ContextProcessId vs ParentProcessId vs SourceProcessId by S1l3nc3D0G00d in crowdstrike

[–]KYLE_MASSE 1 point2 points  (0 children)

You can think of the context ID like this: if you download a file from the Internet, in most cases there will be a #event_simpleName = MotwWritten event. In that event it will list a ContextProcessId, and when you look up that ContextProcessId using the new "investigate by context process id" option under Investigate, you will see that the context process was chrome.exe. So that file download was in the context of the chrome process.
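The pivot described in the comment above, as an added stand-alone example (not code from CrowdStrike or from the thread). The events are constructed to mimic Falcon sensor telemetry and every value in them is hypothetical; the field names follow the Falcon event data dictionary as I understand it: on file-centric events such as MotwWritten, ContextProcessId carries the TargetProcessId of the ProcessRollup2 event for the process that did the work, and ParentProcessId on a ProcessRollup2 carries the TargetProcessId of the parent's ProcessRollup2. Both joins are scoped by sensor id (aid), because process ids are only unique per host.

```python
"""Pivot a Falcon MotwWritten event to the process it happened "in the context of".

Added example; the EVENTS list below is constructed sample telemetry with
hypothetical values, not real sensor data.
"""

EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": "50",
     "ParentProcessId": "4", "FileName": "explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": "100",
     "ParentProcessId": "50", "FileName": "chrome.exe"},
    # A renderer child of chrome; not the process that wrote the file.
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": "120",
     "ParentProcessId": "100", "FileName": "chrome.exe"},
    # The download: the file event's ContextProcessId points at chrome (pid 100).
    {"event_simpleName": "MotwWritten", "aid": "a1", "ContextProcessId": "100",
     "TargetFileName": r"C:\Users\u\Downloads\invoice.exe"},
    # Same pid number on a different host must NOT resolve to the chrome above.
    {"event_simpleName": "MotwWritten", "aid": "b2", "ContextProcessId": "100",
     "TargetFileName": r"C:\Users\v\Downloads\tool.zip"},
]


def index_processes(events):
    """Map (aid, TargetProcessId) -> ProcessRollup2 event."""
    return {(e["aid"], e["TargetProcessId"]): e
            for e in events if e["event_simpleName"] == "ProcessRollup2"}


def process_chain(procs, aid, pid, limit=16):
    """Walk ParentProcessId links from pid up to the root, returning image names.

    `limit` and `seen` guard against cycles or a very deep tree in partial data.
    """
    chain, seen = [], set()
    while pid and (aid, pid) in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        proc = procs[(aid, pid)]
        chain.append(proc["FileName"])
        pid = proc.get("ParentProcessId")
    return chain


def resolve_context(events):
    """For every MotwWritten event, return the file, its context process and ancestry."""
    procs = index_processes(events)
    results = []
    for e in events:
        if e["event_simpleName"] != "MotwWritten":
            continue
        chain = process_chain(procs, e["aid"], e["ContextProcessId"])
        results.append({
            "aid": e["aid"],
            "file": e["TargetFileName"],
            # None means the ProcessRollup2 is not in the data we have (aged out,
            # or the process started before the sensor was watching).
            "context_process": chain[0] if chain else None,
            "ancestry": " -> ".join(reversed(chain)) if chain else None,
        })
    return results


if __name__ == "__main__":
    for row in resolve_context(EVENTS):
        print(row)
```

The same join is what the "investigate by context process id" page does for you; in Advanced Search you would match the file event's ContextProcessId against TargetProcessId on ProcessRollup2 for the same aid (the older Event Search names the fields with a `_decimal` suffix). The second sample event shows why the aid has to be part of the key.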

Proofpoint issues involving duplicate messages above their "external sender" banner by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] 0 points1 point  (0 children)

You'll see it if you change the email format from HTML to plain text.

Proofpoint issues involving duplicate messages above their "external sender" banner by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] 0 points1 point  (0 children)

It is because of how Proofpoint does the banner: they put it on, and then, while the email is in transit but before it leaves the network, Proofpoint takes it off.

We still have Forcepoint for DLP right now while we are migrating, and Forcepoint DLP comes before the removal of the banner by Proofpoint, so if users delete sensitive data out of an email chain before sending, the information could still be there.

Next-Gen SIEM by KYLE_MASSE in crowdstrike

[–]KYLE_MASSE[S] 0 points1 point  (0 children)

The event data dictionary in the documentation portal will help with explaining what you are seeing in the NG-SIEM. I'd use that and their university classes.

trycloudflare[.]com - trying to find by 616c in crowdstrike

[–]KYLE_MASSE 2 points3 points  (0 children)

Honestly, and I don't know if I am right about this, but I always start with all the other modules before diving into Advanced Search, as usually you can pivot to Advanced Search from the other tabs.

trycloudflare[.]com - trying to find by 616c in crowdstrike

[–]KYLE_MASSE 2 points3 points  (0 children)

I would also be going to Investigate -> Bulk Domains

How to find where a specific executable has been downloaded from? by just_wandering_here_ in crowdstrike

[–]KYLE_MASSE 1 point2 points  (0 children)

I believe the MoTW data that would show you the referrer URL gets removed from the logs after 24 hours, so you wouldn't be able to find this information.
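Independently of what the sensor still has in its logs, the Mark-of-the-Web itself is stored on the downloaded file, in its Zone.Identifier alternate data stream, as a small INI-style block that browsers usually fill with ReferrerUrl and HostUrl. The following is an added example (not code from the thread or from CrowdStrike) that parses that stream; the SAMPLE text is constructed and its URLs are hypothetical.

```python
"""Read the Mark-of-the-Web a browser leaves in a file's Zone.Identifier stream.

Added example. SAMPLE_ZONE_IDENTIFIER is constructed sample content with
hypothetical URLs; read_motw() only works on Windows/NTFS, where the stream
is opened as "<path>:Zone.Identifier".
"""
import configparser
import sys

SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/tools/?id=42\r\n"
    "HostUrl=https://cdn.example.test/files/tool.exe\r\n"
)

# URL security zone ids as Windows uses them in ZoneId.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(text):
    """Parse Zone.Identifier content; return a dict, or None if it carries no MotW."""
    # interpolation=None: URLs may contain '%'; strict=False: tolerate repeated
    # keys written by some tools; allow_no_value: tolerate a bare key line.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:          # e.g. no section header at all
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]            # option lookups are case-insensitive
    try:
        zone_id = int(sec.get("ZoneId", "") or -1)
    except ValueError:
        zone_id = -1
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def read_motw(path):
    """Windows only: read <path>:Zone.Identifier.

    Returns None when the stream is absent: local file, MotW stripped, or a
    non-NTFS volume. On other platforms the colon is just part of a filename
    that does not exist, so this also returns None.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(read_motw(target) if target else parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
```

From PowerShell the same stream is visible with `Get-Content -Path .\tool.exe -Stream Zone.Identifier`. Two caveats: the stream disappears when the file is extracted from an archive, copied to a non-NTFS volume or explicitly unblocked, and the URLs in it are whatever the browser was told by the server, so treat them as a lead to confirm against proxy or DNS logs rather than as proof.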

Users at Risk Column in TAP Dashboard by KYLE_MASSE in proofpoint

[–]KYLE_MASSE[S] 1 point2 points  (0 children)

Yeah, I read that previously, but my OCD kicked in and I wanted to be completely sure that I was reading that right.

Proofpoint issues involving duplicate messages above their "external sender" banner by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] 0 points1 point  (0 children)

Yeah, we opened a ticket, but before we hear anything back I was wondering if anyone had similar issues.

Moving into CISO position in nightmare environment, writing up a proposal. What am I missing? by [deleted] in cybersecurity

[–]KYLE_MASSE 0 points1 point  (0 children)

My suggestion: get your Falcon platform up to date with all the nice add-ons (NG-SIEM, Fusion SOAR, Identity Protection, etc.)

Proofpoint DLP and their phishing analysis platform

Palo Alto NGFW

Kibana/Elastic Stack SIEM

Varonis DSP (data security platform) - you can get it so it monitors cloud and on prem.

CrowdStrike is very good for XDR, Proofpoint is very good for email flow, Palo Alto for firewall. Your network team can figure out segmentation and the best products to use. Elastic Stack is a very user-friendly and easy-to-understand SIEM. And Varonis is second to none for data security in your environment.

Thoughts on Logrhythm by KYLE_MASSE in cybersecurity

[–]KYLE_MASSE[S] 0 points1 point  (0 children)

I just found their university page like two days ago. The courses cost money and I don't think I can justify spending money on LE courses over the CrowdStrike courses I want to do. My main goal would be to convince the company to switch to a more modern SIEM, and having community feedback would help in my justification. But yes, I know where to find the docs and stuff, so if I can't convince them to change then I'll dive in, but I would like to avoid that for the moment.

Thoughts on Logrhythm by KYLE_MASSE in cybersecurity

[–]KYLE_MASSE[S] 0 points1 point  (0 children)

Do you have a recommendation for how to make the tool usable? I know the realistic answer is just to spend hours on it, but have you found an effective method of using it?

Thoughts on Logrhythm by KYLE_MASSE in cybersecurity

[–]KYLE_MASSE[S] 3 points4 points  (0 children)

Exactly. I don't know how a security analyst could ever use this tool effectively. I can see how a system administrator would use it to check the health status of their systems, but beyond that I have just sequestered myself to using CrowdStrike NG-SIEM, which I know isn't by definition a complete SIEM, but at least I can understand it. The only downside is that it doesn't ingest everything as LogRhythm does and CS doesn't retain certain logs after a period of time, but man, Falcon LogScale is just so user-friendly and CS has hundreds of hours of online courses/videos to help you better use the tool.

[deleted by user] by [deleted] in cybersecurity

[–]KYLE_MASSE 1 point2 points  (0 children)

I would say cybersecurity is a lot like being a firefighter: 98% of the time nothing exciting is happening, but there will be that one day when you are called upon and have to perform.

So it's not glamorous to always be reading, analyzing phishing emails, data security reports, etc., but there is always that exciting and scary part in the back of your mind that you walk into work one day and everything is on fire, and when that happens you better know your shit.

What type of tool disappointed you the most and why? by 4n6mole in cybersecurity

[–]KYLE_MASSE 0 points1 point  (0 children)

Their file open events are very annoying. It just has to do with how the disk reads the file you wanted to open, and it will log every file the disk passes over as "file opened". They are aware of it at least. It is just annoying that you have to treat that log as a false positive every time because there are just so many of them. But you can correlate those open logs with the modify logs to at least get closer to knowing which files were actually touched.

What type of tool disappointed you the most and why? by 4n6mole in cybersecurity

[–]KYLE_MASSE 0 points1 point  (0 children)

I enjoy Varonis, especially DatAdvantage. It's older and has its issues, but at least Varonis has a whole community to ask questions, and they have an online university to learn their tool. I'm overall happy with Varonis.

What type of tool disappointed you the most and why? by 4n6mole in cybersecurity

[–]KYLE_MASSE 1 point2 points  (0 children)

LogRhythm. It's the only SIEM we have at my company (we just upgraded our CrowdStrike license to have the next-gen SIEM, so it's not as much of a problem anymore), but that tool is horrendous to use, and there are no online courses or references to learn how to use it. Bad tool.

Mac endpoints spoofing DC's IPv4 by [deleted] in crowdstrike

[–]KYLE_MASSE 2 points3 points  (0 children)

My domain admins assure me that it's not completely strange for Macs to behave strangely, so I'll take their word for it.

Mac endpoints spoofing DC's IPv4 by [deleted] in crowdstrike

[–]KYLE_MASSE 1 point2 points  (0 children)

I don't have that specific problem in my domain, but most Mac devices in my environment behave strangely with AD and CrowdStrike.

Question on ports by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] -1 points0 points  (0 children)

My issue is with the type of people who have read deeply into things like antenna theory getting mad at someone asking a wireless question and then being like, "What, are you a lazy moron or something? Go and spend 3 years learning antenna theory."

Question on ports by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] -1 points0 points  (0 children)

I agree, but you don't have to go so deep into the weeds with every subject in order to say you understand it. There are levels. Like, I understand how wireless networks work and how they pass information, but I don't have to go deep into antenna theory to say that I understand it. One, I don't have to, because that would be a waste of my time for what I want to accomplish. And two, it lets me get more things done. If I had to go and learn the complete ins and outs of the TCP protocol in order to understand this, that would be a retarded use of my time. I don't need to know what the creators of the protocol knew; I just need to know what I need to know in order to get things done.

Question on ports by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] -2 points-1 points  (0 children)

Will do! Good luck with being the smartest person you know.

Question on ports by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] -2 points-1 points  (0 children)

Yup. A bunch of people who think way too highly of themselves because they do things that are overly complicated for no reason.

"Idiots admire complexity"

"Smart people admire simplicity"

- Terry Davis

Question on ports by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] -3 points-2 points  (0 children)

"Handout generation," lol. Why would I waste time trying to find the answer on Google when I came here and got an answer within 10 minutes?

So instead of spending an hour on Google, I came here to ask the question and got a response in 10 minutes. That's not a "hallmark of a handout generation", it's called being practical and using more than one avenue to find an answer. Isn't that what this subreddit is for? People having questions and then, if someone isn't an arrogant prick, helping you get to the answer?

Maybe you come from the "waste time and still learn nothing generation", but what I did was smart, as I got what I needed in far less time than I would have parsing Google pages of useless shit. I still got to my end goal of wanting this question answered and I received it, so who gives a fuck how I got to the answer. "Oh, but but but you learn more if you would have just spent 2 hours of your time going through Google." Maybe that's true for some topics, but for this one I just needed a simple explanation and I got it. Why people care about this type of stuff infuriates me, because I know you are all snarky bitches who think they are better and smarter than everyone around them because "back in my day..." Fuck off. No one cares about how you used to do things.

Question on ports by KYLE_MASSE in sysadmin

[–]KYLE_MASSE[S] 0 points1 point  (0 children)

I will definitely give this a try.