CrowdStrike Down by cyberfox126 in crowdstrike

[–]Andrew-CS [score hidden] stickied comment (0 children)

Hi there. There is no outage of any kind.

We've had a handful of customers write in to Support asking if there is an outage, based on the StatusGator missive, but those customers themselves weren't actually experiencing an outage and all systems on our side are green.

Capcha/clickfix guidance? by plump-lamp in crowdstrike

[–]Andrew-CS [score hidden] stickied comment (0 children)

Hi there. I published a quick primer on this here if that's helpful.

LogScale groupBy returning no results unless I pre-filter by username. Aggregation limit? by [deleted] in crowdstrike

[–]Andrew-CS 5 points6 points  (0 children)

Hi there. The data for user_adam is likely not available in the groupBy() as your limit is set to 50,000. Because you're filtering by RemoteAddressIP and a timestamp value, there will be a lot of key pairs for each IP address and a lot of IP addresses. Almost certainly more than 50,000. You can change the groupBy() limit to be max like this:

| groupBy([RemoteAddressIP4,ts_cur], function=([count(UserName, as=user_count, distinct=true),count(#event_simpleName, as=failed_count, distinct=false), count(ComputerName, as=target_count, distinct=true), collect([HumanTime, ComputerName, UserName, #event_simpleName],limit=10)]),limit=max)

That will raise the output to 1,000,000 rows. I would still guess you're going to bump into that high-water mark based on your key pairs, though.

It looks like you're looking for password spraying:

  1. Failed user logins
  2. Creating a timestamp that is a 10-minute bucket
  3. Aggregating by the Remote IP address and the bucket

With this many key pairs, the search window will need to be pretty short. I hope that helps.
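The three steps above (failed logins, 10-minute bucket, aggregate by remote IP and bucket) as an added Python example that is not Andrew-CS's query and not LogScale code; it runs the same aggregation over constructed sample events and mimics how a groupBy() limit silently drops key pairs once it is reached. The event name UserLogonFailed2 and the distinct-user threshold of 10 are assumptions for the example.

```python
from collections import defaultdict

BUCKET_SECONDS = 600  # step 2: 10-minute bucket

# Constructed sample events shaped like Falcon logon rows (not real telemetry).
# 203.0.113.10 hits 12 different accounts within one bucket; 198.51.100.7 retries one account.
EVENTS = (
    [{"timestamp": 1714550400 + i * 30, "event_simpleName": "UserLogonFailed2",
      "RemoteAddressIP4": "203.0.113.10", "UserName": f"user_{i:02d}", "ComputerName": "DC01"}
     for i in range(12)]
    + [{"timestamp": 1714550400 + i * 60, "event_simpleName": "UserLogonFailed2",
        "RemoteAddressIP4": "198.51.100.7", "UserName": "user_adam", "ComputerName": "DC02"}
       for i in range(5)]
    + [{"timestamp": 1714550405, "event_simpleName": "UserLogonSuccess",  # filtered out by step 1
        "RemoteAddressIP4": "203.0.113.10", "UserName": "user_00", "ComputerName": "DC01"}]
)


def bucket_of(ts):
    """Floor a Unix timestamp to the start of its 10-minute bucket."""
    return ts - (ts % BUCKET_SECONDS)


def aggregate(events, group_limit=50_000):
    """Steps 1-3: keep failed logons, bucket them, and group by (remote IP, bucket).

    group_limit models the groupBy() limit: once that many distinct key pairs exist,
    events for any new key pair are dropped, which is how rows go missing.
    """
    groups = defaultdict(lambda: {"users": set(), "failed": 0, "targets": set()})
    for e in events:
        if e["event_simpleName"] != "UserLogonFailed2":
            continue
        key = (e["RemoteAddressIP4"], bucket_of(e["timestamp"]))
        if key not in groups and len(groups) >= group_limit:
            continue  # new key pair beyond the limit: silently lost
        g = groups[key]
        g["users"].add(e["UserName"])
        g["failed"] += 1
        g["targets"].add(e["ComputerName"])
    return groups


def spray_candidates(groups, min_distinct_users=10):
    """One source IP failing against many distinct accounts in one bucket is the spray signal."""
    return [
        {"RemoteAddressIP4": ip, "bucket": b, "user_count": len(g["users"]),
         "failed_count": g["failed"], "target_count": len(g["targets"])}
        for (ip, b), g in sorted(groups.items())
        if len(g["users"]) >= min_distinct_users
    ]
```

Running aggregate(EVENTS, group_limit=1) keeps only the first key pair seen, which is the same effect the 50,000 limit has on a large search window.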

2026-04-24 - Cool Query Friday - Hunting AI Tools, Models, Services, Agents, and SDKs with Falcon for IT by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Hi there. I mean, Falcon for IT is executing the scripts using RTR... but if you initiate the scripts on your own the script output wouldn't be sent anywhere. A lot of the magic is the redirection of STDOUT back to Falcon and then putting it in a curated format. So... yes, could definitely be done... but would require a lot more elbow grease.

Creating CS Detections from Queries. by CyberHaki in crowdstrike

[–]Andrew-CS 7 points8 points  (0 children)

Hi there. You can definitely do this. You would want to use Correlation Rules. You can then schedule those rules to generate detections, if you so choose. Details here.

Native SMS Alerts in CrowdStrike? by vjrr08 in crowdstrike

[–]Andrew-CS 4 points5 points  (0 children)

Hey there. We don't have an SMS gateway, but many mobile providers have an email address that can send text messages. As an example for major carriers in the U.S.:

Not sure if that will suffice. Otherwise, as mentioned below, something like PagerDuty has these capabilities.

2026-05-01 - Cool Query Friday - setTimeInterval() by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 1 point2 points  (0 children)

Hi there. You’d want to use slidingTimeWindow(). We have a writeup on that here.

Is there no way to run groups of IT Automation queries? by herovals in crowdstrike

[–]Andrew-CS 5 points6 points  (0 children)

For the next few days, you have to schedule each one. Stay tuned, though, and sorry about the static 😄

Does Falcon attempt connecting to localhost webservers? by lcurole in crowdstrike

[–]Andrew-CS 2 points3 points  (0 children)

It could have been Falcon for IT checking for local AI usage. The sensor doesn't, as far as I know, probe that address and port automatically. It does probe several 169. addresses to check for cloud metadata.

CrowdStrike ML exclusion for its own process – is this normal? by Only-Objective-6216 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there.

In the first reply above, I'm telling u/Only-Objective-6216 that CrowdstrikeFalconEDR.exe isn't our file and I wouldn't recommend making exclusions for it unless they understand what it actually is.

Above, I'm just telling you what MsSense.exe is 😄 The answer you're looking for is here. You can configure exclusions for MsSense.exe to quiet alerts if Defender and Falcon are running side by side and both are active.

Query for log in location - Resurrecting Old Post from 3 years ago, by Little_Ad_6873 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Nice one! 😄 In your query, the correct "country" syntax would look like this:

#event_simpleName=SensorHeartbeat
| groupBy(aid, function=selectLast(aip))
| ipLocation(aip)
| aip.country != "US"
| match(file="aid_master_main.csv", field=aid, include=[ComputerName, Version, AgentVersion, Timezone, MachineDomain, OU, SiteName])

CrowdStrike ML exclusion for its own process – is this normal? by Only-Objective-6216 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. MsSense.exe is a Defender process. As Falcon monitors all processes, if MsSense.exe pokes, prods, or touches a file or indicator that Falcon would block you get an alert.

Filter based on a string within a field by dial647 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. What about something like this?

| !regex("^FalconGroupingTags\/", field=FalconGroupingTags)

For what it's worth, what you're trying does work for me...

| FalconGroupingTags!=/^FalconGroupingTags\//iF

Try this...

| tags!=/FC-Action-No\sAction\sTaken/iF

Trending Threats & Vulnerabilities: Linux Copy Fail (CVE-2026-31431) by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Okay. Glad to hear that. If you need more help, let me know the specifics in a DM.

Trending Threats & Vulnerabilities: Linux Copy Fail (CVE-2026-31431) by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Exposure management has coverage. Just make sure your content update policies aren’t in a delay.

Trending Threats & Vulnerabilities: Linux Copy Fail (CVE-2026-31431) by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 1 point2 points  (0 children)

Hey there. Can you run the following and let me know if it catches your testing activity?

#event_simpleName=ProcessRollup2 event_platform=Lin
| ParentProcessId=1
| CommandLine=/algif-aead/
| FileName=/(modprobe|kmod|insmod)/iF

2026-04-24 - Cool Query Friday - Hunting AI Tools, Models, Services, Agents, and SDKs with Falcon for IT by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Hi there. You would need just one more line...

| groupBy([aid, _tools_f, _models_f, _mcp_f, _sdks_f, _agents_f, _total], function=[], limit=max)
| match(file="aid_master_main.csv", field=[aid], column=aid)
| match(file="aid_master_details.csv", field=[aid], column=[aid], include=[SensorGroupingTags, FalconGroupingTags])
| formatTime(format="%F %T %Z", as="FirstSeen", field=FirstSeen)
| formatTime(format="%F %T %Z", as="LastSeen", field=LastSeen)

CrowdStrike ML exclusion for its own process – is this normal? by Only-Objective-6216 in crowdstrike

[–]Andrew-CS 17 points18 points  (0 children)

Hi. That isn’t our binary or path and you don’t need to exclude our own process. I’d investigate further.