
Identify Shadow SaaS

This query identifies SaaS services supported by Falcon Shield and helps detect which SaaS products are actively used within the environment.

EDR, monitoring, T1526
FDR, intermediate, by ByteRay GmbH (cql-hub.com)

Query

#event_simpleName=DnsRequest DomainName=*
| match(file="shadow-saas.csv", field=[DomainName], column=[Domains], strict=true, mode=glob)
| Category=?Category
| Vendor=?Vendor
| Application=?Application
| groupBy(ComputerName, Vendor, Application, Category)
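
What the pipeline does to events, emulated in Python as an added example (not part of the original query or of the cql-hub.com entry). The lookup rows, the events and the assumption that shadow-saas.csv carries Vendor, Application and Category columns next to Domains are constructed for illustration; glob matching is approximated with `fnmatchcase`, returning the first matching row.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatchcase

# Constructed stand-in for shadow-saas.csv. Only the "Domains" column name comes
# from the query; the other three columns are assumed from the fields it filters on.
LOOKUP_CSV = """Domains,Vendor,Application,Category
*.example-notes.test,ExampleCo,Example Notes,Productivity
files.example-share.test,ShareCorp,Example Share,File Sharing
"""

# Constructed DnsRequest events (ComputerName and DomainName only).
EVENTS = [
    {"ComputerName": "WS-01", "DomainName": "app.example-notes.test"},
    {"ComputerName": "WS-01", "DomainName": "app.example-notes.test"},
    {"ComputerName": "WS-02", "DomainName": "files.example-share.test"},
    {"ComputerName": "WS-02", "DomainName": "intranet.corp.test"},   # not in lookup
    {"ComputerName": "WS-03", "DomainName": "example-notes.test"},   # apex, no subdomain
]

def load_lookup(text):
    return list(csv.DictReader(io.StringIO(text)))

def enrich(event, lookup):
    """match(..., strict=true, mode=glob): add the columns of the first row whose
    Domains pattern matches DomainName; return None so the caller drops the event."""
    for row in lookup:
        if fnmatchcase(event["DomainName"], row["Domains"]):
            return {**event, **{k: v for k, v in row.items() if k != "Domains"}}
    return None

def shadow_saas(events, lookup, category="*", vendor="*", application="*"):
    """Whole pipeline; the keyword arguments stand in for ?Category, ?Vendor and
    ?Application, each defaulting to the wildcard."""
    counts = Counter()
    for event in events:
        hit = enrich(event, lookup)
        if hit is None:
            continue
        wanted = (("Category", category), ("Vendor", vendor), ("Application", application))
        if all(fnmatchcase(hit[field], pattern) for field, pattern in wanted):
            # groupBy(ComputerName, Vendor, Application, Category) with its default count
            counts[(hit["ComputerName"], hit["Vendor"], hit["Application"], hit["Category"])] += 1
    return dict(counts)
```

WS-03 produces no row because a `*.example-notes.test` pattern does not cover the bare apex domain, so a lookup that should catch both needs an entry for each.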

Explanation

Imported from cql-hub.com. Add pipe explanation here.

Variables to adjust

Review and adjust the values for your environment.