Introduction to Purple Teaming

Is your organization looking to validate the effectiveness of its security program? A purple team exercise may help measure your ability to detect and respond to a security incident before experiencing an actual incident.  A purple team exercise combines the capabilities of offensive (red) and defensive (blue) security operations. It’s not an actual team, but … Continue reading "Introduction to Purple Teaming"

Read More

10- Final Aesthetic Touches

Previous Step: Apply Token Search, Drilldown & Hide XML Panels Remove NA Values from visualizations You may have removed these values when addressing your filters, but if you haven’t… Take a look at your dashboard visualizations. Look for any “NA” values from the fillnull command. Edit the panel to include | search field!=NA before the … Continue reading "10- Final Aesthetic Touches"

Read More

09- Apply Token Search, Drilldown & Hide XML Panels

Previous Step: Create & Apply Base Search The next step is to apply your token search to each panel. I do not apply the token search to filters or the base search, just the individual panels. During this run through the XML, I also like to set the drilldown option to “all” on visualizations and  … Continue reading "09- Apply Token Search, Drilldown & Hide XML Panels"

Read More

06- Search & Dashboard Organization

Previous Step: Statistical Count and Timechart Panels When iterating between statistical and timechart commands it’s important to keep a pattern to enable easy organization of panels. For example, If i start with the action field, I’ll create a stats count and time chart count of action. Then maybe we have severity, where i’ll start with … Continue reading "06- Search & Dashboard Organization"

Read More

05- Statistic Count and Timechart Panels

Previous Step: Single Value Panels The purpose of our default dashboards is to enable our customers to start asking questions about their data. As a security analyst I found both statistical and timeline visualization can start to ask more questions about your data. This could translate into more concierge requests, which is the whole idea.  … Continue reading "05- Statistic Count and Timechart Panels"

Read More

04- Single Value Panels

Previous Step: Multi-Value Fields Now that we’ve established our base search, we can begin to create visualizations for our dashboard. Base Search: index::client* sourcetype::"CrowdStrike:Event:Streams:JSON" cs_event=DetectionSummaryEvent | fillnull value=NA | stats count by _time SeverityName bv_action DetectName DetectDescription user dest_ip dest dest_mac FileName MD5String CommandLine Tactic Technique PatternDispositionDescription PatternDispositionFlags_QuarantineFile  The first panels we create are single … Continue reading "04- Single Value Panels"

Read More

03- Multi-Value Fields

Previous Step: Fillnull & Table Command Using the table command will help identify duplicate values being parsed under a single event. To show this, we’ll use wineventlog.  Our search: index=* sourcetype=wineventlog | table _time EventCode ComputerName dest You can see EventCode and ComputerName are duplicate multi-value fields. It’s important to go through and address these … Continue reading "03- Multi-Value Fields"

Read More

02- Fillnull & Table Commands

Previous Step: Data Research Now we want to identify interesting fields associated with cs_event=DetectionSummaryEvent We’ll start by expanding our search to include the fillnull, and table command. Do not execute this search yet, just begin to craft it in the search bar: index=* sourcetype="CrowdStrike:Event:Streams:JSON" cs_event=DetectionSummaryEvent | fillnull value=NA | table If we do not use … Continue reading "02- Fillnull & Table Commands"

Read More