About afurze

Bbucao is correct, what is executing is not the .py file, but the python interpreter, so you can't blacklist a python script directly. ... View more

Hello everyone,   We have received a number of TAC cases regarding this issue and our engineering team is aware and working to address. ... View more

Hi RFeyertag,   Please reach out to your SE/account team for discussions on product feedback and roadmap. ... View more

Hi A_Adamski,   Please open a TAC case via the Customer Support Portal for assistance on this issue. ... View more

  1 create_new 2 open 3 rename 4 link 5 remove 6 write 7 set_attribute 8 dir_create 9 dir_open 10 dir_rename 11 dir_link 12 dir_remove 13 dir_write 14 dir_set_attr 15 reparse 16 set_sec 17 dir_set_sec 18 change_mode 19 dir_change_mode 20 change_owner 21 dir_change_owner 22 dir_query ... View more

That's correct, creating a new install package and running it would be a fresh install. ... View more

Hi Cyber1985,   If you have a Pro per Endpoint license then the Analytics Engine will identify this sort of thing for you, here are some relevant Analytics alerts that can fire: Execution of a renamed LOLBIN  Recurring access to a rare IP  PowerShell runs suspicious base64 encoded command  Each of these alerts will generate incidents if they fire within your tenant.  If you want to create your own XQL search you can go to Incident Response -> Query Builder -> XQL Search, here you can paste the query from the second article you linked and then you have the option to Run, Run in Background, Save or Schedule.  If you want this to generate alerts if data is returned, you can save it as a correlation rule and it will then be run periodically and can create incidents (depending on the severity you set, medium and high severity generate alerts).   If you are a Prevent customer, then you do not have EDR data collection as a feature and will be unable to detect this sort of behavior.   ... View more

Hi NathanBradley,   This is definitely a strange behavior, I'm honestly not sure why this query is failing.  I was able to get the following query to work successfully   dataset = xdr_data | filter event_type = ENUM.FILE | filter event_sub_type in (ENUM.FILE_OPEN, ENUM.FILE_CREATE_NEW, ENUM.FILE_WRITE) | filter agent_ip_addresses = “x.x.x.x” | filter action_file_path contains “Path” | filter action_file_name not contains “$” | filter action_file_extension != “tmp” | alter file_action = if(event_sub_type = 1, replace(to_string(event_sub_type), “1”, “CREATE”), if(event_sub_type = 6, replace(to_string(event_sub_type), “6”, “WRITE”), if(event_sub_type = 2, replace(to_string(event_sub_type), “2”, “OPEN”)))) | fields agent_hostname, agent_ip_addresses, actor_effective_username, action_file_name, action_file_path, action_file_extension, file_action ... View more

Hi NivedaR,   You can either use the console to upgrade via actions, or you can install a new agent of the version you want.  You will need to create a new installation package that can be used with the console or to distribute and run locally.  There is no option via the cytool utility to perform an upgrade. ... View more

Hi RFeyertag,   You can use XQL to create a BIOC for this   dataset = xdr_data | filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE) | filter action_file_path contains "\\AppData\\Local\\Temp\\" or action_file_path contains \"\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\" | filter action_file_extension = "iso"   You can tweak this query to look for different extensions, change the file operation included (this query looks for file creation, or file write).  You should do some testing to determine if it will fire when a user extracts an iso from a zip but I believe it will. ... View more