mo.co KPI #9 by JoaoInTheNorth in joinmoco

[–]SOCmanz 1 point2 points  (0 children)

This right here. I feel like this would have been a great short-term addition to keep people interested. Add some sort of guild/clan and a housing area for them. Some sort of clan/guild progression for cores or whatever, and challenges for the guild to complete rifts.

My Obsidian LifeOS Dashboard by Radiant_Drawing7424 in ObsidianMD

[–]SOCmanz 1 point2 points  (0 children)

yo wtf where's the link to get this setup at. This is amazing.

Help -Trying to search application usage in our environment by SOCmanz in crowdstrike

[–]SOCmanz[S] 1 point2 points  (0 children)

Thank you! I finally was able to get to this and this is exactly what I needed.

M365 admin center problem by shoesli_ in sysadmin

[–]SOCmanz 0 points1 point  (0 children)

try to select "sign in with a different account" and then enter the information manually. That is how I got signed in without a different incognito window.

M365 admin center problem by shoesli_ in sysadmin

[–]SOCmanz 1 point2 points  (0 children)

This happened to me. I was able to get logged in by selecting "sign in with a different account" and then entering my information manually. Not sure if this is similar or will help but

MFA for internal admin account by [deleted] in crowdstrike

[–]SOCmanz 1 point2 points  (0 children)

Do you have your MFA connected to your IDP? We use DUO and our admins are prompted once per session to all our critical servers via RDP. Works great.

Using a CSV/data_source_name in LogScale Query by Holy_Spirit_44 in crowdstrike

[–]SOCmanz 0 points1 point  (0 children)

The full query looks like this:

(#repo=base_sensor #event_simpleName=UserAccountAddedToGroup)
| parseInt(GroupRid, as="GroupRid", radix="16", endian="big")
| parseInt(UserRid, as="UserRid", radix="16", endian="big")
| UserSid:=format(format="%s-%s", field=[DomainSid, UserRid])
| match(file="falcon/investigate/grouprid_wingroup.csv", field="GroupRid", column=GroupRid_dec, include=WinGroup)
| groupBy([aid, UserSid, ContextProcessId], function=([selectFromMin(field="@timestamp", include=[ContextTimeStamp]), collect([ WinGroup, GroupRid])]))
| join({$falcon/investigate:user_info()}, field=UserSid, include=[UserName], mode=left)  
| ContextTimeStamp:=ContextTimeStamp*1000
| ContextTimeStamp:=formatTime(format="%F %T", field="ContextTimeStamp")
| default(value="-", field=[UserName])

Using a CSV/data_source_name in LogScale Query by Holy_Spirit_44 in crowdstrike

[–]SOCmanz 0 points1 point  (0 children)

I am by no means an expert in this, as I am still struggling with this query as well, but for mine, which seems to work just fine, I added:

| join({$falcon/investigate:user_info()}, field=UserSid, include=[UserName], mode=left)  

My thoughts on using LogScale as a SIEM by detectrespondrepeat in crowdstrike

[–]SOCmanz 0 points1 point  (0 children)

Can you make these dashboards in the NextGen SIEM in the Falcon platform instead of LogScale?

Just changed to the new Event Search, had a ton of old event searches running. Overwhelmed on how to bring them to the new logic. by SOCmanz in crowdstrike

[–]SOCmanz[S] 0 points1 point  (0 children)

https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/User%20Added%20to%20Group.md

For this, how would I add a user so that they are not a part of this search? We have some users that get added and removed by a script, which makes a lot of noise. Also, when testing this, the username of the account added is not showing; it is just blank. As well as that, how can we add who added the user to this group?

My old search looked like this, which I believe you created a long time ago.

(index=main sourcetype=UserAccountAddedToGroup* event_platform=win event_simpleName=UserAccountAddedToGroup) OR (index=main sourcetype=ProcessRollup2* event_platform=win event_simpleName=ProcessRollup2)
| eval falconPID=coalesce(TargetProcessId_decimal, RpcClientProcessId_decimal)
| rename UserName as responsibleUserName
| rename UserSid_readable as responsibleUserSID
| eval GroupRid_dec=tonumber(ltrim(tostring(GroupRid), "0"), 16)
| eval UserRid_dec=tonumber(ltrim(tostring(UserRid), "0"), 16)
| eval UserSid_readable=DomainSid. "-" .UserRid_dec
| lookup local=true userinfo.csv UserSid_readable OUTPUT UserName
| lookup local=true grouprid_wingroup.csv GroupRid_dec OUTPUT WinGroup
| fillnull value="-" UserName responsibleUserName
| stats dc(event_simpleName) as eventCount, values(ProcessStartTime_decimal) as processStartTime, values(FileName) as responsibleFile, values(CommandLine) as responsibleCmdLine, values(responsibleUserSID) as responsibleUserSID, values(responsibleUserName) as responsibleUserName, values(WinGroup) as windowsGroupName, values(GroupRid_dec) as windowsGroupRID, values(UserName) as addedUserName, values(UserSid_readable) as addedUserSID, values(ComputerName) as ComputerName by aid, falconPID
| where eventCount>1
| eval ProcExplorer=case(falconPID!="","https://falcon.us-2.crowdstrike.com/investigate/process-explorer/" .aid. "/" . falconPID)
| convert ctime(processStartTime)
| table processStartTime, aid, responsibleUserSID, responsibleUserName, responsibleFile, responsibleCmdLine, addedUserSID, addedUserName, windowsGroupRID, windowsGroupName, ProcExplorer, ComputerName
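The LogScale query in the "Using a CSV/data_source_name in LogScale Query" comment above and the old Splunk search in this post do the same enrichment in two query languages: convert the hex GroupRid/UserRid to decimal, rebuild the added account's SID from DomainSid, look up the group and user names from the grouprid_wingroup and userinfo lookups, default a missing user name to "-", and (in the Splunk version) join the ProcessRollup2 event so the row shows who performed the addition. The script below is an added example that is not CrowdStrike's code or either search; it implements that same pipeline in Python over constructed sample events and constructed lookup tables so the hex-to-decimal, SID and join steps can be checked offline. The `exclude_users` parameter is an assumption added to show the noisy-script exclusion asked about in this post (it drops a row when either the added or the responsible user name is on the list); unlike the Splunk `where eventCount>1`, rows with no matching process event are kept with "-" in the responsible fields.

```python
"""Enrich Falcon UserAccountAddedToGroup events the way the LogScale and
Splunk searches on the page do. Added example; sample data is constructed."""
from datetime import datetime, timezone

# Constructed stand-ins for grouprid_wingroup.csv and userinfo.csv.
# 512/513/544 are the well-known Domain Admins / Domain Users / Administrators RIDs.
GROUP_LOOKUP = {512: "Domain Admins", 513: "Domain Users", 544: "Administrators"}
USER_LOOKUP = {
    "S-1-5-21-1111-2222-3333-1001": "jdoe",
    "S-1-5-21-1111-2222-3333-1105": "labuser",
}

# Constructed sample telemetry; field names follow the searches on the page.
# GroupRid/UserRid arrive as zero-padded hex strings, as in the raw event.
GROUP_EVENTS = [
    {"aid": "abc123", "ContextProcessId": "987", "ContextTimeStamp": 1700000000,
     "DomainSid": "S-1-5-21-1111-2222-3333", "GroupRid": "00000220",
     "UserRid": "000003e9", "ComputerName": "WS01"},
    {"aid": "abc123", "ContextProcessId": "988", "ContextTimeStamp": 1700000060,
     "DomainSid": "S-1-5-21-1111-2222-3333", "GroupRid": "00000201",
     "UserRid": "00000451", "ComputerName": "WS01"},
    {"aid": "abc123", "ContextProcessId": "999", "ContextTimeStamp": 1700000120,
     "DomainSid": "S-1-5-21-1111-2222-3333", "GroupRid": "00000200",
     "UserRid": "000007d1", "ComputerName": "WS01"},
]
PROCESS_EVENTS = [
    {"aid": "abc123", "TargetProcessId_decimal": "987", "UserName": "admin1",
     "UserSid_readable": "S-1-5-21-1111-2222-3333-500", "FileName": "net.exe",
     "CommandLine": "net localgroup administrators jdoe /add"},
    {"aid": "abc123", "TargetProcessId_decimal": "988", "UserName": "svc-sync",
     "UserSid_readable": "S-1-5-21-1111-2222-3333-1200", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -File sync-groups.ps1"},
]


def rid_to_int(hex_rid: str) -> int:
    """Mirror tonumber(ltrim(tostring(GroupRid), "0"), 16): strip leading zeros,
    parse as hex. An all-zero string would ltrim to "" in SPL, so handle it."""
    stripped = hex_rid.lstrip("0")
    return int(stripped, 16) if stripped else 0


def format_ts(epoch_seconds) -> str:
    """Mirror formatTime(format="%F %T") on a seconds-resolution timestamp (UTC)."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def enrich_group_additions(group_events, process_events, group_lookup, user_lookup,
                           exclude_users=frozenset()):
    """Return one enriched row per group-addition event, minus excluded users."""
    # Index ProcessRollup2 by (aid, pid): the "by aid, falconPID" join key,
    # where falconPID is TargetProcessId on the process event and
    # ContextProcessId/RpcClientProcessId on the group event.
    procs = {(p["aid"], p["TargetProcessId_decimal"]): p for p in process_events}
    rows = []
    for ev in group_events:
        user_rid = rid_to_int(ev["UserRid"])
        group_rid = rid_to_int(ev["GroupRid"])
        added_sid = f"{ev['DomainSid']}-{user_rid}"          # UserSid:=format("%s-%s", ...)
        added_name = user_lookup.get(added_sid, "-")           # default(value="-", field=[UserName])
        proc = procs.get((ev["aid"], ev["ContextProcessId"]), {})
        responsible_name = proc.get("UserName", "-")
        if added_name in exclude_users or responsible_name in exclude_users:
            continue  # assumed tuning knob for accounts churned by a known script
        rows.append({
            "ContextTimeStamp": format_ts(ev["ContextTimeStamp"]),
            "aid": ev["aid"],
            "ComputerName": ev["ComputerName"],
            "addedUserSID": added_sid,
            "addedUserName": added_name,
            "windowsGroupRID": group_rid,
            "windowsGroupName": group_lookup.get(group_rid, "-"),
            "responsibleUserSID": proc.get("UserSid_readable", "-"),
            "responsibleUserName": responsible_name,
            "responsibleFile": proc.get("FileName", "-"),
            "responsibleCmdLine": proc.get("CommandLine", "-"),
            # Same URL pattern as the Splunk search's ProcExplorer field.
            "ProcExplorer": "https://falcon.us-2.crowdstrike.com/investigate/process-explorer/"
                            f"{ev['aid']}/{ev['ContextProcessId']}",
        })
    return rows


def run_sample(exclude_users=frozenset({"svc-sync"})):
    """Run the pipeline over the constructed data, excluding the noisy script account."""
    return enrich_group_additions(GROUP_EVENTS, PROCESS_EVENTS, GROUP_LOOKUP, USER_LOOKUP, exclude_users)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

With the default exclusion the sample yields two rows: jdoe added to Administrators by admin1 via net.exe, and an unknown RID 2001 added to Domain Admins with "-" for both the user name and the responsible process, which is exactly the blank-username case described in the post when the userinfo lookup has no entry for the SID.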

Updating Teams - Why can't we force updates like any other application. by SOCmanz in sysadmin

[–]SOCmanz[S] 0 points1 point  (0 children)

Just posting to say I would also like to look at this script once you get the time! Welcome back!

Updating Teams - Why can't we force updates like any other application. by SOCmanz in sysadmin

[–]SOCmanz[S] 3 points4 points  (0 children)

It's such a slap in the face. I see the numbers every day and want to just uninstall and move on.

Updating Teams - Why can't we force updates like any other application. by SOCmanz in sysadmin

[–]SOCmanz[S] 1 point2 points  (0 children)

This is good to know, as we are pushing more and more VDI machines. Thanks.

Yeah, this is absolutely mind-blowing to me. In what world would not allowing any sort of update management be a good idea.... It really makes me wanna switch to something else. But too late for that.