CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

CrowdStrike / Azure Sentinel - Machine Status 'Online' #178

Closed alexmartin0800 closed 2 years ago

alexmartin0800 commented 2 years ago

Description of your question This surfaced when we noticed that a certain individual had not returned his/her work laptop to the company after leaving.

As he/she was using an old account, logging in to Windows would still work, as the machine was at home and had not contacted the corp network.

We would like to leverage the API connection between Crowdstrike and Azure Sentinel to allow an analytic rule to be in place for when an account is disabled in Azure Sentinel (through Audit Logs) that if the machine remains online within CrowdStrike, that it flags in Azure Sentinel and creates an Alert/Incident.

The analytic rule currently stands as below, without using any connection to the CrowdStrike services:

```kql
let watchlist = _GetWatchlist("keyStakeholders");
AuditLogs
| where OperationName == "Disable account"
| extend accountDisabled = tostring(TargetResources[0].userPrincipalName)
| where (accountDisabled has_any(watchlist))
```

We currently already have an API connection that provides other information from CrowdStrike to Sentinel.

Environment (please complete the following information):

bk-cs commented 2 years ago

As of today, I'm not aware of any Falcon APIs that provide the ability to make changes within the Azure Sentinel environment. Based on the description of your query, it seems like this would all need to happen within Sentinel, which PSFalcon has no interaction with. Does that seem correct?

alexmartin0800 commented 2 years ago

Yes, thanks for your assistance

bk-cs commented 2 years ago

I'm not sure how I can help with this.

"Online in CrowdStrike" is relatively easy to determine using Get-FalconHost and the last_seen property. Past that, you would need to have a way to interact with Azure. PSFalcon won't be able to do any of the Azure interaction, and I have no plans to add that functionality within PSFalcon (because this module is meant to work with the Falcon APIs alone).
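The Falcon half of the check described above, as an added example that is not part of the thread or of PSFalcon itself. It uses the real PSFalcon cmdlets `Request-FalconToken` and `Get-FalconHost` (with an FQL `last_seen` filter and `-Detailed`) and assumes: PSFalcon is installed, `$ClientId`/`$ClientSecret` hold an API client with the Hosts read scope, the disabled UPNs arrive from outside (for example a Sentinel export, which PSFalcon does not fetch), the user-name part of each UPN matches the host's `last_login_user` value, and "online" means a check-in within the last `$WithinHours` hours (a threshold chosen here, not defined by Falcon). The function name `Test-FalconHostOnline` is hypothetical.

```powershell
# Added example, not PSFalcon project code. Assumes PSFalcon is installed and
# $ClientId / $ClientSecret are Falcon API credentials with the Hosts read scope.
Import-Module PSFalcon
Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret

function Test-FalconHostOnline {
    <#
    .SYNOPSIS
    Returns Falcon hosts that checked in within the last $WithinHours hours and
    whose last interactive login was one of the given (now disabled) accounts.
    Assumption: the user-name part of the UPN matches last_login_user, with any
    leading DOMAIN\ prefix stripped.
    #>
    param(
        [Parameter(Mandatory)][string[]]$DisabledUpn,
        [int]$WithinHours = 24
    )
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$WithinHours)

    # User-name portion of each UPN, lower-cased for a case-insensitive match.
    $names = $DisabledUpn | ForEach-Object { ($_ -split '@')[0].ToLower() }

    # Narrow the query server-side: only hosts seen after the cutoff are returned.
    $fql = "last_seen:>'$($cutoff.ToString('yyyy-MM-ddTHH:mm:ssZ'))'"

    Get-FalconHost -Filter $fql -Detailed -All |
        Where-Object {
            $_.last_login_user -and
            $names -contains (($_.last_login_user -split '\\')[-1]).ToLower()
        } |
        Select-Object hostname, device_id, last_login_user, last_login_timestamp,
            last_seen, external_ip
}

# Usage: feed in the UPNs your Sentinel AuditLogs rule flagged as disabled.
# An empty result means none of those users' hosts has checked in recently.
Test-FalconHostOnline -DisabledUpn 'jdoe@corp.example' -WithinHours 24 |
    Format-Table -AutoSize
```

Anything returned here is a host that is still reporting to Falcon despite its last user being disabled; raising that as a Sentinel alert would have to be done with Sentinel's own tooling, since, as noted above, PSFalcon only talks to the Falcon APIs. If `last_login_user` in your tenant is recorded differently (for example as a full UPN), adjust the match in `Where-Object` accordingly.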