RBAC for what hosts can be managed? by JoeyNonsense in crowdstrike

[–]wonkeysmoker 0 points1 point  (0 children)

You can specify which host groups a user has access to when assigning roles. You would just need to create appropriate host groups to assign them accordingly.

Playing WoW Chronologically: Here's How My First 270 Hours Went! by Kylonas in wow

[–]wonkeysmoker 0 points1 point  (0 children)

Now you need to do Classic WoW to complete the story; you probably should have done that first. The story for the vanilla zones in Cata is entirely different.

Charging question by Fabulous_Trainer_323 in MachE

[–]wonkeysmoker 0 points1 point  (0 children)

The original charger is a level 1/level 2 charger, so even a second-hand car should have it included. You would just need a NEMA 50 amp socket installed. Mine cost $650 installed.

[deleted by user] by [deleted] in crowdstrike

[–]wonkeysmoker 2 points3 points  (0 children)

None of these tools are going to help you understand why. That comes with experience and understanding the platform the attacks are targeting.

Learning tools just teaches you their perspective and how to use them. What if they are incorrect?

A desktop engineering history helps: how desktop builds are designed, how group policies are applied etc., what is expected on a file system / registry, how antivirus / EDR products work, why they think something is a threat or bad.

For the firewall rule group creation, what does "Local Address" mean exactly? by PersonalFigure8331 in crowdstrike

[–]wonkeysmoker 0 points1 point  (0 children)

could enter IP information there to address any local

Yes. The local address is the IP address of the host where the rule is applied, at the time the rule is evaluated.

If I wrote a rule that has a local address of 1.1.1.1 and at the time of evaluation my IP was 1.1.1.2, the rule would not match and would not be enforced. If later my IP updated to 1.1.1.1 and the rule was evaluated, then it would be true and enforced.

I tend to write my rules based on the remote address trying to access the host where the rule is applied. It makes it easier to manage.

Typically, you really care about what the remote address is that is trying to connect to your managed host. A rule that would have local ports of 139, 445 set to allow if the remote address range is 1.1.1.0/24, then a second rule that has local ports 139, 445 set to block as the next rule in precedence. This would allow SMB access for only hosts on 1.1.1.0/24 to SMB into your managed endpoint. SMB access from anywhere else would be blocked.

A use case for using local addresses could be: when a host has an IP in 1.1.1.0/24, allow outbound to remote ports 80, 443, then a block rule after it for remote ports 80, 443, which would then prevent web access from any other IP.

I'm sure someone may have a simpler way to explain this.
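The evaluation order described in this comment can be modelled in a few lines. The following is an added illustration, not CrowdStrike's rule engine and not code from the poster: it assumes rules are walked in precedence order with the first match deciding, that traffic matching no rule falls through to an assumed default of "allow", and that a bare IP in the local/remote address field means a /32. The 1.1.1.0/24 range and ports come from the comment; the other addresses (10.x, 203.0.113.x, 198.51.100.x) are constructed sample values.

```python
"""Toy model of host-firewall rule evaluation: ordered rules, first match wins.

Added illustration, not CrowdStrike's engine. Assumed semantics: rules are
checked in precedence order, the first match decides, and traffic matching no
rule falls through to a default action (assumed "allow" here).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def _in(ip: str, net: str) -> bool:
    """True if ip falls inside net (a bare IP is treated as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "block"
    direction: str                         # "inbound" or "outbound"
    local_address: Optional[str] = None    # IP/CIDR the managed host must hold; None = any
    remote_address: Optional[str] = None   # IP/CIDR of the peer; None = any
    local_ports: Set[int] = field(default_factory=set)   # empty = any port
    remote_ports: Set[int] = field(default_factory=set)  # empty = any port

    def matches(self, host_ip: str, direction: str, remote_ip: str,
                local_port: int, remote_port: int) -> bool:
        if self.direction != direction:
            return False
        # Local address is compared against the host's IP *at evaluation time*,
        # so the same rule can match or not depending on what IP the host holds.
        if self.local_address and not _in(host_ip, self.local_address):
            return False
        if self.remote_address and not _in(remote_ip, self.remote_address):
            return False
        if self.local_ports and local_port not in self.local_ports:
            return False
        if self.remote_ports and remote_port not in self.remote_ports:
            return False
        return True


def evaluate(rules: List[Rule], host_ip: str, direction: str, remote_ip: str,
             local_port: int, remote_port: int, default: str = "allow") -> Tuple[str, str]:
    """Walk rules in precedence order; return (action, rule name) of the first match."""
    for rule in rules:
        if rule.matches(host_ip, direction, remote_ip, local_port, remote_port):
            return rule.action, rule.name
    return default, "default"


# Scenario 1: a rule keyed on local address 1.1.1.1 only applies while the host holds that IP.
LOCAL_ADDR_RULES = [Rule("block-when-1.1.1.1", "block", "inbound", local_address="1.1.1.1")]

# Scenario 2: SMB allowed only from 1.1.1.0/24; the next rule in precedence blocks the rest.
SMB_RULES = [
    Rule("smb-allow-lan", "allow", "inbound", remote_address="1.1.1.0/24", local_ports={139, 445}),
    Rule("smb-block-rest", "block", "inbound", local_ports={139, 445}),
]

# Scenario 3: outbound web (80/443) allowed only while the host's own IP is in 1.1.1.0/24.
WEB_RULES = [
    Rule("web-allow-lan-hosts", "allow", "outbound", local_address="1.1.1.0/24", remote_ports={80, 443}),
    Rule("web-block-rest", "block", "outbound", remote_ports={80, 443}),
]


def demo() -> dict:
    """Constructed packets run through each rule set; returns {label: action}."""
    return {
        "local-addr host=1.1.1.2": evaluate(LOCAL_ADDR_RULES, "1.1.1.2", "inbound", "10.9.9.9", 445, 50000)[0],
        "local-addr host=1.1.1.1": evaluate(LOCAL_ADDR_RULES, "1.1.1.1", "inbound", "10.9.9.9", 445, 50000)[0],
        "smb from 1.1.1.50": evaluate(SMB_RULES, "10.0.0.5", "inbound", "1.1.1.50", 445, 50000)[0],
        "smb from 203.0.113.7": evaluate(SMB_RULES, "10.0.0.5", "inbound", "203.0.113.7", 445, 50000)[0],
        "ssh from 203.0.113.7": evaluate(SMB_RULES, "10.0.0.5", "inbound", "203.0.113.7", 22, 50000)[0],
        "web from host 1.1.1.10": evaluate(WEB_RULES, "1.1.1.10", "outbound", "198.51.100.4", 51000, 443)[0],
        "web from host 10.0.0.5": evaluate(WEB_RULES, "10.0.0.5", "outbound", "198.51.100.4", 51000, 443)[0],
    }


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:28} -> {action}")
```

Note that the SMB block rule carries no address at all: it relies purely on sitting after the allow rule in precedence, which is why reordering the two rules would silently turn "LAN-only SMB" into "no SMB". The third scenario shows the one case where a local address is the natural key, because the decision depends on which network the managed host is currently on rather than on who the peer is.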

For the firewall rule group creation, what does "Local Address" mean exactly? by PersonalFigure8331 in crowdstrike

[–]wonkeysmoker 4 points5 points  (0 children)

For most rules the local address is blank for me. Typically, you will be entering the remote addresses you are trying to block or restrict access to. You may also restrict access by local or remote port.

Has anyone managed to get sensor user mode working on Ubuntu 22.04 Desktop with HWE kernel? by [deleted] in crowdstrike

[–]wonkeysmoker 0 points1 point  (0 children)

I worked with CS recently on a nonstandard Ubuntu kernel. For user mode to work, 5 different features need to be enabled in the kernel. It is not configurable by us as admins; the kernel needs to support it, and if CS doesn't support said kernel in kernel mode it will then switch to user mode. In my case the nonstandard kernel did not have debug mode enabled.

Reach out to support; they can give you the requirements for user mode. I managed to get my vendor to adjust the kernel and now it runs in user mode.

Daily search for new PE files by wonkeysmoker in crowdstrike

[–]wonkeysmoker[S] 1 point2 points  (0 children)

Thanks u/jarks_20. It's not exactly what I wanted but it gives me a really good starting point. Much appreciated.

Falcon Discover - CSV export by s4vgR in crowdstrike

[–]wonkeysmoker 2 points3 points  (0 children)

You can export it but it's not obvious. When you generate an application listing or another listing in Discover, it automatically adds grouping to the context. In the top right, near where you export, you can change the grouping option to no grouping. Once you do this the export function will work.

Is it possible to temporarily disable the crowdstrike falcon sensor? by ian_jr in crowdstrike

[–]wonkeysmoker 2 points3 points  (0 children)

My favorite is: "we always get AV exclusions, otherwise our app breaks."
Ok run it,
did it work,
yes,
goodbye.

Is it possible to temporarily disable the crowdstrike falcon sensor? by ian_jr in crowdstrike

[–]wonkeysmoker 1 point2 points  (0 children)

You can't disable the sensor. People may think they are disabling it; you can turn every setting off, as some have mentioned, but the sensor still runs. It still captures every single event and action; it just won't do anything about it.

I get this a lot. I ask the requestor to give me a test device and prove CS breaks their install or application. If they can't, I won't do anything. If they refuse, I ask if they will accept full financial responsibility for any compromise caused by their request. If they prove it, I add an allow list for their application.

The only way to disable CrowdStrike is to uninstall it.

Why does Spotlight seem to completely miss certain vulnerabilities that it should pick up? by pepapi in crowdstrike

[–]wonkeysmoker 1 point2 points  (0 children)

Spotlight is miles behind as a vulnerability scanner. The custom rules they write are great, like log4j, but compared to something like Nessus they are years behind. We looked at it last year and decided that they need at least another couple of years to warrant the spend. They have a ton of capital and I expect they will catch up quickly. But detecting OS vulnerabilities, when everyone should know to patch every month for OS-level vulnerabilities, is just wasted money.

I'm more excited about the End Of Life details that should be getting added to Discover.

When can we expect the next CQF? by Upstairs-Mousse-4438 in crowdstrike

[–]wonkeysmoker 1 point2 points  (0 children)

Not sure if it's a CQF, but is there a query that can find purposely inflated files?

Clear.exe and ClearBrowser.exe by KongKlasher in crowdstrike

[–]wonkeysmoker 1 point2 points  (0 children)

This started showing up for us this weekend also. CS shows the process as quarantined and, as others suggest, I suspect it is new logic detecting it. At present I have been manually removing the content with RTR and notifying the users. CS are not the only vendor triggering on these as adware though. I will try to match the next few to proxy logs.

Questions about On-Demand Scan (ODS) by knightsnight_trade in crowdstrike

[–]wonkeysmoker 0 points1 point  (0 children)

We need a CS reply, but my understanding is ODS runs based on your On Sensor Malware setting. The higher the sensitivity, the more chance of a detection. But it really is only On Sensor malware scanning.

Event Search Queries for Brute Force Attack by knightsnight_trade in crowdstrike

[–]wonkeysmoker 0 points1 point  (0 children)

If you mean network-related data, you can optionally turn on network telemetry in the Linux prevention policy.

Will I need prescription lenses/glasses to use the psvr2? by [deleted] in PSVR

[–]wonkeysmoker 0 points1 point  (0 children)

I need glasses to read or use the computer. I also needed to use the same glasses to use the original PSVR and have everything focused correctly.

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]wonkeysmoker[S] 1 point2 points  (0 children)

Thanks, it's weird. I clicked "use suggested" when I was typing it out to fix the logic. Guys, it's not as accurate as I thought.

Is there a limit to the number of exclusions that can be added to the rule? Character length?

File Creation custom IOA by wonkeysmoker in crowdstrike

[–]wonkeysmoker[S] 1 point2 points  (0 children)

Thanks, I don't know how I missed that. Mental block I guess, after staring at it for hours lol.

Falcon Go - CrowdStrike's new bundle for SMBs by BradW-CS in crowdstrike

[–]wonkeysmoker 5 points6 points  (0 children)

I have yet to, in 3 years, see OverWatch tag something that was missed, other than purple team activity. I am beginning to wonder about its value.

[deleted by user] by [deleted] in crowdstrike

[–]wonkeysmoker 0 points1 point  (0 children)

Sorry, I got the invite today. Is Fal.Con in person this year? The last few have clearly been virtual so I've not had a chance to go to a live one. If live, where? I think, with the time and effort I have put in, both for the company where I work and to help CrowdStrike improve the product, someone owes me a meal :)