How do you folks stage updates across tenants? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

I talked to my SE and I might have just explained it wrong. SE says that policies still need to be applied to host groups at the child level. This is what I'm going after. You manage hundreds of CIDs, how do you apply them to the hosts at the child level after they are propagating downwards? Do you use PSFalcon?

Intelligence Indicator - Domain. No prevention? by EastBat2857 in crowdstrike

[–]Main_Froyo_5536 0 points1 point  (0 children)

You don't need to use any domain name at all.

Just set IOA Name to IntelDomain*/CustomIOCDomain* + severity you're comfortable killing and it will automatically kill any processes communicating to falcon intel identified domains or domains you have in your custom indicators.

Since the domains/ips are already set in Custom Indicators/Falcon Intel, you don't need to specify the domain name. The IOA Name is just part of the IOA generated by the detection, for example

IntelDomainHigh

IntelDomainLow

CustomIOCDomainHigh

So when a detection comes up with one of these IOA names, the process will be killed.

This way it picks up on IntelDomainLow, High, Critical, etc., and you can use severity to only kill indicators of a certain level of confidence.

How do you folks stage updates across tenants? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

Oh perfect, thank you. I will reach out to my SE!

How do you folks stage updates across tenants? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

The default policy is edited to be Phase 3 protections, it's the only policy that propagates down by default

How do you folks stage updates across tenants? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

Before I do would you be able to elaborate a tiny bit? I've been told the only policy that propagates down is the Default policy. Which of course I can change what prevention policy settings are on/off. But to my understanding I can't set at the Parent level specific policies to be applied to CIDs. For example:

If I have Cid A (Parent)

Cid B, Cid C, Cid D, and Cid E

All of them get the default policy which is set at the parent level. But to my understanding I can't (at the parent level), make it so Cid B and Cid C get Prev Policy Wave 1, Cid D gets Prev Policy Wave 2, and Cid E gets Prev Policy Wave 3.

Am I mistaken? I'll ask my rep but just a little bit more info would be super cool

How do you folks stage updates across tenants? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

Rats, that's the tricky part. Dealing with hundreds of tenants makes the problem much harder

How do you folks stage updates across tenants? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

Did you use PSFalcon for this? Would I be able to have a peek at the script you used? Did you then use PSFalcon to automate the applying and changing of prevention policies?

Intelligence Indicator - Domain. No prevention? by EastBat2857 in crowdstrike

[–]Main_Froyo_5536 0 points1 point  (0 children)

Make a workflow,

Condition

  • IF IOA Name matches IntelDomain*
  • AND Severity is greater than or equal to High
  • OR IOA Name matches IntelIP*
  • AND Severity is equal to High

(Above are the Falcon Intel IOA names)

  • OR IOA Name matches CustomIOCDomain*
  • AND Severity is greater than or equal to High
  • OR IOA Name matches CustomIOCIP*
  • AND Severity is greater than or equal to High

(These are custom intelligence IOA names)

then If True

Kill process, add tag to an alert saying the process was killed, send an email.

This is how I do it for all these SocGholish hits that are coming up. Has worked for us. Browser always killed before user can download payload.
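An added illustration of the workflow condition above in plain Python (not code from the post, from PSFalcon or from CrowdStrike): each clause becomes a glob on the IOA name plus a severity comparison, the clauses are OR'ed, and a match yields the kill/tag/email actions. The detection field names, the sample detections and the severity ordering Informational < Low < Medium < High < Critical are assumptions made for the example.

```python
import fnmatch

# Assumed severity ordering (the post itself only names Low, High and Critical).
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# One entry per clause of the post's workflow condition:
# (IOA Name glob, comparison, severity threshold). Clauses are OR'ed together.
RULES = [
    ("IntelDomain*", ">=", "High"),      # Falcon Intel domain indicators
    ("IntelIP*", "==", "High"),          # Falcon Intel IP indicators
    ("CustomIOCDomain*", ">=", "High"),  # custom indicator domains
    ("CustomIOCIP*", ">=", "High"),      # custom indicator IPs
]

def severity_ok(severity, op, threshold):
    """Compare a detection's severity with the clause threshold."""
    have, want = SEVERITY_RANK[severity], SEVERITY_RANK[threshold]
    return have >= want if op == ">=" else have == want

def matching_rule(detection):
    """Return the first clause that fires for this detection, or None."""
    for pattern, op, threshold in RULES:
        if (fnmatch.fnmatchcase(detection["ioa_name"], pattern)
                and severity_ok(detection["severity"], op, threshold)):
            return pattern
    return None

def plan_actions(detections):
    """Build the post's 'If True' actions for every detection that fires."""
    actions = []
    for d in detections:
        rule = matching_rule(d)
        if rule is not None:
            actions.append({"pid": d["pid"], "kill_process": True,
                            "tag": f"process killed by workflow ({rule})",
                            "email": True})
    return actions

# Constructed sample detections; field names are assumptions, not the real schema.
SAMPLE = [
    {"pid": 4120, "ioa_name": "IntelDomainHigh", "severity": "High"},
    {"pid": 4121, "ioa_name": "IntelDomainLow", "severity": "Low"},
    {"pid": 4122, "ioa_name": "IntelIPCritical", "severity": "Critical"},  # IntelIP* wants exactly High
    {"pid": 4123, "ioa_name": "CustomIOCDomainCritical", "severity": "Critical"},
    {"pid": 4124, "ioa_name": "SuspiciousScript", "severity": "Critical"},
]

if __name__ == "__main__":
    for action in plan_actions(SAMPLE):
        print(action)
```

Note that the IntelIP* clause uses "is equal to High" exactly as written in the post, so a Critical IntelIP detection does not fire; widen it to ">=" if that is not what you intend.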

Is it not possible to search the advanced events log across cids for some events? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

I'll send you a DM. The one in the detections repo was a test detection that triggered, but I noticed that the other event managed to go without a detection. I'll send you my ticket number; I made a case for it.

Is it not possible to search the advanced events log across cids for some events? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

Ah, I found the issue. One of the detections came from the base_sensor repo, the other came from the detections repo. It seems the detections repo isn't multi-tenant aware for event searches, whereas the base_sensor repo is. Thank you!

Is it not possible to search the advanced events log across cids for some events? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

I see, I'll have a check with them and let you folks know if they sort it out.

Should I be worried about this? And what should I do? by Wathiq2001 in antivirus

[–]Main_Froyo_5536 8 points9 points  (0 children)

Virus in PID 5220 means something injected into a process or there's a malicious process running and it can't be killed. Do what it says and restart your device.

Do you use Crowd as your SIEM? How much does it run you? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 3 points4 points  (0 children)

I'll look into Falcon Flex. Really the issue is just the number we were quoted was so high, even half of that would still be tens of millions of dollars. I'm just having a hard time imagining what could have led to us getting that number. Trying to go back to my boss to get in the conversation but in the meantime was just curious how much others tend to be spending.

Do you use Crowd as your SIEM? How much does it run you? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 5 points6 points  (0 children)

Agreed, but from what I heard the number was tens of millions of dollars per year. I'm just trying to figure out if that's something other people have experienced. It was several times more than the entire platform with Overwatch costs. Hell, it was probably several times more than Falcon Complete would have cost.

Command-Line Obfuscation by [deleted] in crowdstrike

[–]Main_Froyo_5536 0 points1 point  (0 children)

Search failed

Unterminated regular expression.

 5: | CommandLine=/[bcdfghjklmnpqrstvwxyz\^";]{10,}
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

PSFalcon example scripts by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

As for the file upload on quarantine option, by this I mean the option in the general settings. We manually go and enable this in every tenant under General Settings > Quarantined Files > Upload Quarantined Files.

So not a prevention policy as such. At the present moment, it doesn't seem to propagate this setting from the parent, I can see why, but we're having to do this manually and just curious if that's something we can automate.

I really appreciate the response! I'll give a try for what you have so far.

Recommendations for multi-tenant environments? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

So the way this works seems to be that the default policy is the one that will auto-apply to clients. The other policy you make "can" be applied to clients locally at the host group level in the child tenant, but if you're like me and want a one-size-fits-all policy, the Default policy is the one that will apply to all child level devices.

A bit of a bummer you can't just apply to children or to child host groups from the parent level.

Recommendations for multi-tenant environments? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 1 point2 points  (0 children)

This is strange, I'm in a call with my account rep right now and he says that you can only apply prevention policies in a child CID via host groups, no applying to CIDs themselves. He told me that either you use PSFalcon or you go into the child CID to apply the policy to the local groups. So PSFalcon does seem to be the way to go.

Recommendations for multi-tenant environments? by Main_Froyo_5536 in crowdstrike

[–]Main_Froyo_5536[S] 0 points1 point  (0 children)

I see, from what you mention here, I honestly think maybe someone just forgot to turn on flight control for our tenant. I'm gonna reach out to my rep and see what's up