freeload101 / SCRIPTS


Create macOS_threathunting #1

Closed megancarney closed 3 years ago

megancarney commented 4 years ago

Not sure what you wanted in all the columns so I left some blank ... let me know if you need any more information. For posterity, based on research I did in https://www.megancarney.com/presentations/ExternalReport_ThreatHuntingMacOS.pdf.

freeload101 commented 3 years ago

Thanks. I just noticed this, added it today :P Do you have a repo I can keep an eye on or anything? GREAT stuff!

https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting

freeload101 commented 3 years ago

Also, instead of using a bunch of NOT NOT NOT NOT, just use a regex like this example @megancarney

regex DomainName!="(?i)(^|\.)(adobe\.com|google\.com|COMPANY\.com|COMPANY\.net|outlook\.com|microsoft\.com|live\.com|skype\.com|footprintdns\.com|microsoftonline\.com|office365\.com|office\.net|digicert\.com|office\.com|windows\.com|lync\.com|apple\.com|windows\.net|icloud\.net|goody\.com|facebook\.com|0\.0\.0\.0|rackcdn\.com|yammer\.com)$"

I also have a top1million websites table from alexa.com

index=mimecast sourcetype=mimecastttpurlst action=allow scan_result=clean
| regex url="[A-Za-z0-9]{8,30}"
| regex url!="\\\\|COMPANY\.com|microsoft\.com|atlassian\.net|salesforce\.com|quantumworkplace\.com"
| rex field=url "^https?://(?<url_host>[^/:]+)"
| rex field=url_host "(?<url_short>[^.]+\.[^.]+)$"
| lookup top-1m.csv Domain AS url_short OUTPUT Domain AS top1m_hit
| where isnull(top1m_hit)
| stats count values(url) AS urls dc(user_email_address) AS Email_Count by url_short
| where Email_Count < 30
| sort -Email_Count
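Added example (not code from the thread or from the SCRIPTS repo): the same hunt as the Splunk search above, as stand-alone Python run over constructed Mimecast-style events, so the allowlist-regex and top-1m filtering logic can be checked offline. The allowlist contents, the TOP_1M stand-in for top-1m.csv, the registered_domain and hunt helpers and the sample events are all assumptions for illustration. The allowlist regex here is anchored to a label boundary and to the end of the host, which the thread's unanchored alternation is not, so notgoogle.com and google.com.evil.example are no longer swallowed by the google.com entry.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Allowlist as one case-insensitive alternation instead of chained NOTs, as the
# thread suggests. Every dot is escaped and the match is anchored to a label
# boundary and the end of the host, so "google.com" does not match
# "notgoogle.com" or "google.com.evil.example". Assumed list (a subset of the
# one in the thread); COMPANY is a placeholder.
ALLOWLIST_RE = re.compile(
    r"(?i)(^|\.)(adobe\.com|google\.com|COMPANY\.com|COMPANY\.net|microsoft\.com|"
    r"live\.com|office\.com|apple\.com|icloud\.net|facebook\.com)$"
)

# Hypothetical stand-in for the top-1m.csv lookup's Domain column, keyed on the
# registered domain so the comparison is domain-to-domain, not URL-to-domain.
TOP_1M = {"google.com", "youtube.com", "facebook.com", "wikipedia.org", "github.com"}


def registered_domain(url):
    """Host of url reduced to its last two labels (dl.host.example -> host.example).

    Good enough for .com-style TLDs; two-part public suffixes such as co.uk
    collapse to the suffix and would need a public-suffix list to split correctly.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hunt(events, min_run=8, max_users=30):
    """Python mirror of the SPL pipeline in the thread.

    Keep delivered, clean-scanned URLs containing a run of min_run..30
    alphanumerics (random-looking paths and hostnames), drop hosts on the
    allowlist or in the top-1m set, then group by registered domain and return
    (domain, hit_count, distinct_users, urls) for domains seen by fewer than
    max_users distinct users, most users first (like "sort -Email_Count").
    """
    run_re = re.compile(r"[A-Za-z0-9]{%d,30}" % min_run)
    per_domain = defaultdict(lambda: {"count": 0, "urls": set(), "users": set()})
    for ev in events:
        if ev["action"] != "allow" or ev["scan_result"] != "clean":
            continue
        if not run_re.search(ev["url"]):
            continue
        host = urlsplit(ev["url"]).hostname or ""
        if ALLOWLIST_RE.search(host):
            continue
        dom = registered_domain(ev["url"])
        if dom is None or dom in TOP_1M:
            continue
        bucket = per_domain[dom]
        bucket["count"] += 1
        bucket["urls"].add(ev["url"])
        bucket["users"].add(ev["user_email_address"].lower())
    rows = [
        (dom, b["count"], len(b["users"]), sorted(b["urls"]))
        for dom, b in per_domain.items()
        if len(b["users"]) < max_users
    ]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


# Constructed sample events in the shape of the Mimecast TTP URL fields used above.
SAMPLE_EVENTS = [
    {"action": "allow", "scan_result": "clean", "user_email_address": "a@COMPANY.com",
     "url": "https://cdn.adobe.com/installers/AcrobatReaderDC2021.exe"},   # allowlisted host
    {"action": "allow", "scan_result": "clean", "user_email_address": "a@COMPANY.com",
     "url": "https://www.google.com/search?q=abcdefghijk"},                 # allowlisted host
    {"action": "allow", "scan_result": "clean", "user_email_address": "b@COMPANY.com",
     "url": "https://download.oddhost.example/f/Zx9kQ2mP7LwR/setup.pkg"},  # kept
    {"action": "allow", "scan_result": "clean", "user_email_address": "c@COMPANY.com",
     "url": "https://download.oddhost.example/f/Zx9kQ2mP7LwR/setup.pkg"},  # kept, 2nd user
    {"action": "allow", "scan_result": "clean", "user_email_address": "d@COMPANY.com",
     "url": "http://notgoogle.com/Y7hT4wQpL1/"},                            # must NOT be allowlisted
    {"action": "block", "scan_result": "malicious", "user_email_address": "e@COMPANY.com",
     "url": "http://blocked.example/AAAAAAAAAAAA"},                         # dropped: not allow/clean
    {"action": "allow", "scan_result": "clean", "user_email_address": "f@COMPANY.com",
     "url": "https://github.com/freeload101/SCRIPTS"},                      # dropped: top-1m domain
    {"action": "allow", "scan_result": "clean", "user_email_address": "g@COMPANY.com",
     "url": "https://short.example/ab"},                                    # dropped: no 8+ char run
]

if __name__ == "__main__":
    for dom, hits, users, urls in hunt(SAMPLE_EVENTS):
        print(f"{dom}: {hits} hit(s) from {users} user(s): {urls}")
```

Two rows survive the sample: oddhost.example (two users, one URL) and notgoogle.com (one user). Lowering max_users to 2 drops oddhost.example, which is the "rare domain" threshold the SPL's where Email_Count < 30 expresses.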