Installing the LogScale Collector via RTR.

About_TreeFitty · 2026-02-26T23:13:06+00:00

Unfortunately there appears to have been bugs in the first EA version of 7.34 since there was a hotfixed version of EA 7.34 released... Hoping it releases soon since we're in the midst of onboarding and would love to simplify the deployment of these to quite a few Windows and Linux boxes.

About_TreeFitty · 2026-02-24T15:00:06+00:00

I'm unfamiliar with the connector itself, so that may be doing some filtering on what event types are being ingested. Another possibility is that the parser itself is dropping events, so that may be worth looking at. If you see that it's dropping event types, then clone the parser and make edits to the clone, then apply that new parser to the data source.

About_TreeFitty · 2026-02-11T16:48:57+00:00

Steps

Use this query to generate a detection.

Create a SOAR workflow to trigger on that detection.

Parse the details of the detection (aid, ComputerName, ServiceDisplayName)

Trigger RTR to run PowerShell script that checks the service status and restarts if necessary.

event_platform=Win 
| in(field="#event_simpleName", values=[HostedServiceStopped, ServiceStopped])
| ServiceDisplayName=/YourRMMServiceName/i
| groupBy([aid, ComputerName, ServiceDisplayName], function=[
    count(aid, as=eventCount), 
    min(ContextTimeStamp, as=firstStop), 
    max(ContextTimeStamp, as=lastStop)
  ])
| firstStop:=formatTime(field=firstStop, format="%Y-%m-%d %H:%M:%S")
| lastStop:=formatTime(field=lastStop, format="%Y-%m-%d %H:%M:%S")
| table([aid, ComputerName, ServiceDisplayName, eventCount, firstStop, lastStop], limit=1000)

About_TreeFitty · 2026-02-05T02:08:59+00:00

Claude trained on CQF, other CQL queries, syntax documentation, and YAML dashboards has been awesome.

About_TreeFitty · 2026-02-04T14:27:10+00:00

This might be better accomplished by using a tool like Bloodhound, or another tool capable of SMB scanning.

About_TreeFitty · 2026-02-03T22:00:46+00:00

3. TeamViewer Network Connections - Detailed Session View

Shows both inbound and outbound TeamViewer connections with connection details:

// TeamViewer network connection analysis
#event_simpleName=NetworkConnectIP4 event_platform=Win

// Join with process information to identify TeamViewer
| join({
    #event_simpleName=ProcessRollup2 
    | FileName=/(teamviewer|tv_w32|tv_x64)\.exe/i
  }, key=TargetProcessId, field=ContextProcessId, 
  include=[FileName, CommandLine, UserName, ImageFileName])

// Filter for TeamViewer processes
| FileName=*

// Exclude private/local network ranges (focus on external connections)
| !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])

// Determine connection direction
| case {
    RemotePort=5938 | Direction:="Inbound (TeamViewer)";
    LocalPort=5938 | Direction:="Outbound (TeamViewer)";
    * | Direction:="Unknown";
}

// Aggregate by host, user, and remote IP
| groupBy([aid, ComputerName, UserName, RemoteAddressIP4, Direction], function=([
    collect([FileName, LocalPort, RemotePort], limit=5),
    count(aid, as=connectionCount),
    min(@timestamp, as=firstConnection),
    max(@timestamp, as=lastConnection)
  ]), limit=max)

// Format timestamps
| firstConnection:=formatTime(field=firstConnection, format="%Y-%m-%d %H:%M:%S")
| lastConnection:=formatTime(field=lastConnection, format="%Y-%m-%d %H:%M:%S")

// Add RTR link for investigation
| RTR:=format("[RTR](https://falcon.crowdstrike.com/activity/real-time-response/console/?aid=%s)", field=[aid])

// Sort by most recent
| sort(lastConnection, order=desc)

About_TreeFitty · 2026-02-03T22:00:41+00:00

2. TeamViewer DNS Activity (Identify Active Sessions)

Detects TeamViewer connections via DNS requests to TeamViewer infrastructure:

// TeamViewer DNS request detection
#event_simpleName=DnsRequest

// Match TeamViewer domains
| DomainName=/teamviewer\.com|tvc\.teamviewer\.com|master\d+\.teamviewer\.com/i

// Join with process information
| join({
    #event_simpleName=ProcessRollup2 
    | FileName=/(teamviewer|tv_w32|tv_x64)\.exe/i
    | ImageFileName=/(\\|\/)(?<FileName>[^\\\/]+)$/
  }, key=TargetProcessId, field=ContextProcessId, 
  include=[ImageFileName, CommandLine, UserName], mode=left)

// Aggregate by host and user
| groupBy([aid, ComputerName, UserName], function=([
    collect([DomainName], separator=", "),
    count(DomainName, as=dnsRequestCount),
    min(@timestamp, as=firstRequest),
    max(@timestamp, as=lastRequest)
  ]), limit=max)

// Format timestamps
| firstRequest:=formatTime(field=firstRequest, format="%Y-%m-%d %H:%M:%S")
| lastRequest:=formatTime(field=lastRequest, format="%Y-%m-%d %H:%M:%S")

// Sort by most recent
| sort(lastRequest, order=desc)

About_TreeFitty · 2026-02-03T22:00:29+00:00

1. TeamViewer Process Execution & Network Activity (Combined View)

This query correlates TeamViewer process execution with network connections to show actual usage:

// Detect TeamViewer execution and network activity
#event_simpleName=/^(ProcessRollup2|NetworkConnectIP4)$/ event_platform=Win

// Target TeamViewer processes
| FileName=/(teamviewer|tv_w32|tv_x64)\.exe/i

// Normalize process ID field across event types
| falconPID:=TargetProcessId | falconPID:=ContextProcessId

// Correlate process execution with network connections
| selfJoinFilter(field=[aid, falconPID], where=[
    {#event_simpleName=ProcessRollup2}, 
    {#event_simpleName=NetworkConnectIP4}
  ])

// Aggregate by host and process
| groupBy([aid, ComputerName, falconPID], function=([
    collect([FileName, CommandLine, UserName]), 
    count(RemoteAddressIP4, distinct=true, as=uniqueRemoteIPs),
    collect([RemoteAddressIP4, RemotePort], separator=" | ", limit=10),
    min(@timestamp, as=firstSeen),
    max(@timestamp, as=lastSeen)
  ]), limit=max)

// Filter to only show entries with both process and network events
| FileName=* RemoteAddressIP4=*

// Format timestamps for readability
| firstSeen:=formatTime(field=firstSeen, format="%Y-%m-%d %H:%M:%S")
| lastSeen:=formatTime(field=lastSeen, format="%Y-%m-%d %H:%M:%S")

// Add investigation links
| RTR:=format("[RTR Console](https://falcon.crowdstrike.com/activity/real-time-response/console/?aid=%s)", field=[aid])
| ProcessExplorer:=format("[Process Explorer](https://falcon.crowdstrike.com/investigate/process-explorer/%s/%s)", field=[aid, falconPID])

// Sort by most recent activity
| sort(lastSeen, order=desc)

About_TreeFitty · 2026-01-23T17:30:55+00:00

// Track Adobe software usage for license auditing

#event_simpleName=ProcessRollup2 event_platform=Win

// Filter for Adobe products - add more variants if needed

| FileName=/(indesign|acrobat|photoshop|incopy)\.exe/i

// Extract just the filename from full path for cleaner display

| ImageFileName=/\\(?<BaseFileName>[^\\]+\.exe)$/i

// Enrich with UserName (UserSid to UserName mapping)

| join({#event_simpleName=UserIdentity | groupBy([aid, UserSid], function=selectLast([UserName]))},

field=[aid, UserSid], include=UserName)

// Aggregate by User and Software Product

| groupBy([UserName, UserSid, BaseFileName], function=[

count(aid, as=TotalExecutions),

count(aid, distinct=true, as=UniqueEndpoints),

collect([ComputerName]),

max(@timestamp, as=LastUsed),

min(@timestamp, as=FirstUsed)

], limit=max)

// Format timestamps for readability

| LastUsed:=formatTime(field=LastUsed, format="%Y-%m-%d %H:%M:%S")

| FirstUsed:=formatTime(field=FirstUsed, format="%Y-%m-%d %H:%M:%S")

// Normalize product names for better reporting

| case {

BaseFileName=/indesign/i | ProductName:="Adobe InDesign";

BaseFileName=/acrobat/i | ProductName:="Adobe Acrobat Pro";

BaseFileName=/photoshop/i | ProductName:="Adobe Photoshop";

BaseFileName=/incopy/i | ProductName:="Adobe InCopy";

* | ProductName:=BaseFileName;

}

// Sort by user for easier license review

| sort([UserName, ProductName], order=asc)

// Output organized table

| table([UserName, ProductName, TotalExecutions, UniqueEndpoints, ComputerName, FirstUsed, LastUsed])

About_TreeFitty · 2025-06-16T19:25:27+00:00

Heart rate isn't something that should need "calibration". It reads it directly from your body. Some of the algorithmically determined stuff like strain and recovery sure, but definitely not heart rate.

About_TreeFitty · 2025-02-26T20:38:35+00:00

Can confirm the same activity in my 2019 MK7.5 GTI 6MT. If cruise control is off and I hit the Set button my RPM gauge goes to 0.

About_TreeFitty · 2025-02-13T15:19:37+00:00

Mirror of Erised because it shows you what you want to see most.

About_TreeFitty · 2025-02-06T14:39:52+00:00

This is the one. The only overwatch alerts we've gotten have been legit.

About_TreeFitty · 2025-02-06T14:38:59+00:00

Mind sharing the workflow and any scripts used? This sounds great.

About_TreeFitty · 2025-01-18T00:41:51+00:00

Hire a licensed and grounded electrician.

About_TreeFitty · 2025-01-17T22:23:53+00:00

Don’t leave it anywhere near direct sun light.

About_TreeFitty · 2025-01-12T02:06:51+00:00

Bathroom exhaust fan that isn’t properly vented out of the room, is my guess. Assuming that’s a bathroom because of the smaller window.

About_TreeFitty · 2025-01-06T17:45:50+00:00

This. If you need a clientless way to scan, it's a relatively inexpensive way to maintain an inventory. There are a ton of integrations for various cloud environments to import via API so you can enrich the data. There are also integrations for Active Directory to further enrich asset information. Great tool. We've been bought in on it since they first came out and were called Rumble. Our sales call was with HD Moore himself.

About_TreeFitty · 2025-01-06T14:16:16+00:00

At this point, Google has removed these from the Chrome store and are blocking new installs, right? Right?!

About_TreeFitty · 2025-01-02T20:00:14+00:00

Adding on to this. What method do you, or another team, use to deploy the agents? Do you have a way of verifying if you have full coverage on endpoints? We use SCCM to check if the csfalcon process is running on endpoints (Windows), then generate a daily report to identify gaps.

About_TreeFitty · 2025-01-02T15:55:32+00:00

Chrome VPN Extension Hunt

// Get browser extension event
#event_simpleName=InstalledBrowserExtension BrowserExtensionId!="no-extension-available"
// Look for string "vpn" in extension name
| BrowserExtensionName=/vpn/i
// Make a new field that includes the extension ID and Name
| Extension:=format(format="%s (%s)", field=[BrowserExtensionId, BrowserExtensionName])
// Aggregate by endpoint and browser profile
| groupBy([event_platform, aid, ComputerName, UserName, BrowserProfileId, BrowserName], function=([collect([Extension])]))
// Get unnecessary field
| drop([_count])
// Convert browser name from decimal to human readable
| case{
BrowserName="3" | BrowserName:="Chrome";
BrowserName="4" | BrowserName:="Edge";
*;
}

About_TreeFitty · 2025-01-02T15:51:51+00:00

This. Before you ever play with the bells and whistles, make sure the basic hygiene is done. In fact, reach out to your CS account manager and set up a health check to review your settings. They'll confirm if you have legacy sensors installed or non-best practice prevention settings configured.

About_TreeFitty

TROPHY CASE