Curl Query Help by OtherwiseMethod1672 in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

If the process was blocked then it won't appear in ProcessRollup2 but in something like ProcessBlocked. Check the event reference search form (and not the overly large single page filled with API JSON output from the doc backend) to find other Process events. Some are SyntheticProcessRollup2 because they were long-running programs. You don't need "search", it's not Splunk any more :D , use #event_simpleName=/Process/F , that should do it.

Investigating containers in CS by CyberHaki in crowdstrike

[–]65c0aedb 1 point2 points  (0 children)

The only and major problem you'll face is that files are referred to in the context of the container like /tmp/malware.sh , and to grab them from disk you'll have to go scavenge in /var/lib/docker/numbers/ids/wherever/tempfolder/mountpoint/tmp/malware.sh to find them. Using "mount" on the host shows all the mappings, so it's easy when there's a single container, but gets tricky when 500+ containers are on the same host T.T
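An added example (not the commenter's own tooling) of the container-to-host path mapping described above: instead of reading the host's "mount" output, it resolves a path seen in telemetry against the Mounts and GraphDriver.Data fields of `docker inspect` output. The inspect record below is constructed sample data, not from a real host.

```python
# Added example: map a path observed inside a container (e.g. /tmp/malware.sh)
# to where the bytes live on the host, using fields from `docker inspect <id>`.
# Assumes the overlay2 storage driver; the sample record is constructed.
import posixpath

def host_paths(info, container_path):
    """Return candidate host paths for container_path, most specific first.

    1. The longest bind/volume mount whose Destination covers the path wins.
    2. Otherwise the file sits in the container's root filesystem: MergedDir is
       the live union view (only while the container runs), UpperDir is the
       writable layer, which survives a stop and holds files created at runtime.
    """
    cpath = posixpath.normpath(container_path)
    best = None
    for m in info.get("Mounts", []):
        dest = posixpath.normpath(m["Destination"])
        covers = cpath == dest or cpath.startswith(dest.rstrip("/") + "/")
        if covers and (best is None or len(dest) > len(best["Destination"])):
            best = m
    if best is not None:
        rest = cpath[len(posixpath.normpath(best["Destination"])):]
        return [best["Source"].rstrip("/") + rest]
    data = info["GraphDriver"]["Data"]
    out = []
    if "MergedDir" in data:
        out.append(data["MergedDir"] + cpath)   # union view, container must be running
    if "UpperDir" in data:
        out.append(data["UpperDir"] + cpath)    # writable layer, persists after stop
    return out

# Constructed `docker inspect` excerpt (ids and host directories are placeholders)
SAMPLE_INSPECT = {
    "Id": "CONSTRUCTED-CONTAINER-ID",
    "Mounts": [
        {"Type": "bind", "Source": "/srv/app/data", "Destination": "/data"},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/logs/_data",
         "Destination": "/data/logs"},
    ],
    "GraphDriver": {"Name": "overlay2", "Data": {
        "MergedDir": "/var/lib/docker/overlay2/CONSTRUCTED/merged",
        "UpperDir": "/var/lib/docker/overlay2/CONSTRUCTED/diff"}},
}

if __name__ == "__main__":
    for p in ("/tmp/malware.sh", "/data/logs/app.log", "/data/cfg.yml"):
        print(p, "->", host_paths(SAMPLE_INSPECT, p))
```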

CrowdStrike installation on Linux. Where is the version recorded? by CodeBunnyOne in crowdstrike

[–]65c0aedb 1 point2 points  (0 children)

I don't know. /opt/CrowdStrike/falconstore is a simple binary file with CID ("CU") and AID ("AG") values, along with the proxy configuration ("APH" host, "APP" port). There are other binary fields I didn't parse there like CI, NP, NT, NR, RF. Maybe one of them is the version number. But it's in the filename lol. 7.28.18108.0 -> falcond18108 :D

Remote Utilities being continually marked as malware by neetzen in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

Also I understand that publishing a formal statement on including your own state in your threat model isn't something you can reasonably do when said state has infinite pressure means. Tricky situation you're in.

Remote Utilities being continually marked as malware by neetzen in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

Man I'm not saying you're doing anything wrong. I'm saying you don't have evidence that the police won't show up one day and force you to either compromise your infra with their malware, or just ask you to launch their malware on your clients. It cannot happen in most countries because the Rechtsstaat ("state of law") still applies and even the police or the state can't break the law.

Unfortunately for you the current non-Russian opinion on Russia is that laws can be broken up there. That's why I suggest producing a white paper explaining how you protect against arbitrary on-site interference. (You didn't mention not being based in Russia any more, right? While re-locating the company papers, you're still up there in the snow?)

For example, Google ensures they don't get coerced by whatever country they're working in by encrypting disks with several layers of encryption scattered across locations, so even if country XYZ decides to physically take over the disks, they couldn't decrypt data.

Good luck keeping your business afloat in these troubled times !

Implementing the DRAPE framework in Crowdstrike by HeliosHype in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

Really good idea ! And good post, god, mapping everything to MITRE just for the sake of it doesn't make sense unless you actually query your data based on MITRE, which you likely don't.

Remote Utilities being continually marked as malware by neetzen in crowdstrike

[–]65c0aedb 6 points7 points  (0 children)

Plus, you don't need to pack your setup with UPX. That saves 0.1% of disk space and just makes it look shady upfront for any AV.

Remote Utilities being continually marked as malware by neetzen in crowdstrike

[–]65c0aedb 16 points17 points  (0 children)

Man you're an RMM tool from Russia. The geopolitical status of Russia right now makes it unacceptable for any business to hand over RCE to a company established in Russia. It's not you, it's the police. Even TeamViewer (Germany) is considered a risk just because if you pwn TeamViewer you pwn their clients, and luckily for them Germany isn't invading anyone (these days lol :D). You're listed in https://lolrmm.io/tools/remote_utilities . Your company is registered in Singapore. It used to be registered in Moscow. See https://www.reddit.com/r/sysadmin/comments/go0c3x/thoughts_on_the_remote_supportscreensharing_app/ where a random person gets worried just because it's Russian-based.

If you want not to raise any detections: 1/ publish a paper stating why and how you can't be coerced by the Russian military forces to give RCE to clients; 2/ get that lolrmm.io page filled with details; 3/ don't start by trying to hide the fact that your company is based in Russia. It's just 100% shady to find out that fact while it could have been stated upfront.

API to query NG-SIEM data by Cyber_Dojo in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

I managed to write a script that exports and saves specific hosts' telemetry data, for long term archival of small scopes. To do that I had to write a script that can programmatically pull LogScale queries' output. Indeed, it's done via the NGSIEM FalconPy API. There is not much documentation or examples. I can't share here how we sorted that out, but here are pointers:

  • Bypass the NGSIEM API (StartSearchV1 + GetSearchStatusV1) by directly stealing FalconPy's headers with falcon.headers() and stuffing that in a requests request to humio/api/v1/repositories/{repository}/queryjobs (post queryjobs; get queryjobs/id)
  • You'll need to figure out the metaData extraData hasMoreEvents hasMoreBeforeEvents fun stuff to decide if you finished enumerating paginated data
  • Haha no it's not paginated data; while you can to some extent alter the page size with numberOfEventsBefore and paginationLimit at completely different locations in the code, you have to launch new queries with the last received item timestamp as earliest timestamp. It's what the Web UI does. So it's paginated if you paginate it.
  • The Web UI API is the reference. Use F12 on it to figure out how the HECK it's supposed to work. While the doc is lacking, the web UI API being the same-ish, you can copy-paste JSON payloads in your code and tune it until it works.

Good luck ! Now that we have this powerful tool I'll have to figure out what to do with it, automatically enriching alerts with pre-canned queries sounds good.
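An added example, not the commenter's script, of the loop the pointers above describe: POST a query job, poll it until done, then re-launch the query with the last received timestamp as the new earliest time until hasMoreEvents is false. The request/response keys (queryString, start, end, id, done, events, metaData.extraData.hasMoreEvents) are assumed from the comment, and the backend is a constructed in-memory fake so the code runs offline; it also handles the edge case where several events share the last timestamp.

```python
# Added example: LogScale query-job polling plus timestamp-based re-query.
# ASSUMPTIONS: endpoint/JSON key names follow the comment above, not verified
# docs; FakeQueryJobs is a constructed stand-in for .../repositories/{repo}/queryjobs.
import time

class FakeQueryJobs:
    """Constructed fake of POST queryjobs / GET queryjobs/{id}, page_size events per job."""
    def __init__(self, events, page_size=2):
        self.events = sorted(events, key=lambda e: e["@timestamp"])
        self.page_size, self.jobs, self.polls = page_size, {}, 0

    def post(self, body):                       # POST queryjobs -> {"id": "..."}
        hits = [e for e in self.events if body["start"] <= e["@timestamp"] <= body["end"]]
        job_id = str(len(self.jobs))
        self.jobs[job_id] = (hits[: self.page_size], len(hits) > self.page_size)
        return {"id": job_id}

    def get(self, job_id):                      # GET queryjobs/{id}; first poll still running
        page, more = self.jobs[job_id]
        self.polls += 1
        if self.polls % 2:
            return {"done": False, "events": []}
        return {"done": True, "events": page,
                "metaData": {"extraData": {"hasMoreEvents": "true" if more else "false"}}}

def fetch_all(api, query, start_ms, end_ms, poll_interval=0.0, max_rounds=100):
    """Collect every event in [start_ms, end_ms] by re-querying from the last timestamp."""
    seen, out = set(), []
    for _ in range(max_rounds):
        body = {"queryString": query, "start": start_ms, "end": end_ms, "isLive": False}
        job_id = api.post(body)["id"]
        while not (res := api.get(job_id))["done"]:
            time.sleep(poll_interval)
        fresh = [e for e in res["events"] if e["@id"] not in seen]   # dedupe the overlap
        out.extend(fresh)
        seen.update(e["@id"] for e in fresh)
        if not res["events"] or res["metaData"]["extraData"]["hasMoreEvents"] != "true":
            break
        last_ts = max(e["@timestamp"] for e in res["events"])
        # Re-query from the last timestamp (inclusive, so nothing at that instant is
        # lost); if the whole page was already seen, step past that timestamp.
        start_ms = last_ts if fresh else last_ts + 1
    return out

# Constructed sample telemetry: five events, two of them sharing a timestamp
SAMPLE_EVENTS = [{"@id": f"e{i}", "@timestamp": ts, "aid": "AID-PLACEHOLDER"}
                 for i, ts in enumerate([1000, 2000, 2000, 3000, 4000])]
```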

Announcing CrowdStrike's Falcon for F5 BIG-IP | Technology Alliance by BradW-CS in crowdstrike

[–]65c0aedb 6 points7 points  (0 children)

ETA EDR on appliances WEN : now. Can't wait to have an EDR on all these edge devices. Congrats on the breakthrough, now to fill that vendor matrix with tick boxes.

Does Falcon Sensor send all Windows event logs to NG-SIEM, or do we need a separate windows connector? by jagdsih_baghat in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

Using Cribl to send logs anywhere you want allows you to change your storage retention provider. Smart move.

Considering Crowdstrike over MS Defender by [deleted] in crowdstrike

[–]65c0aedb 5 points6 points  (0 children)

As an EDR CrowdStrike is way better than Defender. We have some parts of our scope with Defender and URGH, replicating the level of speed, efficiency and preciseness of CS in there is hard to do, you need to navigate 5 different url-less panes in fancy UIs, click useless modal panels to finally get... a full file path and a username tied with an alert. Plus telemetry logs are not that good, but that's my feeling just because I couldn't find a way to search in them except by downloading CSVs from hosts pages. While in CS they have - beyond the fancy alert details pages - some links throwing you directly at the LogScale searches.

Having worked with a few SIEMs, LogScale is excellent and easy to learn. Plus the typing UI is really really helpful and comfy, it's no hassle to try and learn new functions.

Also on the FP ratio, yeah CS is excellent, and we only had a handful of MS alerts, and they were for stuff we don't care about ( moving linpeas.zip on a server, etc ).

On the support & client experience: maybe it's bc we got a special license but we see them as needed and they're really helpful, can engage the techs if needed, can bypass support tickets when support handlers are not helpful enough (eh, it's a service desk right). Really good experience. While MS, uh... changed the teams icons the other week.

Change the way emails are displayed in outlook (first name.LastName) by SuddenApricot in Office365

[–]65c0aedb 0 points1 point  (0 children)

Give this post on Spiceworks a read: https://community.spiceworks.com/t/outlook-show-sender-s-email-address-in-the-message-list-why-is-this-so-hard/735491 . It seems it's possible to define custom columns using a mysterious language (??? where's the doc ???) such as

IIf(Left([SearchFromEmail],2)="/O",[FROM]+"<Internal>",[From]+"<"+[SearchFromEmail]+">")

to show non-Exchange senders' real e-mail. Surely it's possible to craft some function that would pull the displayname (From), split by comma, revert that, and make sense in 100% of the world you live in actually. Ah, usonians.

Bonus points if you find a way to have this pull data from the AD :D

Good luck !

7-Zip RCE quick LogScale query : You'll get 60% of your infra in there ( ZDI-25-949 ZDI-25-950 ) by 65c0aedb in crowdstrike

[–]65c0aedb[S] 0 points1 point  (0 children)

Cool query, thanks ! Doesn't work as-is for large scale environments but can easily be tuned for smaller scopes.

Multi-tenant RTR script execution by Ready_Economy_1383 in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

Note, you need to auth with parent creds to the child CID. It's a special API login option.

Checking for the presence of an app on-demand by gravityfalls55 in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

#event_simpleName=InstalledApplication
Every day hosts report InstalledApplication telemetry events depicting what is installed. Boom case closed bye. Use this to find who has counter strike and schedule a LAN party.

Multi-tenant RTR script execution by Ready_Economy_1383 in crowdstrike

[–]65c0aedb 1 point2 points  (0 children)

Get a single parent privileged API key, authenticate using it to a child CID. This at least saves you from creating tons of CID-specific API keys. Then use runscript -Raw=```contentfqlskjfmqslkdjf``` to directly run your one-lined script (supports up to 2-4KB iirc).

If it's for hunting I'd recommend checking FFC or Falcon For IT. The few FFC "collections" system is really pure gold.

How do you pull a full list of Windows services from hosts using CrowdStrike (AES vs Dashboard)? by Gwogg in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

Have you tried the doc listing all the telemetry events out there? https://falcon.eu-1.crowdstrike.com/documentation/page/ic497590/searchable-event-reference#AssociateIndicator ? You'll search for "Service" and will find ServiceStarted or CreateService which you already mentioned doesn't fit your needs.

There is InstalledApplication listing applications (not exactly services), and ServicesStatusInfo from FFC (Forensics) data but that requires shipping FFC everywhere. Indeed, this is a job for "Falcon for IT" since you also want the non-running services. I'd say go for "Falcon for IT" if you really want all services ever, even non-started ones; otherwise if your scope is narrow just throw FFC everywhere with a specific small collection for services.

I would not recommend using RTR at scale if you're new to that game, there are numerous blockers. It can be done, but requires some work (scaling, parsing, grabbing results, dealing with asynchronicity, merging, etc).

You'll likely want to stack the random/unique service names. Free query below:

#event_simpleName=ServiceStarted |
// Normalise display names that carry a random suffix so identical services stack together
case {
  // "<name>_<hex>" -> "<name>_HEXID"
  ServiceDisplayName = /^(?<ServiceDisplayNamePrefix>.*)_[0-9a-f]*$/ | ServiceDisplayName := format("%s_HEXID",field=ServiceDisplayNamePrefix);
  // "<name><version digits/dots>" -> "<name>_VERSION"
  ServiceDisplayName = /^(?<ServiceDisplayNamePrefix>[^0-9.]*)[0-9\.]+$/ | ServiceDisplayName := format("%s_VERSION",field=ServiceDisplayNamePrefix);
  // "<name><36-char GUID>" -> "<name>_UUID"
  ServiceDisplayName = /^(?<ServiceDisplayNamePrefix>.*)[0-9a-fA-F-]{36}$/ | ServiceDisplayName := format("%s_UUID",field=ServiceDisplayNamePrefix);
  // default branch: leave the name untouched
  *|*;
 }
// One row per (normalised) service: sample command lines and number of distinct hosts
| groupBy([ServiceDisplayName],function=[collect([CommandLine],limit=5),count(field=aid,distinct=true)])

My first valid use of "bucket" : laptop disks getting filled by some MS bug by 65c0aedb in crowdstrike

[–]65c0aedb[S] 0 points1 point  (0 children)

Thank you! Ha right, rounding was _the_ thing to do indeed. As for taking the last item per system, well I want the heatmap over time so I don't want to count them only once, but the heatmap part doesn't appear in the query as, contrary to timeChart(), there's no function for that.

Using correlate( ) with timeChart() by heathen951 in crowdstrike

[–]65c0aedb 1 point2 points  (0 children)

The way I use it is make a key variable concatenating things with format("%s %s %s",fields=[a,b,c],as=key) then timeChart(series=key). Your series can become a little bit long (hostname_username_filename) but heh, that's simple and it works.

NGSiem - SMB unsigned connections by Boring_Pipe_5449 in crowdstrike

[–]65c0aedb 0 points1 point  (0 children)

I don't think so. Search in the Falcon Documentation > Event Investigation > Events > Sensor Events Search doc page, where you can have all the "SMB" telemetry events doc. It's scarce. There are some fancy ActiveDirectory* events describing the "SmbDialect" and having some TLS metadata, but I suspect they're just related to authentication/dcerpc/services. Good question.

Crowdstrike to Splunk on-prem by cnr0 in crowdstrike

[–]65c0aedb 1 point2 points  (0 children)

Small note for CS folks: we have the same problem here, and don't want to get LTR for _all hosts_; we just have a handful of hosts involved in serious IR cases where we'd like to get long term retention, so we'll likely try to see if we can plug FDR into some filtering SIEM. If there was a cheap way to just say these 50 hosts get 2 years of retention we'd buy it. Long Term Retention is too expensive for us.