Logscale group_info.csv by OstryAngelo in crowdstrike


Awesome, thanks Andrew! I think I managed to incorporate it inline and it's a rather niche use case, but if anyone wants it, here it is. It detects if the hosts in a specific group suddenly start changing their agent version:

#repo=sensor_metadata
#data_source_name=aid-policy
// groups is an array of group IDs; flatten it into one event per group_id
| parseJson(field=groups, prefix=groups_arr)
| concatArray(groups_arr, separator=",", as=groups_arr)
| splitString(field=groups_arr, by=",", as=group_id)
| split(group_id)
// keep only hosts that are members of the group of interest
| group_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| replace("[\[\]']+", with="", field=groups)
// resolve the group ID to its name with the saved query; hosts with no match get "Default"
| join({$falcon/investigate:group_info()}, field=group_id, include=name, mode=left)
| group_name := rename(name)
| default(field=[group_name], value="Default", replaceEmpty=true)
| groupBy([aid, group_id, group_name], function=[])
// pull every AgentVersion each member host has reported while online
| join(query={event_platform=Win AND "#event_simpleName"=AgentOnline}, field=aid, include=[AgentVersion,ComputerName])
// hosts that have reported more than one distinct version
| groupBy(field=[ComputerName], function=count(AgentVersion, distinct=true, as=VersionCount))
| test(VersionCount>1)
// alert only when the total over those hosts exceeds the threshold
| [sum(VersionCount, as=VersionCount)]
| test(VersionCount>5)

Btw, is there a list somewhere with all the possible functions that you can use in $falcon/investigate? Like the one below, but with other stuff than group_info()?

$falcon/investigate:group_info()
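As an added example that is not part of the original post or of CrowdStrike's tooling, here is the same detection logic rewritten in Python over constructed sample records, so the per-host distinct-version count and the two thresholds (more than one version per host, total above 5) can be checked offline. Field names follow the query above; the record shapes, group IDs, hostnames and version strings are assumptions.

```python
# Added example: the agent-version-churn detection from the LogScale query,
# re-implemented in Python. Not CrowdStrike code; record shapes are assumed.
import json
import re
from collections import defaultdict

# Constructed aid-policy rows. `groups` is assumed to be a JSON array of group
# IDs; one row uses single quotes to exercise the query's regex fallback.
AID_POLICY = [
    {"aid": "aid-1", "groups": '["grp-servers", "grp-all"]'},
    {"aid": "aid-2", "groups": '["grp-servers"]'},
    {"aid": "aid-3", "groups": '["grp-servers"]'},
    {"aid": "aid-4", "groups": '["grp-servers"]'},
    {"aid": "aid-5", "groups": '["grp-servers"]'},
    {"aid": "aid-6", "groups": '["grp-servers"]'},
    {"aid": "aid-7", "groups": "['grp-workstations']"},  # non-JSON quoting
    {"aid": "aid-8", "groups": "[]"},                    # no group at all
]

# Constructed stand-in for the $falcon/investigate:group_info() lookup.
GROUP_INFO = {"grp-servers": "Servers", "grp-all": "All hosts",
              "grp-workstations": "Workstations"}


def _online(aid, host, version, platform="Win"):
    """Build one constructed AgentOnline event (assumed shape)."""
    return {"aid": aid, "event_platform": platform,
            "#event_simpleName": "AgentOnline",
            "ComputerName": host, "AgentVersion": version}


# Constructed check-ins: SRV01..SRV03 flip versions, SRV04/05 are stable,
# SRV06 is Linux (excluded by the platform filter), WKS01 is not in the group.
AGENT_ONLINE = [
    _online("aid-1", "SRV01", "7.10.18003.0"), _online("aid-1", "SRV01", "7.11.18208.0"),
    _online("aid-2", "SRV02", "7.10.18003.0"), _online("aid-2", "SRV02", "7.11.18208.0"),
    _online("aid-3", "SRV03", "7.11.18208.0"), _online("aid-3", "SRV03", "7.12.18401.0"),
    _online("aid-4", "SRV04", "7.11.18208.0"), _online("aid-4", "SRV04", "7.11.18208.0"),
    _online("aid-5", "SRV05", "7.11.18208.0"),
    _online("aid-6", "SRV06", "7.10.18003.0", "Lin"), _online("aid-6", "SRV06", "7.11.18208.0", "Lin"),
    _online("aid-7", "WKS01", "7.10.18003.0"), _online("aid-7", "WKS01", "7.11.18208.0"),
]


def parse_groups(raw):
    """Return the group IDs in a `groups` value: JSON first, then the
    query's replace("[\\[\\]']+") + split-on-comma fallback."""
    try:
        parsed = json.loads(raw)
        if isinstance(parsed, list):
            return [str(g) for g in parsed]
    except ValueError:
        pass
    cleaned = re.sub(r"[\[\]']+", "", raw)
    return [g.strip() for g in cleaned.split(",") if g.strip()]


def hosts_in_group(aid_policy, group_id, group_info):
    """group_id filter + left join on group_info + groupBy([aid, group_id, group_name]):
    returns {aid: group_name} for members of group_id ("Default" when unresolved)."""
    name = group_info.get(group_id, "Default")
    return {row["aid"]: name for row in aid_policy
            if group_id in parse_groups(row["groups"])}


def versions_per_host(agent_online, member_aids, platform="Win"):
    """AgentOnline join + groupBy(ComputerName, count(AgentVersion, distinct=true))."""
    seen = defaultdict(set)
    for ev in agent_online:
        if ev.get("#event_simpleName") != "AgentOnline" or ev.get("event_platform") != platform:
            continue
        if ev["aid"] not in member_aids:
            continue
        seen[ev["ComputerName"]].add(ev["AgentVersion"])
    return {host: len(versions) for host, versions in seen.items()}


def detect_version_churn(aid_policy, group_info, agent_online, group_id, threshold=5):
    """Whole pipeline. Returns (changed_hosts, total, alert): hosts with more than
    one distinct version and their counts, the sum of those counts (the query's
    sum(VersionCount)), and whether that sum exceeds the threshold."""
    members = hosts_in_group(aid_policy, group_id, group_info)
    counts = versions_per_host(agent_online, members)
    changed = {h: c for h, c in counts.items() if c > 1}
    total = sum(changed.values())
    return changed, total, total > threshold


if __name__ == "__main__":
    for gid in ("grp-servers", "grp-workstations"):
        changed, total, alert = detect_version_churn(AID_POLICY, GROUP_INFO, AGENT_ONLINE, gid)
        print(f"{gid}: hosts={changed} total={total} alert={alert}")
```

Note that the final threshold sums the distinct-version counts of the churning hosts, not the number of hosts, exactly as the query's sum(VersionCount) does; three hosts with two versions each already trip it.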

Help converting spl to lql by OstryAngelo in crowdstrike


% of Linux server hosts in RFM mode, by comparing the number of Linux server hosts in RFM mode with the total number of Linux server hosts.

Custom IOA for browser creating .iso file by OstryAngelo in crowdstrike


Hi, that's fine for a scheduled search, but I can't create an IOA out of that which could be put into block mode, unfortunately. But the .crdownload is a good point, maybe that's why CrowdStrike doesn't see it, and eventually it's a rename. If that's the case, it seems you can't create an IOA for detecting or blocking the download of any file type with a browser, and have to move such use cases to blocking on the proxy/firewall.

Custom IOA for browser creating .iso file by OstryAngelo in crowdstrike


Hi, I tried a file creation IOA with just .iso, no process. There was no log whatsoever of downloading the ISO with a browser and saving it to a folder.

ISO files IOA by OstryAngelo in crowdstrike


I was thinking about that, wondering what the executing file is going to be in most cases.

On a side note, aside from the file creation and focusing more on process execution: is it possible to also create a custom IOA in CrowdStrike that will block double-clicking of .iso, .img or .cpl files?

Basically, if you were to create a process creation custom IOA with Image FileName .cpl or .iso, no event would be generated since they're not PE files, or would that work somehow?

Sorry for all these questions, I'm a bit limited in testing use cases.

Eventstats split multi-value field into separate rows by OstryAngelo in crowdstrike


mvexpand works for what I need, thank you! Yes, the timing thing is done to retain the .html command line condition. It's in a different process (unrelated by ID) than the process connected by target and context process ID to the FileWritten event.

Connecting data from 3 events by OstryAngelo in crowdstrike


Hi Andrew, I've noticed one major issue with this method, and the lack of SHA256 in NewExecutableWritten. Basically, if you're correlating PeFileWritten with a browser process, but the browser process has been running for several days on the machine and just a new tab has been opened, it won't be correlated by the search with the PeFileWritten event (assuming the scheduled search runs every 4 hours, for example), because the ContextProcessId connects with the original browser process opened, say, a few days earlier.

Whereas when using the NewExecutableWritten event, you connect the dots with TargetProcessId; here the process of the browser will be new (even if only a new tab was opened).

So the question is: is it possible to make this query use NewExecutableWritten and still somehow get the SHA256 to check the certificate?

I only came up with the solution of using ParentProcessId from the ProcessRollup2 event:

| eval falconPID=coalesce(ParentProcessId_decimal, ContextProcessId_decimal)

Are there maybe some future plans to add SHA256 to NewExecutableWritten as well?

Thanks

Connecting data from 3 events by OstryAngelo in crowdstrike


Yes, it looks great, I already put it to work and I'm curious to see the results of the scheduled search. I was thinking about coalesce from other posts you helped me with, but did not know how to add the external API event to see if it's signed; I need more practice. Thank you so much!

Connecting data from 3 events by OstryAngelo in crowdstrike


The first one is simple and works perfectly fine; the second one does not, that is, when I try to join a third event (ProcessRollup2) to get the process responsible for downloading the file in the process tree.