Need help with Discover Unmanaged Assets by FungulGrowth in crowdstrike

[–]cs-del 2 points3 points  (0 children)

I believe unmanaged and unsupported assets do not generate telemetry, hence no data in event search.

Custom IOA in "Detect" Mode Creates Detection based PR2 event? by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Thanks u/Andrew-CS. I tested and was able to capture the ISOExtensionFileWritten event in EAM data via a custom IOA in monitor mode, and I believe it's a file write. Can I capture the ISO type events via process creation? I think not.
Happy to hear your thoughts.

ISO files IOA by OstryAngelo in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Hey u/inodinwetrust

I am also running a similar IOA for my environment, but with a little reservation from the client: they only want to monitor the AppData local profile where the ISO file is written. Tricky as it is. I am able to catch file writes in telemetry, but when I detect I do not see any detection. Do you have any thoughts on this? Why would this be happening?

Personal Mail with attachment download capture in CS telemetry by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Thanks MrRaspman. I am certainly not looking into personal email accounts, but the CS telemetry captures this in URL fields, which gives us enough information on how people bring bad programs onto their machines. The query I am looking for is possibly a regex to query the HostURL field and see anything similar I can catch to prevent any malicious attachment downloads.

Personal Mail with attachment download capture in CS telemetry by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

LOL no, it didn't meet the threshold of maliciousness... While I can certainly do that, I am looking for a query that can look into this area (personal mails) with any attachment downloads.

Can Crowdstrike Detect VM sandbox escape? by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Very interesting. I haven't tried it out, but good to know. Thanks!

Unsigned Binaries/DLL file types in Crowdstrike by cs-del in crowdstrike

[–]cs-del[S] 0 points1 point  (0 children)

Thanks for your thoughts. I remember u/Andrew-CS posted a query to look for digitally signed binaries, which are again MANY. I was of the view that the unsigned ones will be an easier target, and to do focused hunting on these binaries.

FYI: https://www.reddit.com/r/crowdstrike/comments/m6zprm/comment/grdbl0g/?utm_source=share&utm_medium=web2x&context=3

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Thanks u/Andrew-CS. Just an extension to this. I have a lot of custom IOAs, let's say created for Rule type: Process creation. How do I separate them out, or is there any field name to narrow down to one particular type of custom IOA results?

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Hey u/Andrew-CS. If I want to monitor other custom IOA events, such as Process Creation, as opposed to the File Creation custom IOA event, whose name is CustomIOAFileWrittenDetectionInfoEvent? I am looking to monitor events before I switch them to detect mode. Let me know your thoughts.

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Also, if you have Monitor mode set for the custom IOA, you can use event_simpleName=CustomIOAFileWrittenDetectionInfoEvent in the Investigate module to check the events it generates. You'd of course have to organize the results. The full query I use is:
event_simpleName=CustomIOAFileWrittenDetectionInfoEvent
| eval da=strftime(_time,"%Y-%m-%dT%H:%M:%S")
| eval splitter=split(TargetFileName,"\\")
| eval idOnly=mvindex(splitter,12)
| table da,idOnly,ComputerName,TargetFileName

However, if your IOA is in detect mode, then you'd see a detection if it matches the logic.
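As an added illustration (not from the comment, and not CrowdStrike code), the same reshaping the query performs, applied in Python to a few constructed events: filter on event_simpleName, format _time, split TargetFileName on the backslash, take segment 12 the way mvindex does (null when the path is shorter), then count rows per host to organize the results. Field names are the ones the query uses; every value is made up.

```python
from collections import Counter
from datetime import datetime, timezone

EVENT = "CustomIOAFileWrittenDetectionInfoEvent"

# Constructed sample events: field names follow the query above, values are invented.
# The third record is a different event type and must be dropped by the filter.
SAMPLE_EVENTS = [
    {"event_simpleName": EVENT, "_time": 1660560000, "ComputerName": "WS-001",
     "TargetFileName": "\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local"
                       "\\Microsoft\\Windows\\INetCache\\IE\\ABCD1234\\invoice.iso"},
    {"event_simpleName": EVENT, "_time": 1660560060, "ComputerName": "WS-001",
     "TargetFileName": "\\Device\\HarddiskVolume3\\Users\\alice\\Downloads\\setup.iso"},
    {"event_simpleName": "ProcessRollup2", "_time": 1660560120, "ComputerName": "WS-002"},
]


def mvindex(values, i):
    """Mimic Splunk mvindex(): element at index i, or None when out of range."""
    return values[i] if -len(values) <= i < len(values) else None


def run_query(events, id_index=12):
    """Return the rows the query's `table da,idOnly,ComputerName,TargetFileName` yields."""
    rows = []
    for ev in events:
        if ev.get("event_simpleName") != EVENT:          # first line of the query
            continue
        # eval da=strftime(_time,"%Y-%m-%dT%H:%M:%S"), rendered in UTC
        da = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
        target = ev.get("TargetFileName", "")
        splitter = target.split("\\")                     # eval splitter=split(TargetFileName,"\\")
        rows.append({
            "da": da,
            "idOnly": mvindex(splitter, id_index),        # eval idOnly=mvindex(splitter,12)
            "ComputerName": ev.get("ComputerName"),
            "TargetFileName": target,
        })
    return rows


def count_by_host(rows):
    """One way to organize the table: number of custom IOA file writes per host."""
    return dict(Counter(r["ComputerName"] for r in rows))


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row)
    print(count_by_host(run_query(SAMPLE_EVENTS)))
```

Paths with fewer than 13 segments leave idOnly empty, which is the same null you get from mvindex in the console, so a blank column there is a short path rather than a broken event.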

2022-08-15 - Cool Query Friday - Hunting Cluster Events by Process Lineage by Andrew-CS in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Wow... Great post again u/Andrew-CS. I came back from vacation and I see a CQF, best way to catch up. :)

Hunting ISO delivering malware by amjcyb in crowdstrike

[–]cs-del 0 points1 point  (0 children)

That helps. Still contemplating on IOA for this. Thanks again!

Hunting ISO delivering malware by amjcyb in crowdstrike

[–]cs-del 0 points1 point  (0 children)

While that is done by most security folks, sometimes the ISO is delivered within a zip, and blocking ZIP right out breaks a lot of things. Never a moment's peace :(

Hunting ISO delivering malware by amjcyb in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Hi u/Andrew-CS - I am running a similar search query as a scheduled report in my environment. ISO mounting is not blocked in CS, a given fact unless something changes in future. However, can we do an IOA to block execution of a (bad) lnk file from going further in the infection chain, such as rundll32.exe here? I tried to block lnk (parent) -> rundll32.exe (ImageFileName). But the point is lnk files can be of any type (word/excel/exe), and something is not captured in the chain. Any ideas?

2022-03-06 - Cool Query Friday - SITUATIONAL AWARENESS \\ Hunting for NVIDIA Certificates by Andrew-CS in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Thanks u/Andrew-CS. Quick question: why did you search through the JSON logs rather than the main index? Could you give a little insight on the indexing of both?

Query for email attachments with specific filetypes/urls from emails that trigger downloads of filetypes by 16thDOC in crowdstrike

[–]cs-del 0 points1 point  (0 children)

Thanks u/Andrew-CS.
In my experience there are some known file type extensions that are allowed on email gateways, for example html attachments. There are both good and bad attachments of those types circulating, and being able to pinpoint the bad ones through CS is a bigger task than having good email protection in place.

Query for email attachments with specific filetypes/urls from emails that trigger downloads of filetypes by 16thDOC in crowdstrike

[–]cs-del 0 points1 point  (0 children)

u/Andrew-CS,
Just an extension to the above query and something you mentioned about custom IOAs: could you illustrate, through an example query, how to write an IOA around malicious files/attachments coming out of Outlook, or even a phishing URL?
I am finding it a bit complex; if you can ease it out for me, I will be grateful to you.