1. Detection: If you already have the Advanced Threat Analytics add-on enabled, the default threat alert will fire on any interaction with the malicious sources listed above. If you have not enabled or purchased the add-on and want to know whether any of these domains appear in your logs, see this guide to enable it.
2. Detection through correlation or search: To check existing logs for traces of these domains, paste the following query into the Search tab. It is scoped to the "web traffic" report, so it only matches proxy and web-gateway events; each URL_SITE clause carries several comma-separated domains, and a few of them (crowdstrikefail.com, crowdstrikebug.com and the S3 bucket hostname) are listed twice, which is harmless.
( ( ( URL_SITE contains "crowdstrikebug.com,crowdstrikefail.com,crowdstrikeoopsie.com,crowdfalcon-immed-update.com" ) OR ( URL_SITE contains "supportfalconcrowdstrikel.com,crowdstrikeclaim.com,crowdstrikeoutage.com,crowdstrike0day.com" ) OR ( URL_SITE contains "crowdstrikedoomsday.com,crowdstrikedown.site,crowdstrike-helpdesk.com" ) OR ( URL_SITE contains "sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com,isitcrowdstrike.com" ) OR ( URL_SITE contains "crowdstrikefix.zip.com,crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) OR ( URL_SITE contains "crowdstrikefail.com,crowdstrikebug.com,crowdstrikereport.com,crowdstrikeupdate.com" ) OR ( URL_SITE contains "crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) ) AND ( COMMON_REPORT_NAME = "web traffic" ) )
3. Threat analytics: Check whether any of these domains appear in your environment using the Incident Workbench's Advanced Threat Analytics view. If a host is seen interacting with one of them, isolate it immediately and investigate it as potentially compromised rather than assuming it is clean because the request was blocked. Besides the default ATA feeds, we also offer consolidated insights from threat feeds such as VirusTotal.
Note: To use the above, enable the Advanced Threat Analytics add-on in your Log360 Cloud instance.
Need assistance in configuring these? Do not hesitate to reach out to us.