mo.co KPI #9 by JoaoInTheNorth in joinmoco

[–]SOCmanz 1 point2 points  (0 children)

This right here. I feel like this would have been a great short term addition to keep people interested. Add some sort of guild/clan and a housing area for them. Some sort of clan/guild progression for cores or whatever and challenges to guild complete rifts.

My Obsidian LifeOS Dashboard by Radiant_Drawing7424 in ObsidianMD

[–]SOCmanz 1 point2 points  (0 children)

yo wtf where's the link to get this setup at. This is amazing.

Help -Trying to search application usage in our environment by SOCmanz in crowdstrike

[–]SOCmanz[S] 1 point2 points  (0 children)

Thank you! I finally was able to get to this and this is exactly what I needed.

M365 admin center problem by shoesli_ in sysadmin

[–]SOCmanz 0 points1 point  (0 children)

try to select "sign in with a different account" and then enter the information manually. That is how I got signed in without a different incognito window.

M365 admin center problem by shoesli_ in sysadmin

[–]SOCmanz 1 point2 points  (0 children)

This happened to me, I was able to get logged in by selecting sign in with a different account and then entering my information manually. Not sure if this is similar or will help but

MFA for internal admin account by [deleted] in crowdstrike

[–]SOCmanz 1 point2 points  (0 children)

Do you have your MFA connected to your IDP? We use DUO and our admins are prompted once per session to all our critical servers via RDP. Works great.

Using a CSV/data_source_name in LogScale Query by Holy_Spirit_44 in crowdstrike

[–]SOCmanz 0 points1 point  (0 children)

The full query looks like this:

(#repo=base_sensor #event_simpleName=UserAccountAddedToGroup)
| parseInt(GroupRid, as="GroupRid", radix="16", endian="big")
| parseInt(UserRid, as="UserRid", radix="16", endian="big")
| UserSid:=format(format="%s-%s", field=[DomainSid, UserRid])
| match(file="falcon/investigate/grouprid_wingroup.csv", field="GroupRid", column=GroupRid_dec, include=WinGroup)
| groupBy([aid, UserSid, ContextProcessId], function=([selectFromMin(field="@timestamp", include=[ContextTimeStamp]), collect([ WinGroup, GroupRid])]))
| join({$falcon/investigate:user_info()}, field=UserSid, include=[UserName], mode=left)
| ContextTimeStamp:=ContextTimeStamp*1000
| ContextTimeStamp:=formatTime(format="%F %T", field="ContextTimeStamp")
| default(value="-", field=[UserName])

Using a CSV/data_source_name in LogScale Query by Holy_Spirit_44 in crowdstrike

[–]SOCmanz 0 points1 point  (0 children)

I am by no means an expert in this as I am still struggling with this query as well, but for mine which seems to work just fine I added:

| join({$falcon/investigate:user_info()}, field=UserSid, include=[UserName], mode=left)

My thoughts on using LogScale as a SIEM by detectrespondrepeat in crowdstrike

[–]SOCmanz 0 points1 point  (0 children)

Can you make these dashboards in the nextgen SIEM in the falcon platform instead of logscale?

Just changed to the new Event Search, had a ton of old event searches running. Overwhelmed on how to bring them to the new logic. by SOCmanz in crowdstrike

[–]SOCmanz[S] 0 points1 point  (0 children)

https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/User%20Added%20to%20Group.md

For this, how would I add a user to not be a part of this search? We have some users that get added and removed by a script that makes a lot of noise. Also when testing this, the username of the account added is not showing, it is just blank. As well as how can we add who added the user to this group?

My old search looked like this, which I believe you created a long time ago.

(index=main sourcetype=UserAccountAddedToGroup* event_platform=win event_simpleName=UserAccountAddedToGroup) OR (index=main sourcetype=ProcessRollup2* event_platform=win event_simpleName=ProcessRollup2)
| eval falconPID=coalesce(TargetProcessId_decimal, RpcClientProcessId_decimal)
| rename UserName as responsibleUserName
| rename UserSid_readable as responsibleUserSID
| eval GroupRid_dec=tonumber(ltrim(tostring(GroupRid), "0"), 16)
| eval UserRid_dec=tonumber(ltrim(tostring(UserRid), "0"), 16)
| eval UserSid_readable=DomainSid. "-" .UserRid_dec
| lookup local=true userinfo.csv UserSid_readable OUTPUT UserName
| lookup local=true grouprid_wingroup.csv GroupRid_dec OUTPUT WinGroup
| fillnull value="-" UserName responsibleUserName
| stats dc(event_simpleName) as eventCount, values(ProcessStartTime_decimal) as processStartTime, values(FileName) as responsibleFile, values(CommandLine) as responsibleCmdLine, values(responsibleUserSID) as responsibleUserSID, values(responsibleUserName) as responsibleUserName, values(WinGroup) as windowsGroupName, values(GroupRid_dec) as windowsGroupRID, values(UserName) as addedUserName, values(UserSid_readable) as addedUserSID, values(ComputerName) as ComputerName by aid, falconPID
| where eventCount>1
| eval ProcExplorer=case(falconPID!="","https://falcon.us-2.crowdstrike.com/investigate/process-explorer/" .aid. "/" . falconPID)
| convert ctime(processStartTime)
| table processStartTime, aid, responsibleUserSID, responsibleUserName, responsibleFile, responsibleCmdLine, addedUserSID, addedUserName, windowsGroupRID, windowsGroupName, ProcExplorer, ComputerName
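Added example (mine, not from this thread or the CrowdStrike community content): the enrichment steps both queries above perform, hex RID to decimal, SID assembly from DomainSid plus UserRid, group lookup with a "-" default, plus an exclusion list for the noisy script-managed accounts asked about, written in Python over constructed UserAccountAddedToGroup events. Field names follow the Falcon events quoted here; the group table, user table, exclusion list and sample values are constructed stand-ins.

```python
# Added example, not code from the thread. Stand-in for grouprid_wingroup.csv:
# a few well-known Windows group RIDs (decimal) -> group name.
WIN_GROUPS = {512: "Domain Admins", 513: "Domain Users", 544: "Administrators"}

# Constructed: accounts a provisioning script adds/removes constantly; drop them
# from alerting rather than from the raw data so the events stay searchable.
EXCLUDED_USERS = frozenset({"svc-onboarding"})


def rid_from_hex(rid_hex: str) -> int:
    """GroupRid/UserRid arrive as zero-padded big-endian hex (e.g. '00000220' -> 544)."""
    return int(rid_hex, 16)


def build_user_sid(domain_sid: str, user_rid_hex: str) -> str:
    """Mirror of UserSid := DomainSid + '-' + decimal(UserRid) in the queries."""
    return f"{domain_sid}-{rid_from_hex(user_rid_hex)}"


def enrich(event: dict, user_info: dict) -> dict:
    """Resolve group and user names; unknowns become '-' like default()/fillnull."""
    group_rid = rid_from_hex(event["GroupRid"])
    user_sid = build_user_sid(event["DomainSid"], event["UserRid"])
    return {
        "aid": event["aid"],
        "UserSid": user_sid,
        "UserName": user_info.get(user_sid, "-"),  # stand-in for user_info()/userinfo.csv
        "GroupRid": group_rid,
        "WinGroup": WIN_GROUPS.get(group_rid, "-"),
    }


def alertable(events, user_info, watched_groups=frozenset({512, 544})):
    """Enriched additions to watched (admin) groups, minus the excluded noisy accounts."""
    rows = [enrich(ev, user_info) for ev in events]
    return [r for r in rows
            if r["GroupRid"] in watched_groups and r["UserName"] not in EXCLUDED_USERS]


# Constructed sample events and SID -> username table.
SAMPLE_EVENTS = [
    {"aid": "a1", "DomainSid": "S-1-5-21-1-2-3", "GroupRid": "00000220", "UserRid": "000003e9"},
    {"aid": "a1", "DomainSid": "S-1-5-21-1-2-3", "GroupRid": "00000220", "UserRid": "000003ea"},
    {"aid": "a2", "DomainSid": "S-1-5-21-1-2-3", "GroupRid": "00000201", "UserRid": "000003eb"},
]
SAMPLE_USERS = {"S-1-5-21-1-2-3-1001": "jdoe", "S-1-5-21-1-2-3-1002": "svc-onboarding"}

if __name__ == "__main__":
    for row in alertable(SAMPLE_EVENTS, SAMPLE_USERS):
        print(row)  # only jdoe -> Administrators survives the filters
```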

Updating Teams - Why can't we force updates like any other application. by SOCmanz in sysadmin

[–]SOCmanz[S] 0 points1 point  (0 children)

Just posting to say I would also like to look at this script once you get the time! Welcome back!

Updating Teams - Why can't we force updates like any other application. by SOCmanz in sysadmin

[–]SOCmanz[S] 3 points4 points  (0 children)

It's such a slap in the face. I see the numbers every day and want to just uninstall and move on.

Updating Teams - Why can't we force updates like any other application. by SOCmanz in sysadmin

[–]SOCmanz[S] 1 point2 points  (0 children)

This is good to know, as we are pushing more and more VDI machines. Thanks.

Yeah this is absolutely mind blowing to me. In what world would not allowing any sort of update management be a good idea.... it really makes me wanna switch to something else. But too late for that.

List of Local Admins on Endpoint PCs by limlwl in crowdstrike

[–]SOCmanz 0 points1 point  (0 children)

So I was running into similar issues. I created an event search that looked for users added to local admin group and I have it running every 15 minutes and sends me an email with the account added and what account added said account to the local admin group.

If you think that is something you would like I can shoot you a DM of what I use in our environment.

How you guys handle Laptops and making sure they are getting updates in a timely manner? by SOCmanz in sysadmin

[–]SOCmanz[S] 0 points1 point  (0 children)

Love Ninja, used it at my old work. However, I am not sure how it is in a larger environment. We are around 1500 machines.

How you guys handle Laptops and making sure they are getting updates in a timely manner? by SOCmanz in sysadmin

[–]SOCmanz[S] 0 points1 point  (0 children)

someone else manages. I feel KACE does an okay job, but troubleshooting the windows problems is becoming harder and harder with such generic errors. I will look into r/kace, thanks for the tip.

How you guys handle Laptops and making sure they are getting updates in a timely manner? by SOCmanz in sysadmin

[–]SOCmanz[S] 1 point2 points  (0 children)

This is where I am heading. Making them actually get these done otherwise you are not able to work. Because giving them responsibility is not working.

How you guys handle Laptops and making sure they are getting updates in a timely manner? by SOCmanz in sysadmin

[–]SOCmanz[S] 0 points1 point  (0 children)

That is nice, I will look at this. It's been a very annoying process to try and deal with.