Hi, would anyone know what will be the best method to search for certain kinds of files across a large number of computers (say like 10K)?
Hi - a lot of variables here.
Does the large amount of computers have an agent already running and feeding into a central place?
Have you taken a look at or POC'd any tools such as, https://github.com/google/grr
Are you seeking a tool to FIM and then pull a forensic file from all machines at once, i.e. push, pull, delete, and also remote wipe?
@mister4n6 thank you so much for your response! Nope.. there isn't any agent installed yet. The idea is to search for certain file names and types on the users' computers, just to identify which users have that kind of files.
Ideally I'd get maybe only the metadata from all the users' computers and ingest it in a central location so the search can be done. I'm hoping to see if anyone knows of such a tool?
How to identify the file? Because of its name, hash or strings inside?
And you are talking about Windows, yes? Which versions?
regards, Robin
Hi - @data_connected
Sounds like the solution here could be a SIEM. I say this because you want/require a central repository to _search_ for answers.
Whatever platform these, say, 10k hosts are running, their OS, system and security logs will need to be centralized, and for files an EDR solution w/ FIM, to then pose questions like:
"Which Win10x64 hosts across the (say about :P) 10k fleet has a spam.zip in their \Downloads dir?"
"Which host across the 10k fleet is running gdm3 on Ubuntu 20.10?"
This reminds me when I got speaking to someone from Tanium and they explained a bunch of things along the lines of this.
Since the 4th, have you solved this problem or come up with ideas you would be open to sharing here?
For that many computers I would hope there is an IT department that manages that population of endpoints. If so, I would check with them to see what capabilities they might have.
I once did that with a few lines of PowerShell, deployed via GPO. It depends on how you want to search and the environmental and task-specific requirements, obviously.
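As an added illustration of the "few lines of PowerShell, deployed via GPO" approach (this is example code, not the poster's script): each host enumerates files matching name/type patterns, records only metadata, and writes one CSV per host to a central share for later searching. The patterns, roots and share path are placeholders.

```powershell
param(
    [string[]] $Patterns  = @('*.kdbx', '*.pst', 'customer_export*.xlsx'),  # placeholder name/type patterns
    [string[]] $Roots     = @('C:\Users'),                                  # directories to enumerate
    [string]   $OutputDir = '\\collector.example.local\inventory$',         # placeholder central share
    [switch]   $Hash                                                        # SHA-256 is costly at fleet scale; off by default
)

# Returns $true when the file name matches any of the wildcard patterns (case-insensitive).
function Test-NamePattern {
    param([string] $Name, [string[]] $Patterns)
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

$hostName  = $env:COMPUTERNAME
$collected = (Get-Date).ToUniversalTime().ToString('o')

$rows = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden files; SilentlyContinue skips directories this account cannot read
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-NamePattern -Name $_.Name -Patterns $Patterns } |
        ForEach-Object {
            $sha = $null
            if ($Hash) {
                $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
            [pscustomobject]@{
                Host         = $hostName
                Collected    = $collected
                Path         = $_.FullName
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                Owner        = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                Sha256       = $sha
            }
        }
}

# One CSV per host so 10k hosts never contend for the same file. On the collector the search is then e.g.:
#   Get-ChildItem '\\collector.example.local\inventory$\*.csv' | Import-Csv |
#       Where-Object Path -like '*\Downloads\*' | Group-Object Host
$outFile = Join-Path -Path $OutputDir -ChildPath ("{0}.csv" -f $hostName)
$rows | Export-Csv -LiteralPath $outFile -NoTypeInformation -Encoding UTF8
```

Run it as a GPO startup script or scheduled task under an account that has read access to the user profiles and write access to the share only.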
Hi, I may be somewhat biased as I have been helping to develop such a tool for several years 😀
Have a look at ISEEK on xtremeforensics.com
It doesn't need installation and will generate a report of the results in a csv if that is all you want.
Regards, Richard
Hi - @data_connected
Sounds like the solution here could be a SIEM. I say this because you want/require a central repository to _search_ for answers.
Whatever platform these, say, 10k hosts are running, their OS, system and security logs will need to be centralized, and for files an EDR solution w/ FIM, to then pose questions like:
No, no and no. A SIEM is not a digital shithole! A SIEM stores and correlates Security Incidents and Events, not all file names or metadata from workstations within the company. Exactly this is one of the many reasons why so many SOC and their SIEM in use are failing.
The question was related to an enterprise wide search of "certain kind of files" and the possible answers could potentially be an asset management/ inventory system or as C.R.S said, a simple script in Powershell.
EDR and SIEM are technologies and solutions for completely different scenarios and use cases.
regards, Robin