Leveraging Log360's Threat Intelligence to mitigate risks after the CrowdStrike disruption - Part 2

Leveraging Log360's Threat Intelligence to mitigate risks after the CrowdStrike disruption - Part 2

Continuation of part 1


Steps you need to do to protect your network from attacks leveraging CrowdStrike Incident:

1. Detection: If you already have the Threat Analytics Add-on, the Default Threat Alert will capture any interaction with the above malicious sources. If you haven't enabled or purchased Advanced Threat Analytics add-on, and want to know if there are traces of the malicious domain, check out this guide to enable the add-on.  


2. Detection through static correlation or search: To check the traces in existing logs, paste the following search query in the Search tab:

( (  ( URL_SITE contains "crowdstrikebug.com,crowdstrikefail.com,crowdstrikeoopsie.com,crowdfalcon-immed-update.com" ) OR ( URL_SITE contains "supportfalconcrowdstrikel.com,crowdstrikeclaim.com,crowdstrikeoutage.com,crowdstrike0day.com" ) OR ( URL_SITE contains "crowdstrikedoomsday.com,crowdstrikedown.site,crowdstrike-helpdesk.com" ) OR ( URL_SITE contains "sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com,isitcrowdstrike.com" ) OR ( URL_SITE contains "crowdstrikefix.zip.com,crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) OR ( URL_SITE contains "crowdstrikefail.com,crowdstrikebug.com,crowdstrikereport.com,crowdstrikeupdate.com" ) OR ( URL_SITE contains "crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" ) ) AND  ( COMMON_REPORT_NAME = "web traffic" ) )




3. Threat analytics: Analyze the domains' presence, if any, through the Incident Workbench's advanced threat analytics window. If a system is seen to have the interaction, immediately isolate the infected machine.  Apart from our default ATA offering, we also offer consolidated insights from threat feeds like VirusTotal.



      Note: To implement the above, you need to enable Advanced Threat Analytics add-on in your Log360 instance.

 4. Block the malicious domains: To proactively prevent malicious source interaction, you can associate the predefined workflow of blocking the domains on your firewalls. This helps you to immediately block the traffic to or from the malicious domains and stay secure.

 

Need assistance in configuring these? Do not hesitate to reach out to us.

Live Online Support 24/5

 

 








                New to ADSelfService Plus?