Check Domain Controller for NSX Driver
This query helps to determine if NSX drivers are installed on Domain Controllers to investigate limited Identity Protection functionality.
EDRmonitoring
FDR · intermediate · by ByteRay GmbH (cql-hub.com) · 1 min read
Query
event_platform=/Win/i #event_simpleName=/DriverLoad/i
| in(field=FileName,values=["vnetwfp.sys", "vnetflt.sys"],ignoreCase=true)
| join({$falcon/investigate:aid_master()}, field=aid, key=aid, include=[ProductType])
| ProductType=2
| "Domain Controller":=ComputerName
| LocalIP:=LocalAddressIP4
| Drivers:=FileName
| groupBy([aid,"Domain Controller",LocalIP,Drivers],function=[])
Explanation
Imported from cql-hub.com. Add the pipe-by-pipe explanation here.
Variables to adjust
Review and adjust the values to match your environment.
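The same pipeline as plain Python over constructed sample events, so each pipe's effect (case-insensitive driver match, inner join on aid, ProductType=2 filter, distinct groupBy rows) can be checked offline. This is an added example, not part of the cql-hub.com entry or CrowdStrike's tooling; the event shapes, aids and the aid_master stand-in are assumptions.

```python
import re

# Constructed sample events shaped like Falcon DriverLoad records (not real telemetry).
DRIVER_LOAD_EVENTS = [
    {"event_platform": "Win", "event_simpleName": "DriverLoad", "aid": "aid-dc01",
     "ComputerName": "DC01", "LocalAddressIP4": "10.0.0.5", "FileName": "VNETWFP.SYS"},
    {"event_platform": "Win", "event_simpleName": "DriverLoad", "aid": "aid-dc01",
     "ComputerName": "DC01", "LocalAddressIP4": "10.0.0.5", "FileName": "vnetflt.sys"},
    {"event_platform": "Win", "event_simpleName": "DriverLoad", "aid": "aid-dc01",
     "ComputerName": "DC01", "LocalAddressIP4": "10.0.0.5", "FileName": "VNETWFP.SYS"},
    {"event_platform": "Win", "event_simpleName": "DriverLoad", "aid": "aid-ws01",
     "ComputerName": "WS01", "LocalAddressIP4": "10.0.1.20", "FileName": "vnetwfp.sys"},
    {"event_platform": "Win", "event_simpleName": "DriverLoad", "aid": "aid-dc02",
     "ComputerName": "DC02", "LocalAddressIP4": "10.0.0.6", "FileName": "ntoskrnl.exe"},
    {"event_platform": "Win", "event_simpleName": "DriverLoad", "aid": "aid-new",
     "ComputerName": "NEWHOST", "LocalAddressIP4": "10.0.2.9", "FileName": "vnetflt.sys"},
]

# Constructed stand-in for the aid_master() join source; ProductType 2 is a domain controller.
AID_MASTER = {"aid-dc01": {"ProductType": 2}, "aid-dc02": {"ProductType": 2},
              "aid-ws01": {"ProductType": 1}}

NSX_DRIVERS = {"vnetwfp.sys", "vnetflt.sys"}  # values=[...] in the in() filter
DOMAIN_CONTROLLER = 2                          # ProductType=2


def find_dc_nsx_drivers(events, aid_master):
    """Apply the query's pipes in order and return the distinct groupBy rows."""
    rows = set()
    for ev in events:
        # event_platform=/Win/i #event_simpleName=/DriverLoad/i
        if not re.search(r"win", ev.get("event_platform", ""), re.I):
            continue
        if not re.search(r"driverload", ev.get("event_simpleName", ""), re.I):
            continue
        # in(field=FileName, values=[...], ignoreCase=true)
        if ev.get("FileName", "").lower() not in NSX_DRIVERS:
            continue
        # join(...) keeps only events whose aid exists in aid_master (inner join)
        master = aid_master.get(ev.get("aid"))
        if master is None or master.get("ProductType") != DOMAIN_CONTROLLER:
            continue
        # "Domain Controller":=ComputerName | LocalIP:=LocalAddressIP4 | Drivers:=FileName
        rows.add((ev["aid"], ev["ComputerName"], ev["LocalAddressIP4"], ev["FileName"]))
    # groupBy([...], function=[]) yields one row per distinct key tuple
    keys = ("aid", "Domain Controller", "LocalIP", "Drivers")
    return [dict(zip(keys, row)) for row in sorted(rows)]
```

Only DC01 survives: the workstation is dropped by ProductType, DC02 loaded no NSX driver, and the host missing from aid_master is dropped by the join.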