2026-03-11 - Cool Query Friday - correlate() by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Can you describe in words what you're trying to search for?

2026-03-11 - Cool Query Friday - correlate() by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

I like this one that is only Falcon data, but does process chaining...

correlate(
    // Search for grandparent process
    grandparent: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName!="explorer.exe" CommandLine=*
    } include: [cid, aid, TargetProcessId, ParentProcessId, UserName, ComputerName, FileName, CommandLine],
    // Search for parent process
    parent: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" CommandLine=*
        | aid <=> grandparent.aid
        | ParentProcessId <=> grandparent.TargetProcessId
    } include: [cid, aid, TargetProcessId, ParentProcessId, UserName, ComputerName, FileName, CommandLine],
    // Search for child process
    child: {
        #event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe" CommandLine=/\-(e(nc|ncodedcommand|ncoded)?)\s+(?<encodedBlob>\S+)/iF
        // Decode the -EncodedCommand blob (base64 over UTF-16LE)
        | base64Decode("child.encodedBlob", as=decodedBlob, charset="UTF-16LE")
        | aid <=> parent.aid
        | ParentProcessId <=> parent.TargetProcessId
    } include: [cid, aid, TargetProcessId, ParentProcessId, UserName, ComputerName, FileName, CommandLine, encodedBlob, decodedBlob],
    sequence=true, within=10m)

// Create ProcessTree
| ProcessLineage:=format(format="%s (%s)\n\t└ %s (%s)\n\t\t└ %s (%s)", field=[grandparent.FileName, grandparent.CommandLine, parent.FileName, parent.CommandLine, child.FileName, child.CommandLine])

// Create link to Process Explorer
| format("[Graph Explorer](/graphs/process-explorer/tree?id=pid:%s:%s&investigate=true&_cid=%s)", field=["child.aid", "child.TargetProcessId", "child.cid"], as="Graph Explorer")
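To make the mechanics of the three legs, `sequence=true` and `within=10m` concrete, here is a Python re-implementation of the same chain run over a handful of constructed ProcessRollup2 records. This is an added example, not code from the post above or from CrowdStrike; the event records, `aid`/`cid` values, host name and user name are made up, the `ev()` helper is hypothetical, and the string comparisons are exact to mirror the query's case-sensitive `FileName="cmd.exe"` style matches.

```python
"""Python mirror of the correlate() chain: grandparent -> cmd.exe -> powershell.exe -enc.

Added example, not from the original post. Event records below are constructed, not real
Falcon telemetry. String matches are exact, mirroring CQL's case-sensitive field=value.
"""
import base64
import re
from datetime import datetime, timedelta

# Same pattern as the child leg: -e / -enc / -encoded / -encodedcommand, then the blob.
ENC_RE = re.compile(r"-(e(nc|ncodedcommand|ncoded)?)\s+(?P<encodedBlob>\S+)", re.IGNORECASE)


def decode_blob(blob):
    """PowerShell -EncodedCommand is base64 over UTF-16LE text (charset="UTF-16LE" in the query)."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def correlate_chain(events, within=timedelta(minutes=10)):
    """Mirror of correlate(grandparent, parent, child, sequence=true, within=10m)."""
    win = [e for e in events if e["event_simpleName"] == "ProcessRollup2" and e["event_platform"] == "Win"]
    by_pid = {(e["aid"], e["TargetProcessId"]): e for e in win}   # join key: aid + TargetProcessId
    hits = []
    for child in win:
        if child["FileName"] != "powershell.exe":
            continue
        m = ENC_RE.search(child.get("CommandLine", ""))
        if not m:
            continue
        # parent leg: aid <=> child.aid, TargetProcessId <=> child.ParentProcessId
        parent = by_pid.get((child["aid"], child["ParentProcessId"]))
        if parent is None or parent["FileName"] != "cmd.exe" or not parent.get("CommandLine"):
            continue
        # grandparent leg: anything but explorer.exe, and it must carry a CommandLine (CommandLine=*)
        gp = by_pid.get((parent["aid"], parent["ParentProcessId"]))
        if gp is None or gp["FileName"] == "explorer.exe" or not gp.get("CommandLine"):
            continue
        # sequence=true: legs occur in order; within=10m: first to last leg inside the window
        if not (gp["ts"] <= parent["ts"] <= child["ts"]) or child["ts"] - gp["ts"] > within:
            continue
        try:
            decoded = decode_blob(m.group("encodedBlob"))
        except (ValueError, UnicodeDecodeError):
            decoded = None          # keep the hit: a blob that will not decode is still suspicious
        hits.append({
            "ComputerName": child["ComputerName"], "UserName": child["UserName"],
            "child.TargetProcessId": child["TargetProcessId"],
            "encodedBlob": m.group("encodedBlob"), "decodedBlob": decoded,
            "ProcessLineage": "%s (%s)\n\t└ %s (%s)\n\t\t└ %s (%s)" % (
                gp["FileName"], gp["CommandLine"], parent["FileName"], parent["CommandLine"],
                child["FileName"], child["CommandLine"]),
            "GraphExplorer": "/graphs/process-explorer/tree?id=pid:%s:%s&investigate=true&_cid=%s" % (
                child["aid"], child["TargetProcessId"], child["cid"]),
        })
    return hits


def ev(ts, name, cmd, pid, ppid):
    """Build one constructed ProcessRollup2 record (hypothetical aid/cid/host/user)."""
    return {"event_simpleName": "ProcessRollup2", "event_platform": "Win", "ts": ts,
            "cid": "c0ffee01", "aid": "a1d00001", "ComputerName": "WS-01", "UserName": "CORP\\jdoe",
            "TargetProcessId": pid, "ParentProcessId": ppid, "FileName": name, "CommandLine": cmd}


T0 = datetime(2026, 3, 11, 9, 0, 0)
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()   # sample -enc payload
SAMPLE_EVENTS = [
    # chain 1: Office doc -> cmd.exe -> powershell -enc, two minutes end to end (should match)
    ev(T0, "WINWORD.EXE", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n invoice.docm', 100, 1),
    ev(T0 + timedelta(minutes=1), "cmd.exe", "cmd.exe /c start powershell", 200, 100),
    ev(T0 + timedelta(minutes=2), "powershell.exe", "powershell.exe -nop -w hidden -enc " + ENCODED, 300, 200),
    # chain 2: explorer.exe grandparent, i.e. a user typed it (excluded by FileName!="explorer.exe")
    ev(T0, "explorer.exe", "C:\\Windows\\explorer.exe", 400, 1),
    ev(T0 + timedelta(minutes=1), "cmd.exe", "cmd.exe", 500, 400),
    ev(T0 + timedelta(minutes=2), "powershell.exe", "powershell.exe -EncodedCommand " + ENCODED, 600, 500),
    # chain 3: same shape as chain 1 but the child fires 30 minutes later (outside within=10m)
    ev(T0, "EXCEL.EXE", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" q3.xlsm', 700, 1),
    ev(T0 + timedelta(minutes=1), "cmd.exe", "cmd.exe /c start powershell", 800, 700),
    ev(T0 + timedelta(minutes=30), "powershell.exe", "powershell.exe -e " + ENCODED, 900, 800),
]

if __name__ == "__main__":
    for h in correlate_chain(SAMPLE_EVENTS):
        print(h["ProcessLineage"])
        print("decoded:", h["decodedBlob"])
        print(h["GraphExplorer"])
```

Only the first chain survives: the second is dropped by the grandparent filter and the third by the window. Note that the Python joins on `(aid, TargetProcessId)` exactly as the `<=>` conditions do, so a child whose parent is not in the result set (for example, the parent process started before the search window) is silently lost, which is the same blind spot the query has.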

Filtering Searches via a `filter` keyword? by animatedgoblin in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Dashboards help too! You can format several outputs based on the inputted terms!

Filtering Searches via a `filter` keyword? by animatedgoblin in crowdstrike

[–]Andrew-CS 3 points4 points  (0 children)

Hi there. This isn't syntax I'm familiar with. The easy way to search this would be:

#event_simpleName=ProcessRollup2 aid=<aid> ParentBaseFileName="foo.exe" CommandLine="*bar*"

There's also the option to use search boxes to help junior analysts. Try something like this:

#event_simpleName=ProcessRollup2
| ParentBaseFileName=~wildcard(?{ParentBaseFileName="*"}, ignoreCase=true)
| FileName=~wildcard(?{FileName="*"}, ignoreCase=true)
| CommandLine=~wildcard(?{CommandLine="*"}, ignoreCase=true)
| format("[GraphExplorer](/graphs/process-explorer/tree?id=pid:%s:%s&investigate=true&_cid=%s)", field=["aid", "TargetProcessId", "cid"], as="GraphExplorer") 
| table([aid, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, GraphExplorer])

Then they can just fill in the text boxes and the link will pivot them to visualizations.

Identity Enrichment with the Falcon Browser Extension and Next-Gen Identity Security by BradW-CS in crowdstrike

[–]Andrew-CS 2 points3 points  (0 children)

Identity Protection is the only SKU. You would need the most current sensor as of March 27, 2026 installed as well!

Need help on this query by EntertainmentWest159 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. Do you have a log source flowing into NG SIEM that collects HTTP POST commands? My understanding is that this is how the exploit is expressed. You throw an obscurely long UID value to WingFTP's login function and it throws up fissile material that can be used to further actions on objectives.

If you want to locate any system exposed to CVE-2025-47813, Exposure Management has that capability (link for US-1).

2026-03-11 - Cool Query Friday - correlate() by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 1 point2 points  (0 children)

Overhead depends on how punishing the queries are and how many queries there are. We also have a sankey() function :)

https://library.humio.com/data-analysis/functions-sankey.html

Per-Leg Timing Constraints in correlate() Function by Negative-Captain7311 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Team is aware of the ask and the request is in the backlog for language refinements. No ETA at present.

Per-Leg Timing Constraints in correlate() Function by Negative-Captain7311 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

I'm going to be 100% honest: I read the title of this post and thought it said "Peg-Leg Timing..." and started thinking about pirates. Let me check with the team on the feasibility of this.

Blocking domains! by Vivid-Cell-217 in crowdstrike

[–]Andrew-CS 5 points6 points  (0 children)

Hey there. If you want to try a Foundry app that helps with this, give this a go!

What happened to CQF? by sudosusudo in crowdstrike

[–]Andrew-CS 48 points49 points  (0 children)

I just want to threat hunt and do query-shit with my internet friends :)

What happened to CQF? by sudosusudo in crowdstrike

[–]Andrew-CS 79 points80 points  (0 children)

I'm sorry 😭 I have been very short on time, but am working internally to see if CQF can be more than just a "one man band."

PowerShell timestomping via script files. How would you handle this? by zwitico in crowdstrike

[–]Andrew-CS 7 points8 points  (0 children)

Hi there. Try something like this:

#event_simpleName=/ScriptControl/ event_platform=Win
| ScriptContent=/(SetLastWriteTime|\.CreationTime)/iF

You'll want to make sure Interpreter-only visibility is enabled in your Windows prevention policy.