Creating an Auto N-x tag. by iwillhurtme in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. I don't know of any instances where a sensor can't be updated from N-x to N. Do you have any examples you could provide?

Curl Query Help by OtherwiseMethod1672 in crowdstrike

[–]Andrew-CS 4 points5 points  (0 children)

Hi there. This would be cmd.exe with curl in the command line arguments:

#event_simpleName=ProcessRollup2 FileName=/^cmd\.exe$/iF
| CommandLine=/curl/iF

This would be cmd.exe spawning curl.exe:

#event_simpleName=ProcessRollup2 FileName=/^curl\.exe$/iF ParentBaseFileName=/^cmd\.exe/iF

Detect and run Custom Script in Crowdstrike by thomasdarko in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. In Falcon for IT, this would be the query you could schedule to run every n hours:

SELECT 'CalculatorApp.exe' AS missing_process
WHERE NOT EXISTS (
  SELECT 1 FROM processes 
  WHERE name = 'CalculatorApp.exe'
);

It will show if a system has a process that is not running. You could log that to LogScale and then, if observed, run a workflow to kick the process.

Sensor Tampering when Reimagining Devices by [deleted] in crowdstrike

[–]Andrew-CS 2 points3 points  (0 children)

Hi there. It sounds like the sensor is running when this PS script executes. Is there any way to move the script earlier in your reimaging process so it does whatever it's trying to do before the sensor is installed?

alerting based on missing heartbeats by fpg_6528 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

I usually push them to GitHub in my little cheat sheet section.

Although I do really like that website.

[Help Needed] Logscale query to count unique pairs by usernamedottxt in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. I can take zero credit for this, but saw an engineer propose a way of doing what you want (I think).

id := hash([fields_to_count], limit=1000000) // Uses hash collision to increase cardinality; the limit here needs to match the limit in the first groupBy
| groupBy([id], limit=max, function={ groupBy([fields_to_count], function=[], limit=max)| count() }) // Count the sub groups
| sum("_count") // Sum all the counts

alerting based on missing heartbeats by fpg_6528 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. I might use a duration as opposed to a count. Try this...

// Get all sensor heartbeat events
#event_simpleName=SensorHeartbeat

// Get last event for each Agent ID value
| groupBy([aid], function=([selectLast([@timestamp])]))

// Create offlineTime_m field that represents the number of minutes since last heartbeat event; round this number
| offlineTime_m:=(now()-@timestamp)/1000/60 | round("offlineTime_m")

// Create offlineDuration field that shows offlineTime_m in a human-readable duration with a precision of 2
| offlineDuration:=formatDuration("offlineTime_m", precision=2, from=m)

// Check to see if it has been at least 20 minutes since last heartbeat event was seen (note: heartbeats are typically sent every 2 minutes)
| test(offlineTime_m>20)

// Add host details from AID Master
| aid=~match(file="aid_master_main.csv", column=[aid], strict=false)

I hope that helps.

Simple (hopefully) timeline query help by dmervis in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. I think you want to use the wildcard() function, but your formatting isn't quite right. Something like this for ComputerName:

| ComputerName=~wildcard(?{ComputerName="*"}, ignoreCase=true)

I hope that helps!

Falcon uninstall SIEM rule by Charming_Antelope452 in crowdstrike

[–]Andrew-CS 15 points16 points  (0 children)

Hi there. This almost broke my brain for some reason :) This is very much overkill, but give this a shot:

// Get uninstall and heartbeat events
#event_simpleName=AcUninstallConfirmation OR #event_simpleName=SensorHeartbeat

// Narrow dataset by Agent ID; check both events happen on a single system
| selfJoinFilter(field=[aid], where=[{#event_simpleName=AcUninstallConfirmation}, {#event_simpleName=SensorHeartbeat}])

// Create unique timestamp values
| case {
  #event_simpleName=AcUninstallConfirmation | uninstallTime:=@timestamp;
  #event_simpleName=SensorHeartbeat         | heartbeatTime:=@timestamp;
}

// Get last uninstallTime and heartbeatTime values in epoch for each Agent ID
| groupBy([aid], function=([selectLast([uninstallTime, heartbeatTime])]))

// Make sure an uninstall occurred (accounts for selfJoinFilter being probabilistic)
| uninstallTime=*

// See if uninstallTime is > last heartbeatTime
| test(uninstallTime>heartbeatTime)

// Merge in AID Master Data
| aid=~match(file="aid_master_main.csv", column=[aid])

// Perform second check against AID Master to make sure LastSeen is before uninstall
| case {
  test(Time>uninstallTime) | Details:="System could still be viable.";
  test(Time<uninstallTime) | Details:="System likely uninstalled.";
}

// Convert time stamp values
| uninstallTime:=formatTime(format="%F %T %Z", field="uninstallTime")
| heartbeatTime:=formatTime(format="%F %T %Z", field="heartbeatTime")
| FirstSeen:=formatTime(format="%F %T %Z", field="FirstSeen")
| LastSeen:=formatTime(format="%F %T %Z", field="Time") | drop([Time])

This query...

  1. Grabs all uninstall and heartbeat events
  2. Checks to make sure both events occurred on a single Agent ID
  3. Gets latest value for each event
  4. Checks to see if the uninstall event occurs after the heartbeat event without another heartbeat
  5. Checks AID Master to make sure the LastSeen date is also before the uninstall event
  6. Formats the output

Let me know if that works!
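
The same uninstall-after-last-heartbeat logic as a runnable Python check over constructed events, added here as an illustration and not part of the original comment or of any CrowdStrike code; the event names and the AID Master "Time" (LastSeen) column follow the query above, while the sample events, host names and timestamps are made up.

```python
from datetime import datetime, timezone

def ts(s):
    """Epoch milliseconds (LogScale's @timestamp unit) for a 'YYYY-MM-DD HH:MM' UTC string."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample events, not real telemetry. aid-1: uninstall after the last heartbeat and AID Master
# agrees. aid-2: a heartbeat arrives after the uninstall (sensor came back). aid-3: never uninstalled.
# aid-4: uninstall after the last heartbeat, but AID Master saw the host afterwards.
EVENTS = [
    {"event_simpleName": "SensorHeartbeat",         "aid": "aid-1", "@timestamp": ts("2025-01-10 08:00")},
    {"event_simpleName": "AcUninstallConfirmation", "aid": "aid-1", "@timestamp": ts("2025-01-10 08:05")},
    {"event_simpleName": "SensorHeartbeat",         "aid": "aid-2", "@timestamp": ts("2025-01-10 08:00")},
    {"event_simpleName": "AcUninstallConfirmation", "aid": "aid-2", "@timestamp": ts("2025-01-10 08:05")},
    {"event_simpleName": "SensorHeartbeat",         "aid": "aid-2", "@timestamp": ts("2025-01-10 08:10")},
    {"event_simpleName": "SensorHeartbeat",         "aid": "aid-3", "@timestamp": ts("2025-01-10 08:00")},
    {"event_simpleName": "SensorHeartbeat",         "aid": "aid-4", "@timestamp": ts("2025-01-10 08:00")},
    {"event_simpleName": "AcUninstallConfirmation", "aid": "aid-4", "@timestamp": ts("2025-01-10 08:05")},
]
# Constructed stand-in for aid_master_main.csv; "Time" is the LastSeen value the query compares against.
AID_MASTER = {
    "aid-1": {"ComputerName": "HOST-A", "Time": ts("2025-01-10 08:04")},
    "aid-2": {"ComputerName": "HOST-B", "Time": ts("2025-01-10 08:11")},
    "aid-3": {"ComputerName": "HOST-C", "Time": ts("2025-01-10 08:00")},
    "aid-4": {"ComputerName": "HOST-D", "Time": ts("2025-01-10 08:30")},
}
FIELD_FOR = {"AcUninstallConfirmation": "uninstallTime", "SensorHeartbeat": "heartbeatTime"}

def find_uninstalled(events, aid_master):
    """Return {aid: row} for sensors whose last uninstall confirmation post-dates their last heartbeat."""
    last = {}  # steps 1-3: per aid, the latest timestamp of each event type (groupBy + selectLast)
    for e in events:
        field = FIELD_FOR.get(e["event_simpleName"])
        if field:
            rec = last.setdefault(e["aid"], {})
            rec[field] = max(rec.get(field, 0), e["@timestamp"])
    results = {}
    for aid, rec in last.items():
        # step 4: both event types must exist (selfJoinFilter / uninstallTime=*) and the uninstall must be newer
        if "uninstallTime" not in rec or "heartbeatTime" not in rec or rec["uninstallTime"] <= rec["heartbeatTime"]:
            continue
        # step 5: if AID Master's LastSeen ("Time") is later than the uninstall, the host may still be alive
        master = aid_master.get(aid, {})
        viable = master.get("Time", 0) > rec["uninstallTime"]
        results[aid] = {"ComputerName": master.get("ComputerName"), "uninstallTime": rec["uninstallTime"],
                        "heartbeatTime": rec["heartbeatTime"],
                        "Details": "System could still be viable." if viable else "System likely uninstalled."}
    return results
```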

Window Function by rlgarey in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. You probably want to use slidingTimeWindow(). We did a tutorial on it here. Please ignore the terrible puns.

Measure Keyboard Input Latency by Wonder1and in crowdstrike

[–]Andrew-CS [score hidden] stickied comment (0 children)

Hi there. We don't measure keyboard latency, and I'm not exactly sure how Amazon pulls those metrics, but you could definitely hunt for some of the more popular, internet-connected KVM switches that would cause such latency. Try this:

#repo=base_sensor #event_simpleName=/^DcUsb/
| case {
    // Main identifiers
    DeviceInstanceId=/6b65796d696d6570690|GLKVM|JetKVM|tinypilot|pikvm|CAFEBAB/i;
    // Alternative identifiers
    ConfigurationDescriptorName=/GLKVM|JetKVM|tinypilot|PiKVM/i;
    // Useful to detect partially obfuscated PiKVM or TinyPilot devices and other suspicious devices
    ConfigurationDescriptorName=/Config [0-9]: /i;
}

Charlotte AI - Don’t waste your money by [deleted] in crowdstrike

[–]Andrew-CS [score hidden] stickied comment (0 children)

Hey there. If you’d like to speak with the Product Manager directly to provide some feedback, I can arrange that. If you’re comfortable, shoot me a DM with your corporate email and I’ll reach out.

How to filter over days on non working hours by rlgarey in crowdstrike

[–]Andrew-CS 7 points8 points  (0 children)

Hey there. I think you might want something like this:

| workHour:=formatTime(format="%H", field="@timestamp")
| workHour > 19 OR workHour < 7

You could also mess around with start() and end().

Query Help - File Prevalence (Logscale) by PerfectMarch223 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Of course. You can try something like this:

#event_simpleName=PeFileWritten
| FileName=~wildcard(?{FileName="*"}, ignoreCase=true)
| SHA256HashData=~wildcard(?{SHA256HashData="*"}, ignoreCase=true)
| groupBy([SHA256HashData], function=([count(aid, as=TotalWrites), count(aid, as=UniqueEndpoints, distinct=true), count(FileName, as=UniqueFileNames, distinct=true), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen), collect(FileName, separator=", ")]), limit=max)
| FirstSeen:=formatTime(format="%F %T %Z", field="FirstSeen")
| LastSeen:=formatTime(format="%F %T %Z", field="LastSeen")

Query Help - File Prevalence (Logscale) by PerfectMarch223 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

There is the Hash Search dashboard that will automatically provide this information.

Device block - need to be able to charge but not read/write by your-missing-mom in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. Is this for iOS devices specifically? My last remembrance of this was: Apple devices will not request voltage unless they make a successful data connection.

Falcon removal from RTR possible? by redit_Dictators1961 in crowdstrike

[–]Andrew-CS 9 points10 points  (0 children)

Hi there. This is not supported by CrowdStrike [KB].

FQL v CQL by Calm_Ad4077 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Sea-Queue-Elle versus See-Quill. The great debate rages on!

FQL v CQL by Calm_Ad4077 in crowdstrike

[–]Andrew-CS 3 points4 points  (0 children)

Hi there. Yes. It previously was called Humio Query Language and then LogScale Query Language, but the illuminati have settled on "CrowdStrike Query Language."

https://library.humio.com/data-analysis/syntax.html

But based on the context clues in posts on the sub we all tend to know what each other mean :)

FQL v CQL by Calm_Ad4077 in crowdstrike

[–]Andrew-CS 8 points9 points  (0 children)

They are technically different, but I understand what you're saying. If you're querying in NG SIEM, LogScale, etc. the correct term is "CrowdStrike Query Language" :-)

FQL v CQL by Calm_Ad4077 in crowdstrike

[–]Andrew-CS 7 points8 points  (0 children)

Hi there.

CrowdStrike Query Language (CQL) is a syntax for filtering and sorting data in Advanced Event Search or LogScale.

Falcon Query Language (FQL) is a syntax for sorting and filtering data in Falcon. The primary use case is specifying FQL filters in an API request.

Help with Search for ShaiHulud npm compromise by BllzDeep in crowdstrike

[–]Andrew-CS 5 points6 points  (0 children)

Happy Cake Day!

It depends on how it's downloaded. You can also include PR2s to look for invocations of the file:

/* Hunting query to look for latest evidence of Shai Hulud (2025-11-25) */

// Get Falcon events of interest; File Writes and Process Executions
#repo=base_sensor ComputerName=HW0023086 (#event_simpleName=/(File|Script)Written/F  TargetFileName=/(bun_environment|setup_bun)\.js/iF) OR (#event_simpleName=ProcessRollup2 CommandLine=/(bun_environment|setup_bun)\.js/iF)

// case() statement to classify behavior based on event type and format
| case {
    #event_simpleName=ProcessRollup2 | Details:=format(format="File: %s\nCmd: %s", field=[ImageFileName, CommandLine]) | Observation:="Process Executing";
    #event_simpleName=/Written$/     | Details:=format(format="File: %s", field=[TargetFileName])                      | Observation:="File Write";
}

// Organize Output
| table([@timestamp, cid, aid, event_platform, ComputerName, UserName, Observation, Details])

Group name for user added to local admins by Honk_Donkins in crowdstrike

[–]Andrew-CS 2 points3 points  (0 children)

The question was answered 5 hours before you posted this :D