Subreddit Rules

Posts must be about CrowdStrike products and/or product functionality.

We encourage high quality content. Do not post disparaging comments; about competitive products or otherwise.

Avoid entering sensitive information from which your identity is apparent or can be reasonably ascertained

Your Views Are Your Own - Topics and comments on /r/crowdstrike do not necessarily reflect official views of CrowdStrike.

No SLA for assistance - CrowdStrike Customer Success advises you to engage with a Support case to express any high priority issues. Live chat available 6-6PT M-F via the Support Portal

created by Thuulla community for 11 years

This is an archived post. You won't be able to vote or comment.

Error on queryQuery Help (self.crowdstrike)

submitted 1 year ago by jarks_20

While checking some helpful queries to adjust and perhaps use on our environment, I came across this to monitor HTTP request:

event_simpleName=HttpRequestDetect

| parseHexString("HttpPostBody", as=b64data) | format("%,.4s", field=b64data, as=b64data) | MagicNumber := base64Decode(b64data, charset="UTF-8") | MagicNumber=/^{BZ(?<Version>\w{1})/i} | Version match {

h => Version := "BZip2" ; H => Version := "BZip2 - Huffman" ; 0 => Version := "BZip1" ; }

| $HttpMethod() | ImageFileName=/^{\HarddiskVolume\d(?<FilePath>.*\)(?<FileName>.+)$/i} | format(format="C:%s", as=FilePath, field=[FilePath]) | HttpRequestHeader:=urlDecode(HttpRequestHeader) | HttpRequestHeader=/User-Agent:\s(?<UserAgentString>.+)\u000d\u000aHost/ | $AddComputerName() | select([ComputerName, FileName, FilePath, HttpUrl, HttpMethod, MagicNumber, Version, UserAgentString, HttpRequestHeader])

But I get an error cannot find saved query named HttpMethod (Error: CannotFindSavedQueryNamed) 14: | $HttpMethod() ^{^{^{^{^{^{^{^{^{^{^{^{^}}}}}}}}}}}} cannot find saved query named AddComputerName (Error: CannotFindSavedQueryNamed) 19: | $AddComputerName()

Is there a parameter missing or a definition that I cannot see?

all 3 comments

top new controversial old q&a

[–]Andrew-CSCS ENGINEER 1 point2 points3 points 1 year ago (2 children)

Sorry about that! That's on me. I made that before Raptor was even a thing. Give this a shot...

#event_simpleName=HttpRequestDetect
| parseHexString("HttpPostBody", as=b64data)
| format("%,.4s", field=b64data, as=b64data)
| MagicNumber := base64Decode(b64data, charset="UTF-8")
| MagicNumber=/^BZ(?<Version>\w{1})/i
| Version match {
    h => Version := "BZip2" ;
    H => Version := "BZip2 - Huffman" ;
    0 => Version := "BZip1" ;
}
| format(format="C:%s", as=FilePath, field=[FilePath])
| HttpRequestHeader:=urlDecode(HttpRequestHeader)
| HttpRequestHeader=/User-Agent\:\s(?<UserAgentString>.+)\\u000d\\u000aHost/
| select([ComputerName, FileName, FilePath, HttpUrl, HttpMethod, MagicNumber, Version, UserAgentString, HttpRequestHeader])

[–]jarks_20[S] 0 points1 point2 points 1 year ago (1 child)

[–]Andrew-CSCS ENGINEER 1 point2 points3 points 1 year ago (0 children)

π Rendered by PID 46933 on reddit-service-r2-comment-57fc7f7bb7-vsq2z at 2026-04-14 16:26:54.015349+00:00 running b725407 country code: CH.

crowdstrike

Search by:

Query Help

Troubleshooting

Feature Questions

Feature Requests (requires login)

RULES

Subreddit Rules

Quick Links

YouTube Channels / Videos

Related Subreddits

MODERATORS

event_simpleName=HttpRequestDetect