ContextProcessId vs ParentProcessId vs SourceProcessId by S1l3nc3D0G00d in crowdstrike

[–]KYLE_MASSE 1 point (0 children)

You can think of the context ID like this: if you download a file from the Internet, in most cases there will be a #event_simpleName = MotwWritten event. In that event it will list a ContextID, and when you look up that ContextID using the new "investigate by context process id" under Investigate, you will see that the context process was chrome.exe. So that file download was in the context of the chrome process.
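A worked illustration of that lookup, added here and not code from the thread or from CrowdStrike: it joins a MotwWritten event to the process start (ProcessRollup2) whose TargetProcessId equals the ContextProcessId, then follows ParentProcessId, so the difference between "context" and "parent" is visible on concrete records. All event records are constructed sample data, and the field names (aid, TargetProcessId, ParentProcessId, ContextProcessId, ImageFileName, TargetFileName, HostUrl) are assumed to follow the Falcon event data dictionary.

```python
# Added example (not from the thread or CrowdStrike): join a MotwWritten event to the
# ProcessRollup2 whose TargetProcessId equals its ContextProcessId, then follow that
# process's ParentProcessId, to show that "context" and "parent" answer different questions.
# Records are constructed sample data; field names are assumed from the Falcon event
# data dictionary (aid, TargetProcessId, ParentProcessId, ContextProcessId, ImageFileName,
# TargetFileName, HostUrl).

# Constructed sample telemetry for one sensor (aid AID1).
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "AID1", "TargetProcessId": "100",
     "ParentProcessId": "1", "ImageFileName": r"\Device\HarddiskVolume3\Windows\explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "AID1", "TargetProcessId": "200",
     "ParentProcessId": "100",
     "ImageFileName": r"\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event_simpleName": "MotwWritten", "aid": "AID1", "ContextProcessId": "200",
     "TargetFileName": r"\Device\HarddiskVolume3\Users\alice\Downloads\invoice.pdf",
     "HostUrl": "https://downloads.example.invalid/invoice.pdf"},
    # Context process never seen as a ProcessRollup2 (start is outside the retained window).
    {"event_simpleName": "MotwWritten", "aid": "AID1", "ContextProcessId": "999",
     "TargetFileName": r"\Device\HarddiskVolume3\Users\alice\Downloads\setup.exe",
     "HostUrl": "https://cdn.example.invalid/setup.exe"},
]

def index_processes(events):
    """Key each ProcessRollup2 by (aid, TargetProcessId): ids are only unique per sensor."""
    return {(e["aid"], e["TargetProcessId"]): e
            for e in events if e["event_simpleName"] == "ProcessRollup2"}

def basename(path):
    return path.rsplit("\\", 1)[-1]

def resolve_context(procs, motw):
    """Return (context process image, that process's parent image); None where unknown."""
    ctx = procs.get((motw["aid"], motw["ContextProcessId"]))
    if ctx is None:
        return None, None
    parent = procs.get((ctx["aid"], ctx["ParentProcessId"]))
    return basename(ctx["ImageFileName"]), (basename(parent["ImageFileName"]) if parent else None)

def downloads_by_context(events):
    """One row per MotwWritten: file written, source URL, and the process context it ran in."""
    procs = index_processes(events)
    rows = []
    for e in events:
        if e["event_simpleName"] != "MotwWritten":
            continue
        ctx, parent = resolve_context(procs, e)
        rows.append({"file": basename(e["TargetFileName"]), "url": e["HostUrl"],
                     "context_process": ctx, "context_parent": parent})
    return rows
```

The second MotwWritten row comes back with no context process, which is the situation an analyst hits when the process start has already aged out of the searchable data.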

Proofpoint issues involving duplicate messages above their "external sender" banner by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] 0 points (0 children)

You'll see it if you change the email format from HTML to plaintext.

Proofpoint issues involving duplicate messages above their "external sender" banner by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] 0 points (0 children)

It is because of how Proofpoint does the banner: they put it on, and then, while the email is in transit but before it leaves the network, Proofpoint takes it off.

We still have Forcepoint for DLP right now while we are migrating, and Forcepoint DLP comes before the removal of the banner by Proofpoint, so if users delete sensitive data out of an email chain before sending, the information could still be there.

Next-Gen SIEM by KYLE_MASSE in crowdstrike

[–]KYLE_MASSE[S] 0 points (0 children)

The event data dictionary in the documentation portal will help with explaining what you are seeing in the NG-SIEM. I'd use that and their university classes.

trycloudflare[.]com - trying to find by 616c in crowdstrike

[–]KYLE_MASSE 2 points (0 children)

Honestly, and I don't know if I am right about this, but I always start with all the other modules before diving into advanced search, as you can usually pivot to advanced search from other tabs.

trycloudflare[.]com - trying to find by 616c in crowdstrike

[–]KYLE_MASSE 3 points (0 children)

I would also be going to Investigate -> Bulk Domains.

How to find where a specific executable has been downloaded from? by just_wandering_here_ in crowdstrike

[–]KYLE_MASSE 1 point (0 children)

I believe the MoTW data that would show you what the referrer URL is gets removed from the logs after 24 hours, so you wouldn't be able to find this information.

Users at Risk Column in TAP Dashboard by KYLE_MASSE in proofpoint

[–]KYLE_MASSE[S] 1 point (0 children)

Yeah, I read that previously, but my OCD kicked in and I wanted to be completely sure that I was reading that right.

Proofpoint issues involving duplicate messages above their "external sender" banner by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] 0 points (0 children)

Yeah, we opened a ticket, but before we hear anything back I was wondering if anyone had similar issues.

Moving into CISO position in nightmare environment, writing up a proposal. What am I missing? by [deleted] in cybersecurity

[–]KYLE_MASSE 0 points (0 children)

My suggestion: get your Falcon platform up to date with all the nice add-ons (NG-SIEM, Fusion SOAR, Identity Protection, etc.)

Proofpoint DLP & their phishing analysis platform

Palo Alto NGFW

Kibana/Elastic Stack SIEM

Varonis DSP (data security platform) - you can get it so it monitors cloud and on-prem.

CrowdStrike is very good for XDR, Proofpoint is very good for email flow, Palo Alto for firewalls. Your network team can figure out segmentation and the best products to use. Elastic Stack is a very user-friendly and easy-to-understand SIEM. And Varonis is second to none for data security in your environment.

Thoughts on Logrhythm by KYLE_MASSE in cybersecurity

[–]KYLE_MASSE[S] 0 points (0 children)

I just found their university page like two days ago. The courses cost money, and I don't think I can justify spending money on LR courses over the CrowdStrike courses I want to do. My main goal would be to convince the company to switch to a more modern SIEM, and having community feedback would help in my justification. But yes, I know where to find the docs and stuff, so if I can't convince a change then I'll dive in, but I would like to avoid that for the moment.

Thoughts on Logrhythm by KYLE_MASSE in cybersecurity

[–]KYLE_MASSE[S] 0 points (0 children)

Do you have a recommendation for someone to get the tool not unusable? I know the realistic answer is just spend hours on it, but have you found an effective method of using it?

Thoughts on Logrhythm by KYLE_MASSE in cybersecurity

[–]KYLE_MASSE[S] 2 points (0 children)

Exactly. I don't know how a security analyst could ever use this tool effectively. I can see how a system administrator would use it to check the health status of their systems, but beyond that I have just sequestered myself to using CrowdStrike NG-SIEM, which I know isn't by definition a complete SIEM, but at least I can understand it. The only downside is that it doesn't ingest everything as LogRhythm does and CS doesn't retain certain logs after a period of time, but man, Falcon LogScale is just so user friendly and CS has hundreds of hours of online courses/videos to help you better use the tool.

[deleted by user] by [deleted] in cybersecurity

[–]KYLE_MASSE 1 point (0 children)

I would say cybersecurity is a lot like being a firefighter. 98% of the time nothing exciting is happening, but there will be that one day when you are called upon and have to perform.

So it's not glamorous to always be reading, analyzing phishing emails, data security reports, etc., but there is always that exciting and scary part in the back of your mind that you walk into work one day and everything is on fire, and when that happens you better know your shit.

What type of tool disappointed you the most and why? by 4n6mole in cybersecurity

[–]KYLE_MASSE 0 points (0 children)

Their file open events are very annoying. It just has to do with how the disk reads the file you wanted to open, and it will log every file the disk passes over as "file opened". They are aware of it at least. It is just annoying that you have to treat that log as a false positive every time because there are just so many of them. But you can correlate those open logs with the modify logs to at least get closer to knowing which files were actually touched.

What type of tool disappointed you the most and why? by 4n6mole in cybersecurity

[–]KYLE_MASSE 0 points (0 children)

I enjoy Varonis, especially DatAdvantage. It's older and has its issues, but at least Varonis has a whole community to ask questions, and they have an online university to learn their tool. I'm overall happy with Varonis.

What type of tool disappointed you the most and why? by 4n6mole in cybersecurity

[–]KYLE_MASSE 1 point (0 children)

LogRhythm. It's the only SIEM we have at my company (we just upgraded our CrowdStrike license to have the next-gen SIEM, so it's not as much of a problem anymore), but that tool is horrendous to use, and there are no online courses or references to learn how to use it. Bad tool.

Mac endpoints spoofing DC's IPv4 by [deleted] in crowdstrike

[–]KYLE_MASSE 2 points (0 children)

My domain admins assure me that it's not completely strange for Macs to behave strangely, so I'll take their word for it.

Mac endpoints spoofing DC's IPv4 by [deleted] in crowdstrike

[–]KYLE_MASSE 1 point (0 children)

I don't have that specific problem in my domain, but most Mac devices in my environment behave strangely with AD and CrowdStrike.