New API Keys within the Falcon Platform
This query provides a list of newly created API Keys, including relevant details such as Client Name and Client ID.
EDR, monitoring
FDR, intermediate, by ByteRay (cql-hub.com)
Query
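// Restrict the search to the falcon.cloud dataset
#event.dataset = falcon.cloud
// Keep only API client creation operations
| OperationName = CreateAPIClient
// Keep only events where user.id is present
| user.id = *
// Rename the raw attribute fields to readable column names
| "Client Name" := rename(Attributes.name)
| "Client ID" := rename(Attributes.APIClientID)
| "Scope(s)" := rename("Attributes.scope(s)")
// Show the key details together with who created the key and from where
| table([timestamp,"Client Name","Client ID", "Scope(s)",OperationName,Success,Source,SourceIp,UserId])
Explanation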
Imported from cql-hub.com.
Variables to adjust
Review and adjust the values to match your environment.