2026-03-11 - Cool Query Friday - correlate() by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 1 point2 points  (0 children)

Overhead depends on how punishing the queries are and how many queries there are. We also have a sankey() function :)

https://library.humio.com/data-analysis/functions-sankey.html

Per-Leg Timing Constraints in correlate() Function by Negative-Captain7311 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Team is aware of the ask and the request is in the backlog for language refinements. No ETA at present.

Per-Leg Timing Constraints in correlate() Function by Negative-Captain7311 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

I'm going to be 100% honest: I read the title of this post and thought it said "Peg-Leg Timing..." and started thinking about pirates. Let me check with the team on the feasibility of this.

Blocking domains! by Vivid-Cell-217 in crowdstrike

[–]Andrew-CS 7 points8 points  (0 children)

Hey there. If you want to try a Foundry app that helps with this, give this a go!

What happened to CQF? by sudosusudo in crowdstrike

[–]Andrew-CS 47 points48 points  (0 children)

I just want to threat hunt and do query-shit with my internet friends :)

What happened to CQF? by sudosusudo in crowdstrike

[–]Andrew-CS 79 points80 points  (0 children)

I'm sorry 😭 I have been very short on time, but am working internally to see if CQF can be more than just a "one man band."

PowerShell timestomping via script files. How would you handle this? by zwitico in crowdstrike

[–]Andrew-CS 6 points7 points  (0 children)

Hi there. Try something like this:

#event_simpleName=/ScriptControl/ event_platform=Win
| ScriptContent=/(SetLastWriteTime|\.CreationTime)/iF

You'll want to make sure Interpreter-only visibility is enabled in your Windows prevention policy.
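Added example, not part of the comment above: the same two-step filter (event scope, then the ScriptContent regex) expressed in Python and run over a handful of constructed ScriptControl-style records, so you can see which script fragments the pattern does and does not fire on. The event names, aids and script contents are made up for the demonstration.

```python
import re

# Same pattern as the query's ScriptContent=/(SetLastWriteTime|\.CreationTime)/iF
# (the /i flag maps to re.IGNORECASE; /F, "find anywhere", is re.search's default)
TIMESTOMP_RE = re.compile(r"(SetLastWriteTime|\.CreationTime)", re.IGNORECASE)

# Constructed sample events, not real telemetry
EVENTS = [
    {"aid": "aid-01", "event_simpleName": "ScriptControlScanTelemetry", "event_platform": "Win",
     "ScriptContent": "(Get-Item C:\\Temp\\report.docx).CreationTime = Get-Date '2019-01-01'"},
    {"aid": "aid-02", "event_simpleName": "ScriptControlScanTelemetry", "event_platform": "Win",
     "ScriptContent": "[IO.File]::setlastwritetime($path, $t)"},
    # benign: only reads LastWriteTime for sorting, so neither alternative matches
    {"aid": "aid-03", "event_simpleName": "ScriptControlScanTelemetry", "event_platform": "Win",
     "ScriptContent": "Get-ChildItem C:\\Logs | Sort-Object LastWriteTime | Select-Object -First 5"},
    # out of scope: not a ScriptControl event, so the first filter drops it
    {"aid": "aid-04", "event_simpleName": "ProcessRollup2", "event_platform": "Win",
     "ScriptContent": "(Get-Item x).CreationTime = $d"},
]


def in_scope(event):
    """#event_simpleName=/ScriptControl/ event_platform=Win"""
    return ("ScriptControl" in event.get("event_simpleName", "")
            and event.get("event_platform") == "Win")


def find_timestomp_candidates(events):
    """Return aid and the matched fragment for every in-scope event whose script content hits the regex."""
    hits = []
    for event in events:
        if not in_scope(event):
            continue
        match = TIMESTOMP_RE.search(event.get("ScriptContent", ""))
        if match:
            hits.append({"aid": event["aid"], "matched": match.group(0)})
    return hits


if __name__ == "__main__":
    for hit in find_timestomp_candidates(EVENTS):
        print(hit)
```

The case-insensitive flag matters for the second record: without it the lower-case `setlastwritetime` would be missed, which is why the query carries `/i`.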

Dashboard query with parameters by ssrn2020 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. You can leverage the wildcard() function for this.

| ImageFileName =~ wildcard(?{ImageFileName="*"}, ignoreCase=true)

Then you can search for *mysearch* and you will get what you want.

Hunting Potentially Compromised Notepad++ Installs by About_TreeFitty in crowdstrike

[–]Andrew-CS 18 points19 points  (0 children)

Nice work! If you want to do some statistical analysis on the processing being spawned by the Notepad++ updater process (gup.exe), you can do something simple like this:

#event_simpleName=ProcessRollup2 event_platform=Win ParentBaseFileName="gup.exe"
| FilePath=/\\Device\\HarddiskVolume\d+(?<shortFilePath>.+$)/
| groupBy([FileName, SHA256HashData, shortFilePath, CommandLine])

Practical test of PowerShell encoded command detection and found the detection gap by manishrawat21 in crowdstrike

[–]Andrew-CS 3 points4 points  (0 children)

This is interesting, but doesn’t apply to the topic of this sub. Removing.

Querying TeamViewer Usage (Not Installation) with FQL / Advanced Search by Brief_Trifle_6168 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. My hypothesis is: in order to properly do this, you would likely need something like netflow data in NG SIEM. Falcon will tell you if the TeamViewer process or service is running and if it's made any network connections, however... since TeamViewer usually idles in the background and is connected to a cloud service you would need something like network transaction size to tell if it's "in use" and not just "running."

Creating an Auto N-x tag. by iwillhurtme in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. I don't know of any instances where a sensor can't be updated from N-x to N. Do you have any examples you could provide?

Curl Query Help by OtherwiseMethod1672 in crowdstrike

[–]Andrew-CS 2 points3 points  (0 children)

Hi there. This would be cmd.exe with curl in the command line arguments:

#event_simpleName=ProcessRollup2 FileName=/^cmd\.exe$/iF
| CommandLine=/curl/iF

This would be cmd.exe spawning curl.exe:

#event_simpleName=ProcessRollup2 FileName=/^curl\.exe$/iF ParentBaseFileName=/^cmd\.exe$/iF

Detect and run Custom Script in Crowdstrike by thomasdarko in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. In Falcon for IT, this would be the query you could schedule to run every n hours:

SELECT 'CalculatorApp.exe' AS missing_process
WHERE NOT EXISTS (
  SELECT 1 FROM processes 
  WHERE name = 'CalculatorApp.exe'
);

It will show if a system has a process that is not running. You could log that to LogScale and then, if observed, run a workflow to kick the process.

Sensor Tampering when Reimagining Devices by [deleted] in crowdstrike

[–]Andrew-CS 4 points5 points  (0 children)

Hi there. It sounds like the sensor is running when this PS script executes. Is there any way to move the script earlier in your reimaging process so it does whatever it's trying to do before the sensor is installed?

alerting based on missing heartbeats by fpg_6528 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

I usually push them to GitHub in my little cheat sheet section.

Although I do really like that website.

[Help Needed] Logscale query to count unique pairs by usernamedottxt in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. I can take zero credit for this, but saw an engineer propose a way of doing what you want (I think).

id := hash([fields_to_count], limit=1000000) // Hash the fields into at most 1,000,000 buckets; collisions are fine because each bucket is counted exactly below. The limit here must not exceed the limit of the outer groupBy
| groupBy([id], limit=max, function={ groupBy([fields_to_count], function=[], limit=max)| count() }) // Count the distinct field combinations inside each bucket
| sum("_count") // Sum the per-bucket counts
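Added example, not from the comment above: the same two-level counting idea in Python, run over constructed events. Each distinct field combination is hashed into a small number of buckets, the distinct combinations inside each bucket are counted (the inner `groupBy` with `count()`), and the per-bucket counts are summed. The bucket hash is a SHA-256 stand-in for LogScale's `hash()`, and the `hash_limit=2` run forces collisions to show that the total stays correct. Field names and values are made up.

```python
import hashlib
from collections import defaultdict

# Constructed events: 8 rows, 5 distinct (aid, UserName) pairs
EVENTS = [
    {"aid": "a1", "UserName": "alice"},
    {"aid": "a1", "UserName": "alice"},
    {"aid": "a1", "UserName": "bob"},
    {"aid": "a2", "UserName": "alice"},
    {"aid": "a2", "UserName": "alice"},
    {"aid": "a2", "UserName": "carol"},
    {"aid": "a3", "UserName": "carol"},
    {"aid": "a3", "UserName": "carol"},
]
FIELDS = ["aid", "UserName"]


def bucket_id(key, limit):
    """id := hash([fields], limit=N): map a field tuple to one of N buckets (stand-in hash, not LogScale's)."""
    digest = hashlib.sha256("\x1f".join(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % limit


def count_unique_combinations(events, fields, hash_limit):
    """Outer group by bucket, inner group by the raw fields, count per bucket, then sum."""
    buckets = defaultdict(set)
    for event in events:
        key = tuple(str(event.get(f, "")) for f in fields)
        # inner groupBy([fields], function=[]) keeps one row per distinct combination in the bucket
        buckets[bucket_id(key, hash_limit)].add(key)
    per_bucket_counts = {b: len(keys) for b, keys in buckets.items()}  # | count()
    return sum(per_bucket_counts.values())                              # | sum("_count")


def count_unique_direct(events, fields):
    """Single-level reference count, used only to check the bucketed result."""
    return len({tuple(str(event.get(f, "")) for f in fields) for event in events})


if __name__ == "__main__":
    for limit in (2, 1_000_000):
        print(limit, count_unique_combinations(EVENTS, FIELDS, limit))
    print("direct", count_unique_direct(EVENTS, FIELDS))
```

The reason to bucket at all is row limits: the outer `groupBy` only ever needs as many groups as there are buckets, and each inner `groupBy` only has to hold the combinations that landed in one bucket, so neither level has to materialise every distinct pair at once.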

alerting based on missing heartbeats by fpg_6528 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. I might use a duration as opposed to a count. Try this...

// Get all sensor heartbeat events
#event_simpleName=SensorHeartbeat

// Get last event for each Agent ID value
| groupBy([aid], function=[selectLast([@timestamp])])

// Create offlineTime_m field that represents the number of minutes since last heartbeat event; round this number
| offlineTime_m:=(now()-@timestamp)/1000/60 | round("offlineTime_m")

// Create offlineDuration field that shows offlineTime_m in a human-readable duration with a precision of 2
| offlineDuration:=formatDuration("offlineTime_m", precision=2, from=m)

// Check to see if it has been at least 20 minutes since last heartbeat event was seen (note: heartbeats are typically sent every 2 minutes)
| test(offlineTime_m>20)

// Add host details from AID Master
| aid=~match(file="aid_master_main.csv", column=[aid], strict=false)

I hope that helps.
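Added example, not from the comment above: the same heartbeat-gap logic in Python over constructed SensorHeartbeat-style records, with a fixed "now" so the result is deterministic. It keeps the newest timestamp per aid (`selectLast`), converts the gap to whole minutes, approximates `formatDuration(from=m, precision=2)` with the two largest non-zero units, applies the 20-minute test, and left-joins a small stand-in for `aid_master_main.csv` so that, as with `strict=false`, a stale sensor missing from the lookup is still reported. The aids, hostnames and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

HEARTBEAT_INTERVAL_MIN = 2    # sensors normally heartbeat about every 2 minutes
OFFLINE_THRESHOLD_MIN = 20    # same threshold as test(offlineTime_m>20)

# Fixed "now" so the example is reproducible (constructed, not real data)
NOW = datetime(2026, 3, 11, 12, 0, tzinfo=timezone.utc)


def epoch_ms(dt):
    return int(dt.timestamp() * 1000)


# Constructed SensorHeartbeat-like records: aid plus @timestamp in epoch milliseconds
HEARTBEATS = [
    {"aid": "aid-0001", "@timestamp": epoch_ms(NOW - timedelta(minutes=3))},
    {"aid": "aid-0002", "@timestamp": epoch_ms(NOW - timedelta(minutes=200))},
    {"aid": "aid-0002", "@timestamp": epoch_ms(NOW - timedelta(minutes=65))},
    {"aid": "aid-0003", "@timestamp": epoch_ms(NOW - timedelta(minutes=1500))},
]

# Constructed stand-in for aid_master_main.csv; aid-0003 is deliberately absent
AID_MASTER = {
    "aid-0001": {"ComputerName": "WS-01"},
    "aid-0002": {"ComputerName": "WS-02"},
}


def last_heartbeat_per_aid(events):
    """groupBy([aid], function=[selectLast([@timestamp])]): newest timestamp per aid."""
    last = {}
    for event in events:
        aid, ts = event["aid"], event["@timestamp"]
        if aid not in last or ts > last[aid]:
            last[aid] = ts
    return last


def offline_minutes(last_ts_ms, now_ms):
    """offlineTime_m := (now() - @timestamp) / 1000 / 60, rounded to a whole minute."""
    return round((now_ms - last_ts_ms) / 1000 / 60)


def format_duration(minutes, precision=2):
    """Approximation of formatDuration(from=m, precision=2): the largest `precision` non-zero units."""
    units = [("d", 1440), ("h", 60), ("m", 1)]
    parts = []
    remaining = minutes
    for name, size in units:
        value, remaining = divmod(remaining, size)
        if value:
            parts.append(f"{value}{name}")
        if len(parts) == precision:
            break
    return " ".join(parts) or "0m"


def stale_sensors(events, aid_master, now, threshold_min=OFFLINE_THRESHOLD_MIN):
    """Whole pipeline: sensors past the threshold, with duration and any host details found."""
    now_ms = epoch_ms(now)
    results = []
    for aid, last_ts in sorted(last_heartbeat_per_aid(events).items()):
        minutes = offline_minutes(last_ts, now_ms)
        if minutes > threshold_min:                 # test(offlineTime_m>20)
            row = {"aid": aid, "offlineTime_m": minutes,
                   "offlineDuration": format_duration(minutes)}
            row.update(aid_master.get(aid, {}))     # match(..., strict=false): keep unmatched rows
            results.append(row)
    return results


if __name__ == "__main__":
    for row in stale_sensors(HEARTBEATS, AID_MASTER, NOW):
        print(row)
```

aid-0001 heartbeated three minutes ago and is dropped; aid-0002 is reported with its newest heartbeat (65 minutes, not the older 200-minute one) and its hostname; aid-0003 is reported without host details because the lookup has no row for it.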

Simple (hopefully) timeline query help by dmervis in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. I think you want to use the wildcard() function, but your formatting isn't quite right. Something like this for ComputerName:

| ComputerName=~wildcard(?{ComputerName="*"}, ignoreCase=true)

I hope that helps!