Mike S. (04/14/2023, 7:51 PM):

Zay Hanlon (04/14/2023, 8:27 PM):

Mike S. (04/14/2023, 8:35 PM):

Zay Hanlon (04/14/2023, 8:41 PM):

Kathy Satterlee (04/14/2023, 8:45 PM):

Mike S. (04/14/2023, 8:47 PM):

Kathy Satterlee (04/14/2023, 8:48 PM):

Mike S. (04/14/2023, 8:48 PM):

Kathy Satterlee (04/14/2023, 8:49 PM):
_windows

Mike S. (04/14/2023, 9:01 PM):

Zay Hanlon (04/14/2023, 9:08 PM):

Mike S. (04/14/2023, 9:10 PM):

Lucas Rodriguez (04/14/2023, 9:43 PM):
Windows Fleet Agent is being blocked/flagged by Cloudflare as "Command injection - Common Attack Commands"?
Hey, quick question: Is a Cloudflare component running on the host blocking Orbit? Or is Cloudflare blocking network connections to/from the Windows agent?

Mike S. (04/14/2023, 9:44 PM):

Jason (04/14/2023, 9:53 PM):

Mike S. (04/14/2023, 10:15 PM):

defensivedepth (04/15/2023, 3:53 PM):

Kathy Satterlee (04/17/2023, 2:55 PM):

Mike S. (04/17/2023, 4:06 PM):

Kathy Satterlee (04/17/2023, 5:40 PM):

Mike S. (04/17/2023, 5:54 PM):

Kathy Satterlee (04/18/2023, 8:02 PM):

Mike S. (04/18/2023, 8:15 PM):

Lucas Rodriguez (04/18/2023, 9:15 PM):
...distributed/write request, which means it flagged some part of the query results as command injection. I wonder what exactly caused the flagging, but I can see "machine learning" there so it's kind of a black box?...

Ando (04/26/2023, 1:22 PM):
Path: /api/v1/osquery/distributed/write
UA: osquery/5.8.2
CF WAF rule: Command Injection - Common Attack Commands

Very odd that from CF WAF logic Mac queries are safe while Windows is not. I'll be doing some research, and probably also look for a way to specifically exclude the osquery user-agent/path from the Cloudflare WAF on the Cloudflare side.

Jason (04/26/2023, 1:24 PM):

Ando (04/27/2023, 12:33 PM):

Zay Hanlon (04/27/2023, 1:54 PM):

Mike S. (04/27/2023, 3:29 PM):

Ando (05/05/2023, 1:22 PM):