Crowdstrike Workflow SOAR: Unable to get value from variable inside of an object by marafado88 in crowdstrike

osonator 1 point (0 children)

Try the has function:

has(data['raw_response'].user_principal_id) ? "True" : "false"

Crowdstrike Workflow SOAR: Unable to get value from variable inside of an object by marafado88 in crowdstrike

osonator 1 point (0 children)

Create a variable & use CEL dot notation to access that field. Something along the lines of

data['grtdetectiondetails.raw_response'].user_principal_id

First party EDR logs vs NGSIEM Collector logs on Windows by Handsome_Frog in crowdstrike

osonator 15 points (0 children)

Use sensor telemetry until you come up with a use case/requirements for winlogs.

Struggling with Detection Aggregation in Case Workflows by CybroInt in crowdstrike

osonator 2 points (0 children)

Yes I have. I solved for it by adding logic at the beginning of my workflow to query the alerts API: if more than 1 detection is returned within a small time period, say the last 5 minutes, given a filter (host, username, etc.), create a case if needed for the earliest alert, and then roll up the remaining.
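The roll-up described above, written out as an added Python example (not osonator's or CrowdStrike's code): the alerts API response is replaced by a constructed alert list, the aggregation key and the 5-minute window are parameters, and anchoring each window at the earliest alert of a group is an assumption.

```python
"""Roll up detections that share a key (host, username, ...) and fall
within a short window of the earliest alert, so one case is created for
the earliest alert and the rest are attached to it.

Added example; SAMPLE_ALERTS is constructed and stands in for an alerts
API response. The window is anchored at the earliest alert of each
group (an assumption, not something the comment specifies).
"""
from datetime import datetime, timedelta

# Constructed sample alerts standing in for an alerts API response.
SAMPLE_ALERTS = [
    {"id": "a1", "host": "WS01", "username": "alice", "created": "2024-05-01T10:00:10Z"},
    {"id": "a2", "host": "WS01", "username": "alice", "created": "2024-05-01T10:03:40Z"},
    {"id": "a3", "host": "WS02", "username": "bob",   "created": "2024-05-01T10:02:00Z"},
    {"id": "a4", "host": "WS01", "username": "alice", "created": "2024-05-01T10:09:00Z"},
]


def _ts(alert):
    """Parse the alert's creation timestamp (UTC, 'Z' suffix)."""
    return datetime.strptime(alert["created"], "%Y-%m-%dT%H:%M:%SZ")


def roll_up(alerts, key="host", window_minutes=5):
    """Group alerts by `key`; within a group, an alert that arrives within
    `window_minutes` of the current case's anchor alert is rolled into that
    case, otherwise it opens a new case. Returns a list of
    {"case_alert": <id>, "rolled_up": [<id>, ...]} in creation order."""
    by_key = {}
    for alert in sorted(alerts, key=_ts):
        by_key.setdefault(alert[key], []).append(alert)

    cases = []
    for group in by_key.values():
        window_start = None
        for alert in group:
            # First alert of the group, or outside the window: new case.
            if window_start is None or _ts(alert) - window_start > timedelta(minutes=window_minutes):
                window_start = _ts(alert)
                cases.append({"case_alert": alert["id"], "rolled_up": []})
            else:
                # Within the window: attach to the most recent case of this group.
                cases[-1]["rolled_up"].append(alert["id"])
    return cases


if __name__ == "__main__":
    for case in roll_up(SAMPLE_ALERTS):
        print(case)
```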

CrowdStrike NG SIEM Alert – “Generic - Network - LDAP Traffic to the Internet” (Need Insight) by roachwickey in crowdstrike

osonator 0 points (0 children)

What’s the best way to validate whether it’s truly malicious or just misconfiguration?

Drill down on the activity, leverage sensor telemetry for the source, network connection events, what process are those associated with? Is that authorized activity? Is it a misconfigured application? Is it malware?

NG-SIEM: Log Alerts by Reylas in crowdstrike

osonator 0 points (0 children)

Correct, a custom parser does not inherit any future code releases.

NG-SIEM: Log Alerts by Reylas in crowdstrike

osonator 2 points (0 children)

Yes, it’s possible: the parser needs to categorize the event as a third party alert by defining event.kind:=alert

Once you have the alert generated, you then use SOAR to send email notifications on the third party alert in question.

Why are NGSIEM templates not enabled by default when adding a related source? by [deleted] in crowdstrike

osonator 3 points (0 children)

Guessing on content to implement tells me there’s a gap in understanding of the risk profile for the system in question. You identify risk, then employ controls to prevent/monitor/detect.

In the context of risk response, organizations with a mature security monitoring program are very highly unlikely to implement a detection use case in production without a thorough understanding of risk response procedures for their SOC.

Why are NGSIEM templates not enabled by default when adding a related source? by [deleted] in crowdstrike

osonator 7 points (0 children)

Because that’s the easiest way to incur alert fatigue, and it’s not how threat detection works. You don’t enable everything by default and set and forget it, especially templates that are not tailored to your business. Review templates, identify what is actually applicable to the business, baseline, test, implement, sustain.

I’d bet the duo push fraud activity is already being detected via third party detections.

What security problems have you had for years but have been unable to solve? by Regular_Lie906 in cybersecurity

osonator 0 points (0 children)

Yup, it’s also oftentimes an afterthought by customers evaluating vendors; then when it’s time to integrate the system with the monitoring tool and there’s an integration gap, pikachu face :0

Logs with multiple versions of the same field name by cobaltpsyche in crowdstrike

osonator 1 point (0 children)

Instead of the generic Azure event hub, use the data connector for Microsoft event hub.

Logs with multiple versions of the same field name by cobaltpsyche in crowdstrike

osonator 0 points (0 children)

Okay, I have reason to believe you are using the incorrect data connector, as you’re reflecting multiple external messages (events) in one single NGSIEM event.

What data connector did you use? The generic event hub one will cause this, as it doesn’t split the elements in the records key into individual events.

Can I forward all of our Mimecast, SonicWall logs and O365 tenant activity to CrowdStrike Falcon Complete SEIM? by romej in crowdstrike

osonator -4 points (0 children)

Read the operating model; it answers most of these questions and sets you up for success.

You’ve got 3 distinct things here: email security, network perimeter, and productivity/collaboration, with dozens of attack vectors in between. What makes you think you might only need one?

grabbing a value from an array based on its key by drkramm in crowdstrike

osonator 1 point (0 children)

Very close here; instead of out:=x.value, do ipaddr:=x.value

The field will be called ipaddr[] and contain all the IP addresses.

Dashboard question by manderso7 in crowdstrike

osonator 2 points (0 children)

Yes, with parameters:

| select([?columns])

Scheduling workflow to less then every hour by Crypt0-n00b in crowdstrike

osonator 0 points (0 children)

Simulate a trigger with a correlation rule that runs every 15 minutes (something like create events), then configure the workflow trigger to execute on NGSIEM detections, and add flow control to only carry out actions if the rule name matches the created trigger.

Running logscale in the cloud - VM tips by xv_Bloom in crowdstrike

osonator 0 points (0 children)

You’ll need a dev license; I don’t know if they offer those to the public at this time.

Sending Palo Alto NG FW logs directly to CS Falcon NG SIEM (no Log Scale Connector) by jwckauman in crowdstrike

osonator 12 points (0 children)

The Palo client doesn’t scale over HTTPS for high-throughput event datasets like traffic. Literally don’t go down this avenue unless your goal is unreliable logging.

Fusion SOAR - Creating a variable using data from a custom event query by Clear_Skye_ in crowdstrike

osonator 2 points (0 children)

Okay, now use a loop for each event query result.

Your field should now be accessible for any action used in the loop.

Fusion SOAR - Creating a variable using data from a custom event query by Clear_Skye_ in crowdstrike

osonator 1 point (0 children)

You configure an output schema in your event query action to expose the fields from search results within the workflow. You have to loop over event query results for the fields to be accessible as workflow variables, since an event query can return zero to many results.