Getting more value from your endpoint security tool #4: Querying Strategies for IT Operations
As the son of a retired automotive mechanic, the lessons my dad taught me remain just as important today. As I mentioned in my previous post about Orbital Advanced Search, "Pops" was always teaching me something. This time it was to always clean your tools after each job, maintain the tools that require oil, and always keep your tools neatly organized in the toolbox. These efforts allowed the tools to last longer, made them easier to identify and find in the drawer, and ultimately resulted in increased efficiency. Not only did he become more productive, but these simple acts also served as a mental inventory of the tools he owned. He always knew what tools he had and what drawer they were in.
The same is true today of IT Operations tools. IT Operators are responsible for defining the way a business manages its software and hardware, and for helping keep the business running. They provide other IT support such as network administration, device management, and help desk. Ultimately, they are charged with improving and advancing business requirements while maintaining the operational stability of the business.
IT Operations teams are increasingly being held back by the insufficient use of the tools in their care. Something as simple as on-boarding a new employee's device and confirming its configuration is difficult without the ability to physically inspect the device. In the execution of their job, they are challenged to see and control what is happening on devices in near real time. Lastly, they are faced with the overall outcome of their efforts and with trying to save time on recurring activities so that their team can become more proactive.
As a feature of Cisco's AMP for Endpoints Advantage, Orbital Advanced Search can be the organizational tool for IT Operations. Orbital Advanced Search has an entire category dedicated to Posture Assessments, which contains queries to check CPU data, network host connections, operating-system information, installed programs, and much more.
Whether you are hardening your environment through network and hardware hygiene audits or ensuring a new employee's devices are properly configured without having to physically inspect the endpoint, Orbital Advanced Search will help you get the answers you need to perform these tasks faster.
Let's focus on one IT Operations Catalog query you could run daily.
YOU WANT TO: Determine whether any running Chrome Browser Extensions could be used to perform malicious activity
Orbital Catalog Query to run: Chrome Browser Extensions Monitoring – This query returns data on the Chrome extensions installed on the host for a specific user. The following data is retrieved:
- username – the local user that owns the extension
- name – display name
- identifier
- version
- description
- locale
- update_url – extension-supplied update URI
- persistent – 1 If extension is persistent across all tabs else 0
- path – path to the extension folder
WHY THIS IS IMPORTANT: This information can be used to detect an extension performing malicious activity, because it is common practice for malware to disguise itself as a legitimate and well-known browser extension.
STEPS:
- Select the endpoints you want to query
- Search the Catalog for “Chrome Browser Extensions Monitoring”
- Click the “+” to copy into your SQL query window
- Close the Query Catalog Window
- Click the Query button
QUERY RESULT: The query results deliver a table of data to be reviewed. First, look at the name of the extension that is running and make sure it is a known name. Next, the identifier value can be used to obtain details from the Google Chrome Web Store for any extension in your query results. For example, if the identifier field is ghbmnnjooekpmoecnnnilnnbdlolhkhi, then details from the Web Store can be seen at:
https://chrome.google.com/webstore/detail/ghbmnnjooekpmoecnnnilnnbdlolhkhi
To research other extensions, just append the extension identifier to the base URL [replacing the identifier string with the one returned in the query results]:
https://chrome.google.com/webstore/detail/$identifier
Most often the update URL will point to the Google Chrome store. Look for any anomalous URLs that do not point to a trusted location [such as the Google Chrome store]. In the update_url column, you can take direct actions on the URLs using the pivot menu, which facilitates searching Talos intelligence, investigating across the SecureX platform, tracing artifacts in Threat Response, or taking action, such as host isolation.
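The review steps above (check the name, build the Web Store lookup URL from the identifier, flag update URLs that do not point to the Chrome store) can be scripted over exported query rows. The following is an added example, not Orbital's or Cisco's own code; the sample rows and the allow-list are constructed here, the trusted update host is assumed to be clients2.google.com, and the example identifier from the post is assumed to belong to Google Docs Offline.

```python
# Added example, not Orbital's own code: triage rows returned by the
# "Chrome Browser Extensions Monitoring" query for the review steps above.
from urllib.parse import urlparse

WEBSTORE_DETAIL = "https://chrome.google.com/webstore/detail/"
# Assumption: store-distributed extensions update from this host.
TRUSTED_UPDATE_HOSTS = {"clients2.google.com"}
# Constructed allow-list: display name -> identifier. The id is the one the
# post uses as its example (assumed here to belong to Google Docs Offline).
KNOWN_EXTENSIONS = {"Google Docs Offline": "ghbmnnjooekpmoecnnnilnnbdlolhkhi"}

# Constructed sample rows with the columns the query returns.
SAMPLE_ROWS = [
    {"username": "alice", "name": "Google Docs Offline",
     "identifier": "ghbmnnjooekpmoecnnnilnnbdlolhkhi", "version": "1.0",
     "update_url": "https://clients2.google.com/service/update2/crx",
     "persistent": 1, "path": "/home/alice/.config/google-chrome/..."},
    # Same display name as a known extension, different id, foreign update URL.
    {"username": "bob", "name": "Google Docs Offline",
     "identifier": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "version": "1.0",
     "update_url": "http://updates.example.net/crx",
     "persistent": 1, "path": "/home/bob/.config/google-chrome/..."},
    # Unknown name, no update URL: sideloaded, needs a manual look.
    {"username": "bob", "name": "Sideloaded Helper",
     "identifier": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "version": "0.1",
     "update_url": "", "persistent": 0, "path": "/home/bob/..."},
]

def webstore_url(identifier):
    """Build the Web Store detail URL the post uses for manual lookup."""
    return WEBSTORE_DETAIL + identifier

def trusted_update_url(update_url):
    """True only for an https update_url on a trusted host."""
    p = urlparse(update_url or "")
    return p.scheme == "https" and p.hostname in TRUSTED_UPDATE_HOSTS

def triage(rows, known=KNOWN_EXTENSIONS):
    """Return rows needing review, each with its reasons and a lookup URL."""
    findings = []
    for r in rows:
        reasons = []
        if not trusted_update_url(r.get("update_url")):
            reasons.append("update_url does not point to the Chrome store")
        if r["name"] in known and known[r["name"]] != r["identifier"]:
            reasons.append("known name but unexpected identifier")
        if reasons:
            findings.append({**r, "reasons": reasons,
                             "lookup": webstore_url(r["identifier"])})
    return findings
```

Feed it the exported rows from a real run instead of SAMPLE_ROWS; every flagged row carries the lookup URL for the manual Web Store check described above.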
FREQUENCY TO PERFORM: Daily.
That's it! It's easy to get started with your first IT Operations query using Cisco's Orbital Advanced Search. Orbital Advanced Search's Catalog has a large number of pre-built posture assessment queries to streamline your IT Operations.
If you don't currently have Cisco AMP for Endpoints and are interested in trying Orbital Advanced Search, join our virtual Threat Hunting Workshop, or request a free trial.
Stay tuned: our next blog discusses Vulnerability & Compliance and how you can use Orbital Advanced Search to check firewall configurations and authorized applications and make sure your endpoints are running the most up-to-date version of anti-virus.
The post Getting more value from your own endpoint security tool #4: Querying Strategies for IT Operations appeared first on Cisco Blogs.