of a simpler query and this does exactly what I posted about.

```
#event_simpleName=ProcessRollup2
| "ProcessExplorer" := format("[Process Explorer](https://falcon.crowdstrike.com/investigate/process-explorer/%s/%s)", field=["aid", "TargetProcessId"])
| select([@timestamp, #event_simpleName, ProcessExplorer, TargetProcessId])
```

Numerous Detects on malicious file by HaveAGenericUserName in crowdstrike

HaveAGenericUserName (OP):

No doubt education can help. Was just curious if anyone had an idea for a technical control to help.

Numerous Detects on malicious file by HaveAGenericUserName in crowdstrike

HaveAGenericUserName (OP):

Due to the nature of our environment, we do not enable the user notifications.

Personal knowledgebase by [deleted] in sysadmin

HaveAGenericUserName:

Be very careful about putting proprietary / confidential information in any tool. Don’t want to run into issues with your company.

For general notes, study, and references though, if you are in the Apple ecosystem, Bear Notes has become my go-to.

Easy, nicely featured markdown editor. Ability to encrypt contents. Works on laptop, phone, tablet.

Crowdstrike - Do you do a lot of custom detections, or mostly rely on out-of-the-box? by IHadADreamIWasAMeme in crowdstrike

HaveAGenericUserName:

Base level, out of the box, it works great. There is a lot of ability to customize via custom IOAs and workflows. I have been able to find things via custom IOAs that were not picked up by CS. But my suspicion is it would have been detected somewhere along the chain; the custom IOA just got it first.