Leveraging EventLog Analyzer's Threat Intelligence to mitigate risks after the CrowdStrike disruption part 2

Continuation of part 1

Steps to protect your network from attacks that leverage the CrowdStrike incident:

1. Detection: If you already have the Threat Analytics add-on, the default threat alert captures any interaction with the malicious sources listed above. If you have not enabled or purchased the Advanced Threat Analytics add-on and want to know whether there are traces of the malicious domains in your environment, check out this guide to enable the add-on.

2. Detection through static correlation or search: To check for traces in existing logs, paste the following search query into the Search tab:

( (  ( URL_SITE contains "crowdstrikebug.com,crowdstrikefail.com,crowdstrikeoopsie.com,crowdfalcon-immed-update.com" ) OR ( URL_SITE contains "supportfalconcrowdstrikel.com,crowdstrikeclaim.com,crowdstrikeoutage.com,crowdstrike0day.com" ) OR ( URL_SITE contains "crowdstrikedoomsday.com,crowdstrikedown.site,crowdstrike-helpdesk.com" ) OR ( URL_SITE contains "sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com,isitcrowdstrike.com" ) OR ( URL_SITE contains "crowdstrikefix.zip.com,crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) OR ( URL_SITE contains "crowdstrikefail.com,crowdstrikebug.com,crowdstrikereport.com,crowdstrikeupdate.com" ) OR ( URL_SITE contains "crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) ) AND  ( COMMON_REPORT_NAME = "web traffic" ) )

3. Threat analytics: Analyze the presence of these domains, if any, in the Incident Workbench's advanced threat analytics window. If a system is seen interacting with them, isolate that machine immediately. Apart from our default ATA offering, we also provide consolidated insights from threat feeds such as VirusTotal.

Note: To implement the above, you need to enable the Advanced Threat Analytics add-on in your EventLog Analyzer instance.

4. Block the malicious domains: To proactively prevent interaction with the malicious sources, associate the predefined workflow that blocks these domains on your firewalls. This immediately blocks traffic to or from the malicious domains and keeps you secure.
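The four steps above describe detection and blocking inside EventLog Analyzer itself. As an added example that is not part of the original post or of ManageEngine's product, the script below shows the same detection logic applied offline to a few constructed web-proxy log lines: it extracts the request host and checks whether that host equals, or is a subdomain of, one of the domains in the search query above. Matching on the host rather than on a raw substring of the URL (as a plain `contains` does) avoids flagging legitimate hosts such as the vendor's own site, and it still catches subdomains of a listed domain. The log format (`timestamp client_ip url`) and the IP addresses are assumptions made for the example.

```python
"""Scan constructed proxy log lines for the CrowdStrike-themed domains listed
in the post. Added example; not ManageEngine or EventLog Analyzer code."""
from urllib.parse import urlsplit

# Domain list copied from the post's search query, with duplicates removed.
MALICIOUS_DOMAINS = {
    "crowdstrikebug.com", "crowdstrikefail.com", "crowdstrikeoopsie.com",
    "crowdfalcon-immed-update.com", "supportfalconcrowdstrikel.com",
    "crowdstrikeclaim.com", "crowdstrikeoutage.com", "crowdstrike0day.com",
    "crowdstrikedoomsday.com", "crowdstrikedown.site",
    "crowdstrike-helpdesk.com",
    "sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com",
    "isitcrowdstrike.com", "crowdstrikefix.zip.com", "crowdstrikereport.com",
    "crowdstrikeupdate.com",
    "crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com",
}


def host_of(url):
    """Return the lowercase host of a URL (a bare host is accepted too)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matched_domain(host):
    """Return the listed domain that `host` equals or is a subdomain of,
    or None. Walks the label suffixes so 'cdn.crowdstrikeupdate.com'
    matches 'crowdstrikeupdate.com' but 'www.crowdstrike.com' does not."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in MALICIOUS_DOMAINS:
            return candidate
    return None


def scan_proxy_log(lines):
    """Parse lines of the form 'timestamp client_ip url' (an assumed format)
    and return one hit record per request to a listed domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, url = parts[0], parts[1], parts[2]
        host = host_of(url)
        ioc = matched_domain(host)
        if ioc:
            hits.append({"time": ts, "client": client, "host": host, "ioc": ioc})
    return hits


def clients_to_isolate(hits):
    """Sorted list of client IPs that touched any listed domain (step 3's
    'isolate the machine' input)."""
    return sorted({h["client"] for h in hits})


# Constructed sample log; the IPs and timestamps are made up for this example.
SAMPLE_LOG = [
    "2024-07-19T10:01:02Z 10.0.0.5 https://www.crowdstrike.com/blog/",
    "2024-07-19T10:02:10Z 10.0.0.7 http://crowdstrikefix.zip.com/update.exe",
    "2024-07-19T10:03:33Z 10.0.0.9 https://cdn.crowdstrikeupdate.com/fix/",
    "malformed line",
    "2024-07-19T10:04:41Z 10.0.0.7 https://www.example.org/",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} -> {h['host']} (matches {h['ioc']})")
    print("isolate:", clients_to_isolate(found))
```

Feed the function real proxy or DNS export lines in the same three-field shape and it produces the list of clients to isolate; the `sinkhole-...` entry is retained in the list because a client reaching the sinkhole still indicates it attempted the original domain.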

Need assistance in configuring these? Do not hesitate to reach out to us.
