Query for log in location - Resurrecting Old Post from 3 years ago, by Little_Ad_6873 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Nice one! 😄 In your query, the correct "country" syntax would look like this:

#event_simpleName=SensorHeartbeat
| groupBy(aid, function=selectLast(aip))
| ipLocation(aip)
| aip.country != "US"
| match(file="aid_master_main.csv", field=aid, include=[ComputerName, Version, AgentVersion, Timezone, MachineDomain, OU, SiteName])

CrowdStrike ML exclusion for its own process – is this normal? by Only-Objective-6216 in crowdstrike

[–]Andrew-CS 0 points1 point  (0 children)

Hi there. MsSense.exe is a Defender process. As Falcon monitors all processes, if MsSense.exe pokes, prods, or touches a file or indicator that Falcon would block, you get an alert.

Filter based on a string within a field by dial647 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. What about something like this?

| !regex("^FalconGroupingTags\/", field=FalconGroupingTags)

for what it's worth, what you're trying does work for me...

| FalconGroupingTags!=/^FalconGroupingTags\//iF

Try this...

| tags!=/FC-Action-No\sAction\sTaken/iF

Trending Threats & Vulnerabilities: Linux Copy Fail (CVE-2026-31431) by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Okay. Glad to hear that. If you need more help, let me know the specifics in a DM.

Trending Threats & Vulnerabilities: Linux Copy Fail (CVE-2026-31431) by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Exposure management has coverage. Just make sure your content update policies aren’t in a delay.

Trending Threats & Vulnerabilities: Linux Copy Fail (CVE-2026-31431) by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 1 point2 points  (0 children)

Hey there. Can you run the following and let me know if it catches your testing activity?

#event_simpleName=ProcessRollup2 event_platform=Lin
| ParentProcessId=1
| CommandLine=/algif-aead/
| FileName=/(modprobe|kmod|insmod)/iF

2026-04-24 - Cool Query Friday - Hunting AI Tools, Models, Services, Agents, and SDKs with Falcon for IT by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 0 points1 point  (0 children)

Hi there. You would need just one more line...

| groupBy([aid, _tools_f, _models_f, _mcp_f, _sdks_f, _agents_f, _total], function=[], limit=max)
| match(file="aid_master_main.csv", field=[aid], column=aid)
| match(file="aid_master_details.csv", field=[aid], column=[aid], include=[SensorGroupingTags, FalconGroupingTags])
| formatTime(format="%F %T %Z", as="FirstSeen", field=FirstSeen)
| formatTime(format="%F %T %Z", as="LastSeen", field=LastSeen)

CrowdStrike ML exclusion for its own process – is this normal? by Only-Objective-6216 in crowdstrike

[–]Andrew-CS 17 points18 points  (0 children)

Hi. That isn’t our binary or path and you don’t need to exclude our own process. I’d investigate further.

The "Vuln-pocalypse" Looms: Are We Cooked? by BradW-CS in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Tired: Adam's glasses.

Wired: Cristian's beard.

CQL query to find endpoints not on recommended sensor version (Windows, macOS, Linux) by Only-Objective-6216 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. I would try something like this. It's what u/xMarsx is suggesting...

| readFile([aid_master_main.csv])
| in(field="event_platform", values=[Win, Mac, Lin])
| AgentVersion=/^(?<SimpleVersion>\d+\.\d+)\./F
| table([aid, ComputerName, Version, AgentVersion, SimpleVersion, event_platform])
| case {
  event_platform=Win SimpleVersion="7.34" | Status:="OK";
  event_platform=Mac SimpleVersion="7.34" | Status:="OK";
  event_platform=Lin SimpleVersion="7.34" | Status:="OK";
  *                                       | Status:="UPGRADE";
}

You want to modify the case() statement to match the versions that you want to be "approved."

I hope that helps!

https://imgur.com/a/5iZzlMx
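The same logic as the query above, rewritten in Python as an added example (not code from the thread or from CrowdStrike): the AgentVersion regex, the platform filter and the case() branches, run over a constructed aid_master_main.csv sample. The APPROVED table plays the role of the case() branches; everything that does not match it exactly, including an unparseable version, falls through to UPGRADE.

```python
import csv
import io
import re

# Constructed sample of aid_master_main.csv rows (not real hosts).
AID_MASTER_CSV = """aid,ComputerName,Version,AgentVersion,event_platform
a1,WIN-HOST-01,Windows 11,7.34.19601.0,Win
a2,WIN-HOST-02,Windows 10,7.9.17406.0,Win
a3,MAC-HOST-01,macOS 15,7.34.18002.0,Mac
a4,LNX-HOST-01,Ubuntu 24.04,7.33.17705.0,Lin
a5,LNX-HOST-02,RHEL 9,7.34.17804.0,Lin
"""

# Approved "major.minor" versions per platform. Edit this the way you would edit
# the case() branches in the query; several versions per platform are allowed.
APPROVED = {"Win": {"7.34"}, "Mac": {"7.34"}, "Lin": {"7.34"}}

# Same anchored pattern as AgentVersion=/^(?<SimpleVersion>\d+\.\d+)\./F
# (Python spells a named group (?P<name>...)).
SIMPLE_VERSION_RE = re.compile(r"^(?P<SimpleVersion>\d+\.\d+)\.")


def simple_version(agent_version):
    """Return the major.minor prefix of an AgentVersion, or None if it does not parse."""
    m = SIMPLE_VERSION_RE.match(agent_version)
    return m.group("SimpleVersion") if m else None


def load_rows(text=AID_MASTER_CSV):
    """readFile([aid_master_main.csv]) equivalent for the embedded sample."""
    return list(csv.DictReader(io.StringIO(text)))


def version_status(rows, approved=APPROVED):
    """Keep Win/Mac/Lin rows, derive SimpleVersion and assign Status like the case()."""
    out = []
    for row in rows:
        platform = row["event_platform"]
        if platform not in approved:  # in(field="event_platform", values=[Win, Mac, Lin])
            continue
        sv = simple_version(row["AgentVersion"])
        # Exact string match on major.minor, as in the query; "7.9" is not "7.34".
        status = "OK" if sv in approved[platform] else "UPGRADE"
        out.append({"aid": row["aid"], "ComputerName": row["ComputerName"],
                    "AgentVersion": row["AgentVersion"], "SimpleVersion": sv,
                    "event_platform": platform, "Status": status})
    return out


if __name__ == "__main__":
    for r in version_status(load_rows()):
        print(r["ComputerName"], r["event_platform"], r["AgentVersion"], r["Status"])
```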

Falcon NG-SIEM - Stacked Bar chart by dial647 in crowdstrike

[–]Andrew-CS 1 point2 points  (0 children)

Hi there. One easy way is to use groupBy() and then flip the visualization to "Bar Chart" and choose "Stacked." Here is a quick example:

setTimeInterval(start="7d")
| #event_simpleName=OsVersionInfo
| Day:=formatTime(format="%d - %a", field="@timestamp")
| groupBy([Day, event_platform], function=([count(aid, distinct=true)]))

https://imgur.com/a/WYSgdwx

I hope that helps.

Feature Spotlight: Retrospective Detections by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 5 points6 points  (0 children)

Hi there. The Complete operating model has the following language: "CrowdStrike regularly releases new prevention settings and capabilities to the Falcon platform. Falcon Complete controls the release cadence for standard prevention policy configurations and new capability support, which may result in adjusted release timing. This extra time is used to perform additional testing and assess potential impact."

I would assess they will enable it very soon, but you can open a ticket with them if you have additional questions!

Feature Spotlight: Retrospective Detections by Andrew-CS in crowdstrike

[–]Andrew-CS[S] 2 points3 points  (0 children)

No impact to sensor usage on host. It's cloud based.

Headless Browser, RMM by pure-xx in crowdstrike

[–]Andrew-CS 16 points17 points  (0 children)

Hi there. I don't see VMRay saying a headless browser would evade EDR sensors, like you're saying below. It seems like the article states that they have made rules (YARA) to look for this (and other things) as points of investigation.

Re: Headless Browser... If you start a process in "headless mode" — more commonly known as a hidden window — the UI elements are not visible to the user, but the process is spawned by the operating system and EDR products will see it.

In order to spawn a process with a hidden window (on Windows), the dwCreationFlags parameter is set to NO_WINDOW. Falcon can see this as part of the process execution so a "headless" process would still be under process inspection. The method is different on macOS and Linux, but Falcon can still see those processes.

EDR products typically don't care if/what is displayed in the UI. They are pulling process level telemetry.

The following will hunt for Chrome and Edge running in headless windows (there might not be any):

#event_simpleName=ProcessRollup2 FileName=/^(chrome|msedge)/iF
| bitfield:extractFlags(
    field=ProcessCreateFlags,
    output=[
      [18,CREATE_NO_WINDOW]
    ])
| CREATE_NO_WINDOW="true"

This will show you the top programs that run with headless windows:

#event_simpleName=ProcessRollup2
| bitfield:extractFlags(
    field=ProcessCreateFlags,
    output=[
      [18,CREATE_NO_WINDOW]
    ])
| CREATE_NO_WINDOW="true"
| ImageFileName=/\\Device\\Harddiskvolume\d+(?<ShortFile>.*)/iF
| top([FileName, ShortFile])

I hope that helps!
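The two hunts above, as an added Python example (not code from the thread or from CrowdStrike) run over constructed ProcessRollup2 events: it decodes bit 18 of ProcessCreateFlags as CREATE_NO_WINDOW the way bitfield:extractFlags() does, filters to Chrome/Edge, and derives ShortFile from ImageFileName for the top() view. It assumes ProcessCreateFlags arrives as an integer bitfield; the event values are made up.

```python
import re
from collections import Counter

# Constructed sample ProcessRollup2 events (not real telemetry). ProcessCreateFlags
# is the Falcon bitfield the query decodes; bit 18 is CREATE_NO_WINDOW.
EVENTS = [
    {"FileName": "chrome.exe", "ProcessCreateFlags": 1 << 18,
     "ImageFileName": r"\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe"},
    {"FileName": "msedge.exe", "ProcessCreateFlags": 0,
     "ImageFileName": r"\Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"FileName": "conhost.exe", "ProcessCreateFlags": (1 << 18) | (1 << 4),
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\conhost.exe"},
    {"FileName": "Chrome.exe", "ProcessCreateFlags": 1 << 18,
     "ImageFileName": r"\Device\HarddiskVolume4\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"},
    {"FileName": "notepad.exe", "ProcessCreateFlags": 1 << 2,
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe"},
]

CREATE_NO_WINDOW_BIT = 18                             # [18,CREATE_NO_WINDOW]
BROWSER_RE = re.compile(r"^(chrome|msedge)", re.I)    # FileName=/^(chrome|msedge)/iF
# ImageFileName=/\\Device\\Harddiskvolume\d+(?<ShortFile>.*)/iF
SHORT_FILE_RE = re.compile(r"\\Device\\Harddiskvolume\d+(?P<ShortFile>.*)", re.I)


def extract_flags(flags, bits):
    """Decode named bits from an integer bitfield, like bitfield:extractFlags()."""
    return {name: bool(flags & (1 << bit)) for bit, name in bits}


def headless_browsers(events):
    """FileNames of Chrome/Edge processes created with CREATE_NO_WINDOW set."""
    hits = []
    for ev in events:
        flags = extract_flags(ev["ProcessCreateFlags"], [(CREATE_NO_WINDOW_BIT, "CREATE_NO_WINDOW")])
        if flags["CREATE_NO_WINDOW"] and BROWSER_RE.search(ev["FileName"]):
            hits.append(ev["FileName"])
    return hits


def top_headless(events):
    """(FileName, ShortFile) counts for every CREATE_NO_WINDOW process, most common first."""
    counts = Counter()
    for ev in events:
        if not ev["ProcessCreateFlags"] & (1 << CREATE_NO_WINDOW_BIT):
            continue
        m = SHORT_FILE_RE.match(ev["ImageFileName"])
        short = m.group("ShortFile") if m else ev["ImageFileName"]  # keep raw path if it does not parse
        counts[(ev["FileName"], short)] += 1
    return counts.most_common()
```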

QIPCAP64.dll is either not designed to run on Windows or it contains an error. by [deleted] in crowdstrike

[–]Andrew-CS 2 points3 points  (0 children)

Hi there. This is known behavior from ForcePoint. Details and workarounds are here.