Leveraging Log360 Cloud's Threat Intelligence to mitigate risks after the CrowdStrike disruption - Part 2

Leveraging Log360 Cloud's Threat Intelligence to mitigate risks after the CrowdStrike disruption - Part 2

Continuation of part 1


Steps you need to do to protect your network from attacks leveraging CrowdStrike Incident:

1. Detection: If you already have the Threat Analytics Add-on, the Default Threat Alert will capture any interaction with the above malicious sources. If you haven't enabled or purchased Advanced Threat Analytics add-on, and want to know if there are traces of the malicious domain, check out this guide to enable the add-on.  


2. Detection through static correlation or search: To check the traces in existing logs, paste the following search query in the Search tab:

( (  ( URL_SITE contains "crowdstrikebug.com,crowdstrikefail.com,crowdstrikeoopsie.com,crowdfalcon-immed-update.com" ) OR ( URL_SITE contains "supportfalconcrowdstrikel.com,crowdstrikeclaim.com,crowdstrikeoutage.com,crowdstrike0day.com" ) OR ( URL_SITE contains "crowdstrikedoomsday.com,crowdstrikedown.site,crowdstrike-helpdesk.com" ) OR ( URL_SITE contains "sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com,isitcrowdstrike.com" ) OR ( URL_SITE contains "crowdstrikefix.zip.com,crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) OR ( URL_SITE contains "crowdstrikefail.com,crowdstrikebug.com,crowdstrikereport.com,crowdstrikeupdate.com" ) OR ( URL_SITE contains "crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) ) AND  ( COMMON_REPORT_NAME = "web traffic" ) )




3. Threat analytics: Analyze the domains' presence, if any, through the Incident Workbench's advanced threat analytics window. If a system is seen to have the interaction, immediately isolate the infected machine.  Apart from our default ATA offering, we also offer consolidated insights from threat feeds like VirusTotal.



      Note: To implement the above, you need to enable Advanced Threat Analytics add-on in your Log360 Cloud instance.

Need assistance in configuring these? Do not hesitate to reach out to us.

Live Online Support 24/5

 

 









                  New to ADSelfService Plus?