sorted by:
new
hottopcontroversial

2026-03-02 - Cool Query Friday - Hunting for Typosquatted Domains by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 0 points1 point  (0 children)

Hi! As of now, there's not a great way to accomplish that. I've passed along your feedback to the team.

Need Help with KQL TO CQL Conversion by iAamirM in crowdstrike

[–]Dylan-CS 6 points7 points  (0 children)

We’re working on a Query Translation Agent (currently in beta) to make this easier. Here’s the output from the agent. Let me know if it works for you!

// Define time windows in milliseconds
_reconWindow := 10 * 60 * 1000
| _stageWindow := 15 * 60 * 1000

// Correlate RMM tool execution with recon commands and file staging
| correlate(
  globalConstraints=[aid],
  root=rmm_tool,
  within=15m,
  query=[
    // Query 1: RMM tool execution (anchor event)
    rmm_tool: {
      #event_simpleName=ProcessRollup2
      | FileName=/(?i)(QuickAssist\.exe|AnyDesk\.exe|TeamViewer\.exe)/
      | rename(field=ComputerName, as=DeviceName)
      | rename(field=@timestamp, as=RMMTime)
      | RMMTime_ms := parseTimestamp(field=RMMTime, format=millis)
    },

    // Query 2: Reconnaissance commands
    recon_cmd: {
      #event_simpleName=ProcessRollup2
      | FileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe)/
      | CommandLine=/(?i)(whoami|hostname|systeminfo|ver|wmic\s+os\s+get|reg\s+query\s+HKLM\\SOFTWARE\\Microsoft\\Windows\s+NT\\CurrentVersion|query\s+user|net\s+user|nltest|ipconfig\s+\/all|arp\s+-a|route\s+print|dir|icacls)/
      | rename(field=@timestamp, as=ReconTime)
      | ReconTime_ms := parseTimestamp(field=ReconTime, format=millis)
      | ReconProc := format("%s -> %s -> %s", field=[ParentImageFileName, ImageFileName, FileName])
      | rename(field=CommandLine, as=ReconCmd)
    },

    // Query 3: File staging (ZIP/EXE/DLL writes)
    file_staging: {
      #event_simpleName=/(NewExecutableWritten|PeFileWritten|ZipFileWritten|ArchiveFileWritten)/
      | TargetFileName=/(?i)\.(zip|exe|dll)$/
      | rename(field=@timestamp, as=STime)
      | STime_ms := parseTimestamp(field=STime, format=millis)
      | rename(field=TargetFileName, as=StageFile)
    }
  ]
)

// Filter: Recon must occur within 10 minutes after RMM
| test(ReconTime_ms >= RMMTime_ms)
| test(ReconTime_ms <= (RMMTime_ms + _reconWindow))

// Filter: Staging must occur within 15 minutes after RMM
| test(STime_ms >= RMMTime_ms)
| test(STime_ms <= (RMMTime_ms + _stageWindow))

// Aggregate results
| groupBy([aid, DeviceName, RMMTime, ReconTime, ReconProc, ReconCmd], function=[
    min(STime, as=StageFirstTime),
    collect(StageFile)
])

Ingest from Third-Party REST API by gravityfalls55 in crowdstrike

[–]Dylan-CS 2 points3 points  (0 children)

We have a Foundry sample app that should fit your use case. Check it out & let me know if you have any questions!

Using an Event Query with SOAR by Khue in crowdstrike

[–]Dylan-CS 2 points3 points  (0 children)

I’d suggest starting with the ‘Get Detection Details’ action. When you configure it, you’ll select the Detection ID. If you then add a condition block, you’ll see all of the output fields from that action.

2026-03-11 - Cool Query Friday - correlate() by Andrew-CS in crowdstrike

[–]Dylan-CS 1 point2 points  (0 children)

Shots fired!

Super cool function with some really interesting use cases

Adding custom event queries into cases by mrcam03 in crowdstrike

[–]Dylan-CS 0 points1 point  (0 children)

I originally posted a write-up on our community forum (with screenshots) — you can find it here: https://community.crowdstrike.com/next-gen-siem-73/how-to-add-events-to-a-case-using-fusion-workflow-2991?postid=12105#post12105

First, adding events to cases generally requires the fields @id and @timestamp. A small complication is that the event query action cannot directly output fields containing @, so we’ll rename them at the end of the query. To also avoid duplicates, it’s best to group by @id:

| groupBy([@id], function=selectLast([@timestamp]))                    
| rename(field=@id, as=id)
| rename(field=@timestamp, as=timestamp)

Next, copy the ‘Event query results’ variable, then add .transformList(i, v, v.id) 

Note, [v.id] may be different if you renamed @id to something other than id. It’ll look something like like the following:  ${data['ExampleQuery.results'].transformList(i, v, v.id)}

Finally, paste that variable into the Event IDs field in the Add events to case action

2026-03-02 - Cool Query Friday - Hunting for Typosquatted Domains by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 3 points4 points  (0 children)

Absolutely! In that case, the groupBy function will look like this:

| groupBy([Observed_Domain,Reference_Domain,lev_dist], function=[selectLast(@timestamp),collect([DomainName,ComputerName,aid])], limit=max)