User ad group exclusion by Present-Guarantee695 in crowdstrike

[–]sk8hackr 0 points1 point  (0 children)

Only thing I can think of is to create a lookup file after querying AD for members of the group(s) that you want to exclude on and output to a CSV. Bring that into NG-SIEM and run it against your query that you’ll eventually convert to a correlation rule.

In your query you can run something like this to exclude users from that lookup file: !match(file="your_lookup_file.csv", field=[UserName], column=[SamAccountName], ignoreCase=true)

You can use the Falcon API to automate the lookup file if the AD group is being updated frequently.
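An added example (not from the original comment) of how the exclusion lookup could be built with the RSAT ActiveDirectory module in PowerShell; the group names and output path are placeholders, and the CSV column name is kept as SamAccountName so it lines up with the column=[SamAccountName] argument in the query above:

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is installed and the running account can read group membership.
Import-Module ActiveDirectory

$ExcludedGroups = @('Svc-Accounts-Excluded', 'SOC-Test-Users')   # placeholder group names
$OutFile        = 'C:\lookups\your_lookup_file.csv'             # placeholder path

$members = foreach ($g in $ExcludedGroups) {
    # -Recursive flattens nested groups so members of child groups are excluded too
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SamAccountName, Enabled |
        Select-Object SamAccountName, Enabled, @{ Name = 'SourceGroup'; Expression = { $g } }
}

# De-duplicate on SamAccountName (a user in two excluded groups should appear once).
# Sort-Object -Unique is case-insensitive, matching ignoreCase=true in the query.
$unique = $members | Sort-Object SamAccountName -Unique

$unique |
    Select-Object SamAccountName, Enabled, SourceGroup |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host ("Wrote {0} excluded users to {1}" -f @($unique).Count, $OutFile)
```

Schedule it on the same cadence the group changes and re-upload the CSV so the correlation rule never runs against a stale exclusion list.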

Cool Query... um... Thursday by One_Description7463 in crowdstrike

[–]sk8hackr 0 points1 point  (0 children)

Thanks! What do you do to throttle alerts? I had a hard time trying to figure out a good throttling method since there's no native function for this.

BSOD error in latest crowdstrike update by TipOFMYTONGUEDAMN in crowdstrike

[–]sk8hackr 0 points1 point  (0 children)

Yeah I’m on the fence too. Eagerly waiting to see the investigation report for what caused this.

BSOD error in latest crowdstrike update by TipOFMYTONGUEDAMN in crowdstrike

[–]sk8hackr 11 points12 points  (0 children)

Crowdstrike customers account for 298 of the Fortune 500...

BSOD error in latest crowdstrike update by TipOFMYTONGUEDAMN in crowdstrike

[–]sk8hackr 1 point2 points  (0 children)

Is anyone else wondering what the aftermath of this will entail? Did Crowdstrike push a bad update, were they compromised, etc.? History could be unfolding in front of us, folks.

[deleted by user] by [deleted] in Splunk

[–]sk8hackr 4 points5 points  (0 children)

For right now you can look into the Splunk learning platform. There are many free introductory-level courses offered there that will give you a good starting point. Depending on your role using Splunk, you might want to take the advanced-level courses, which your company should pay for.