Created
July 22, 2024 10:41
// Version 8.6 - 4:06PM EST 7/21/24
//
// Purpose: per-host (aid) status assessment for the July 19, 2024 Channel File 291 impact window,
// built from Windows ConfigStateUpdate and SensorHeartbeat events.
// Dashboard parameters read by this query: ?cid, ?aidsubset, ?Status, ?ComputerName, ?aid, ?ProductType.
// Lookup files read: aid_master_main.csv and aid_master_details.csv; enrichment also calls the
// $falcon/helper:enrich saved query.
// Output: one row per aid with Status, Code, Details plus enrichment fields (see the final groupby).
// The Status/Code/Details evaluations live in a case{} block whose branches are tried in order and
// whose first match wins, so the order of those branches is significant.
// Get ConfigStateUpdate and SensorHeartbeat events from Windows sensors (event_platform=Win)
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
// Restrict to the Customer ID selected in the dashboard (?cid)
| cid=?cid
// Splitting aid list for large customers: ?aidsubset is a regex applied to aid so a large tenant can be processed in slices
| regex(field=aid, regex=?aidsubset)
// Parse ConfigStateUpdate and extract Channel File 291 version number; accept all SensorHeartbeat events and rename timestamp field.
// ConfigStateData is expected to carry an entry of the form |1,123,<hex version>| (0x123 = 291, presumably the channel file id);
// the captured hex string is converted to an integer with parseInt(radix=16). strict=false keeps ConfigStateUpdate events
// that do not match the pattern (they simply get no CFVersion).
| case{
#event_simpleName=ConfigStateUpdate | regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16);
#event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);
}
// Create counters for events that occurred within impact window on July 19, 2024
// (window start 1721362140000 to buffered window end 1721370420000, see the timestamp legend below).
// Events outside the window fall through the catch-all (*) with no counter set; default() after the aggregation turns the
// missing counters into 0.
| case{
#event_simpleName=ConfigStateUpdate | @timestamp>1721362140000 AND @timestamp<1721370420000 | CSUcounter:=1;
#event_simpleName=SensorHeartbeat | LastSeen>1721362140000 AND LastSeen<1721370420000 | SHBcounter:=1;
*;
}
// Aggregate results by Agent ID (aid) value and extract maximum Channel File 291 version per Customer ID (cid).
// Per aid: last CFVersion seen, the fields of the most recent event (its @timestamp becomes LastSeen), the number of
// SensorHeartbeat events after the buffered window end (TotalSHB), and whether any event fell inside the window (max of the counters).
// Per cid: MaxCFVersion, the highest CF 291 version seen anywhere in the tenant, used below as the "known good" reference.
// NOTE(review): SensorHeartbeat events had @timestamp renamed to LastSeen in the first case{} above; confirm that
// selectFromMax(field="@timestamp") still considers them, otherwise the per-aid LastSeen reflects only ConfigStateUpdate events — TODO confirm.
// NOTE: TotalSHB is bounded by the search time range, so the heartbeat thresholds in the evaluations below are only meaningful
// when the search range extends far enough past the buffered window end.
| groupBy([cid], function=[groupby(aid, function=([
{selectLast(CFVersion)},
{selectFromMax(field="@timestamp", include=[@timestamp, ComputerName, aip, LocalAddressIP4, ConfigBuild]) | rename(field="@timestamp", as="LastSeen")},
{#event_simpleName=SensorHeartbeat LastSeen>1721370420000 | count(as=TotalSHB)},
max(CSUcounter, as=CSUcounter),
max(SHBcounter, as=SHBcounter)
]), limit=max),
max(CFVersion, as=MaxCFVersion)
], limit=max)
// Set default values for CSUcounter and SHBcounter (aids with no event inside the window get 0)
| default(value="0", field=[CSUcounter,SHBcounter])
// Parse sensor build number from ConfigBuild (third dotted component, e.g. a.b.<BuildNumber>.)
| ConfigBuild=/\d+\.\d+\.(?<BuildNumber>\d+)\./
// Calculate time between LastSeen value of every Agent ID and current time (raw milliseconds)
| LastSeenDelta:=now()-LastSeen
// Reformat that delta as a human-readable duration with two units of precision
| LastSeenDelta:=formatDuration("LastSeenDelta", precision=2)
// Enrich aggregation results with aid_master details if available; strict=false keeps aids that have no lookup row
| aid=~match(file="aid_master_main.csv", column=[aid], strict=false)
| aid=~match(file="aid_master_details.csv", column=[aid], include=[FalconGroupingTags, SensorGroupingTags, ChassisType], strict=false)
// Move ProductType to human-readable format
| $falcon/helper:enrich(field=ProductType)
// Prepare ChassisType to be moved to human-readable format after Falcon Helper update
| $falcon/helper:enrich(field=ChassisType)
// Set default values for systems not found in aid_master file
| default(value="-", field=[MachineDomain, OU, SiteName, FalconGroupingTags, SensorGroupingTags, ChassisType, ProductType], replaceEmpty=true)
// Set default value for CFVersion if there is no ConfigStateUpdate event in window.
// A "-" CFVersion is not expected to satisfy the CFVersion==MaxCFVersion test below.
| default(value="-", field=[CFVersion])
// Explain what hard coded timestamp values map to
/*
1721362140000 is Friday, July 19, 2024 04:09:00 UTC and represents the start of the impact window
1721366820000 is Friday, July 19, 2024 05:27:00 UTC and represents the end of the impact window (documented for reference only; not referenced by this query)
1721370420000 is Friday, July 19, 2024 06:27:00 UTC and represents the end of the impact window + 1 hour as a buffer (the bound the query actually uses)
*/
// EVALUATIONS USED TO CHECK SENSOR CONDITION BASED ON ABOVE AGGREGATION //
// Branches are evaluated top to bottom and the first match wins; Code is a branch identifier, not a severity rank.
| case{
// GOOD: Endpoint running sensor version below 7.11
BuildNumber<18110 | Status:="OK" | Code:=8 | Details:="Endpoint running version of Falcon sensor that is not impacted.";
// GOOD: Accounts for systems believed to be known good (CFVersion equals the tenant-wide maximum).
test(CFVersion==MaxCFVersion) | Status:="OK" | Code:=1 | Details:="Endpoint has latest channel file and is operational.";
// GOOD: Accounts for systems that are believed to be offline during impact window
CSUcounter=0 AND SHBcounter=0 | Status:="OK" | Code:=2 | Details:="Endpoint was offline and did not receive channel file during impact window.";
// GOOD: Accounts for systems that are believed to be online during impact window, but did not interact with CF 291
CSUcounter=0 AND SHBcounter=1 | Status:="OK" | Code:=3 | Details:="Endpoint was online and did not receive channel file during impact window.";
// HARD DOWN: Accounts for systems with CFVersion of 0, but NOT checked in after impact window.
CFVersion=0 AND LastSeen<1721370420000 | Status:="DOWN" | Code:=4 | Details:="Endpoint has channel file version of 0 and has not checked-in after impact window.";
// POSSIBLE SELF-RECOVERY: Accounts for systems that interacted with CF 291, but have checked in after impact window.
// The TotalSHB thresholds (600/300/150) are the author's mapping of post-window heartbeat counts to uptime; the implied
// heartbeat interval is not shown here — TODO confirm before adjusting them.
CSUcounter=1 AND LastSeen>1721370420000 AND TotalSHB>600 | Status:="OK" | Code:=5 | Details:="Endpoint received channel file during impact window and has checked-in after impact window a total reported uptime of 20+ hours.";
// POSSIBLE SELF-RECOVERY: Accounts for systems that interacted with CF 291, but have checked in after impact window
CSUcounter=1 AND LastSeen>1721370420000 AND TotalSHB>300 | Status:="RECOVERY_VERY_LIKELY" | Code:=6 | Details:="Endpoint received channel file during impact window and has checked-in after impact window a total reported uptime of 10-20 hours.";
// POSSIBLE SELF-RECOVERY: Accounts for systems that interacted with CF 291, but have checked in after impact window
CSUcounter=1 AND LastSeen>1721370420000 AND TotalSHB>150 | Status:="RECOVERY_LIKELY" | Code:=7 | Details:="Endpoint received channel file during impact window and has checked-in after impact window with a total reported uptime of 5-10 hours.";
// POSSIBLE SELF-RECOVERY OR BOOT LOOP: Accounts for systems that interacted with CF 291, but have checked in after impact window
// with too few heartbeats to fall into the branches above
CSUcounter=1 AND LastSeen>1721370420000 | Status:="VERIFY" | Code:=9 | Details:="Endpoint received channel file during impact window and has checked-in after impact window.";
// HARD DOWN: Accounts for systems that interacted with CF 291 and appear to be offline since time of impact
CSUcounter=1 AND LastSeen<1721370420000 | Status := "DOWN" | Code:=10 | Details:="Endpoint received channel file during impacted window, but endpoint has NOT checked-in after impact window.";
// UNKNOWN: Accounts for systems whose status cannot be determined based on rules and telemetry
* | Status:="UNKNOWN" | Code:=0 | Details:="Cannot determine endpoint status based on available telemetry.";
}
// Convert FirstSeen time to human-readable format; results in UTC (FirstSeen comes from the aid_master lookup)
| FirstSeen:=formatTime(format="%F %T %Z", field="FirstSeen")
// Convert LastSeen time to human-readable format; results in UTC
| LastSeen:=formatTime(format="%F %T %Z", field="LastSeen")
// Create dynamic filters for use in dashboard (?Status, ?ComputerName, ?aid, ?ProductType)
| Status=?Status
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| ProductType=?ProductType
// Create one final groupBy for easier export to CSV; function=[] yields one row per distinct combination of the listed fields
| groupby([aid, ComputerName, Status, Code, LastSeen, CFVersion, MaxCFVersion, TotalSHB, LastSeenDelta, Details, AgentVersion, aip, FalconGroupingTags, LocalAddressIP4, MAC, MachineDomain, OU, ProductType, SensorGroupingTags, SiteName, SystemManufacturer,SystemProductName, Version, ChassisType, FirstSeen, cid, event_platform], limit=max, function=[])