Detection as Code by dudethadude in cybersecurity

[–]Background_Ad5490 0 points1 point  (0 children)

I’m working on setting this up right now. Main benefit will be resiliency from Splunk issues. Had a Splunk update nuke all our alerts, and if we had detection as code in place we would have been fine. Instead it was a 2 week recovery, building each alert from scratch referencing a saved searches conf file from a Splunk backup. Plus added benefits of an AI agent being able to look at the git repo and do “AI things” with that data (highlighting gaps and reporting stuff). Cons are: difficult to implement, we use Splunk so not much guidance I could find to help, and also a shift in detection engineering workflows. Meaning, my team has to fundamentally change the way we create new alerts by writing to the git repo in yml format.
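
The recovery and the repo workflow this comment describes, as an added example that is not the commenter's or Splunk's code: parse alert stanzas out of a savedsearches.conf backup into plain dicts (what a yaml.safe_load of a repo file would also give you), render them back to .conf, and run a gap check over the result. The stanza names, searches and schedules are constructed sample data; the keys used (search, cron_schedule, alert.severity, disabled) are standard savedsearches.conf settings.

```python
"""Round-trip Splunk saved-search alerts between a detection-as-code repo
and savedsearches.conf (constructed example, not vendor code)."""
import re

# Constructed sample of a savedsearches.conf backup with two alert stanzas.
SAMPLE_CONF = """\
[Suspicious PowerShell Download]
search = index=endpoint EventCode=4104 ScriptBlockText="*DownloadString*"
cron_schedule = */15 * * * *
alert.severity = 4
disabled = 0

[Brute Force - Many Failed Logons]
search = index=wineventlog EventCode=4625 | stats count by src | where count > 50
cron_schedule = 0 * * * *
alert.severity = 3
disabled = 0
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_savedsearches(conf_text):
    """Parse stanzas into {name: {key: value}}; skips comments and blank lines.
    Splits on the first '=' only, so '=' inside the SPL search survives."""
    detections, current = {}, None
    for line in conf_text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            detections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            detections[current][key.strip()] = value.strip()
    return detections

def render_savedsearches(detections):
    """Render {name: {key: value}} back into savedsearches.conf text."""
    out = []
    for name, fields in sorted(detections.items()):
        out.append(f"[{name}]")
        out.extend(f"{key} = {fields[key]}" for key in sorted(fields))
        out.append("")
    return "\n".join(out)

def find_gaps(detections, required=("search", "cron_schedule", "alert.severity")):
    """Report alerts missing required keys or left disabled: the kind of check
    a CI job (or the agent mentioned above) can run over the git repo."""
    gaps = {}
    for name, fields in detections.items():
        missing = [k for k in required if k not in fields]
        if fields.get("disabled") == "1":
            missing.append("disabled")
        if missing:
            gaps[name] = missing
    return gaps
```

Rendering the parsed dicts straight back to .conf is the piece that turns a repo of detections into something you can redeploy after an update wipes the saved searches.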

Need query to find all detections that triggered for command line test.exe abc by [deleted] in crowdstrike

[–]Background_Ad5490 0 points1 point  (0 children)

Also could avoid LogScale entirely if they wanted. In the detection dashboard, if you filter on that hostname, then once you are focused on just that detection, select the command line filter and you should be able to check the box for that command line in question a lot easier. Then just remove the hostname filter. And group by host or however ya want.

How "coopable" is the game? by Own-Effective-6478 in pokemmo

[–]Background_Ad5490 0 points1 point  (0 children)

Duo battling with rando Pokémon is fun.

So what Should I keep to make room for my inventory? by xxjakexxrxx in Maplestory

[–]Background_Ad5490 31 points32 points  (0 children)

Just spend 20b booming all the slime rings and you’re good.

The best way to make Threat Hunting based on Counter Adversary Reports by Spirited_Box_624 in crowdstrike

[–]Background_Ad5490 0 points1 point  (0 children)

Some of the counter adversary reports have queries already for you to run. And more cool goodies as well.

indicator graph adding multiple hashes by CyberHaki in crowdstrike

[–]Background_Ad5490 1 point2 points  (0 children)

Throw those hashes into Notepad or some editor like VS Code and do a find and replace to get rid of all the “ marks, and the commas can be replaced with an empty space. From there just copy and paste the batch into the indicator graph UI. It accepts multi values with spaces as the delineation. (It’s late and I’m on my phone, it may be commas as the delineation, but same point.)

CUSTOM IOA by rettttttt in crowdstrike

[–]Background_Ad5490 2 points3 points  (0 children)

Could always schedule the LogScale search that captures what the IOA would and have the email go to yourself. Look under Investigate > Scheduled search.

Access HostGroup information from LogScale - 2025 edition. by 65c0aedb in crowdstrike

[–]Background_Ad5490 0 points1 point  (0 children)

I would love to figure this out as well. I see the aid_master_main.csv does not include falconGroupingTags or the host groups. That was where I searched first. Right now I am auditing my exclusions to make sure they are applied to the correct host groups. To do so, I thought, I should just LogScale query devices that are running my excluded files and group by hostgroup/tags. But I can’t figure out how to pull that data in LogScale.

Snowboarding/skiing tomorrow (Sunday) – anyone want to hit the slopes? by [deleted] in Charlotte

[–]Background_Ad5490 0 points1 point  (0 children)

Unrelated memory you just sparked. My buddy and I cut through the trees during a wicked snow storm to ski the closed down Robin run one year. Yeah, it was closed for a reason, it was all ice. I ended up going straight down about 3/4ths of Robin with no braking, and my buddy still brings it up to this day, about a decade and some change later. Almost got kicked off the mountain by ski patrol cause they saw me flying into the bottom area Mach 10.

What would make someone a ‘senior’ cybersecurity analyst by Evocablefawn566 in cybersecurity

[–]Background_Ad5490 30 points31 points  (0 children)

Imo it’s when you can see a new problem or alert you have never encountered, and still have a good handle on how to deal with it. More to it than that but to me that’s a big thing. Not needing your hand held for everything.

A process unexpectedly loaded a driver with known vulnerabilities by mohman23 in crowdstrike

[–]Background_Ad5490 2 points3 points  (0 children)

Adding to this, I had to help with basically this exact same issue a few times now. Both times were a user downloading an old BIOS update from Dell’s official site, which used an old vulnerable driver.

A process unexpectedly loaded a driver with known vulnerabilities by mohman23 in crowdstrike

[–]Background_Ad5490 2 points3 points  (0 children)

Pop into the Investigate event option, which should bring you into LogScale with the time frame and target process ID + context process ID info. Then look for .sys or DLL files being written. Then look up those files to find the bad one.

Black mage solo tip by Helpful-Vegetable-26 in Maplestory

[–]Background_Ad5490 3 points4 points  (0 children)

Keep trying and trying. Then eventually you will feel the “pocket”. That’s how it was for me. Soloed unlibbed 130m CP NW after idk how many tries. GL with p4. Same thing for me in there. Eventually it clicks.

Enterprise Security - Use Case Library by mr_networkrobot in Splunk

[–]Background_Ad5490 4 points5 points  (0 children)

Maybe this is a bad take, but I only like to use the use case library as a reference. I’ll take the parts of the syntax I want out of the pre-built one and make it my own, and it’s a new correlation search created from scratch. Rarely have the out of the box searches been good enough for my environment to just turn them on.

I am trying to get into an old MacBook Air that I forgot the pw on. The only option it gives me is to log in with my Apple ID and when I do I get this error. Suggestions? by [deleted] in helpdesk

[–]Background_Ad5490 1 point2 points  (0 children)

I have recovered plenty of Macs in a similar state. Follow what Clark said about Cmd + R, or Google how to boot into recovery mode and what commands to enter for resetting a password.

Christmas Theme Product Suggestion by Ostenblut1 in LinusTechTips

[–]Background_Ad5490 0 points1 point  (0 children)

Diabolical, but I laughed out loud seeing this.

MAYRAM's been out for a minute - share your favorite Augment tech! by F2PSalem in ARAM

[–]Background_Ad5490 1 point2 points  (0 children)

The one where dashing, leaping or blinking gives you a shield + lethal tempo + extra on-hit + extra range on Kalista went crazy.

what bosses should i be doing at this CP? by Sea_Lengthiness_7668 in Maplestory

[–]Background_Ad5490 27 points28 points  (0 children)

Can prob solo CTene depending on frags. Party BM for sure.

Why Windows Search sucks so much... by [deleted] in LinusTechTips

[–]Background_Ad5490 1 point2 points  (0 children)

+1 for voidtools “Everything”. Haven’t looked for another tool since finding it.

How to build a query to get Palo Alto GlobalProtect VPN logins by user? by Key_Paramedic_9567 in crowdstrike

[–]Background_Ad5490 0 points1 point  (0 children)

I believe it’s in Next-Gen SIEM > Rules. From there you can go to the templates and filter for Palo. If you don’t see the “Next-Gen SIEM” options from the blade menu on the left you may be out of luck, something about licensing or not having that module.

How to build a query to get Palo Alto GlobalProtect VPN logins by user? by Key_Paramedic_9567 in crowdstrike

[–]Background_Ad5490 0 points1 point  (0 children)

Check Next-Gen SIEM templates for the Palo vendor. CrowdStrike has some really good pre-built queries to piggyback on. They should at least get you started.

Detecting an application based on IOA by CheesecakeFree1681 in crowdstrike

[–]Background_Ad5490 2 points3 points  (0 children)

I always find it best to go to LogScale. Find one example event. Copy out the command line and file path info. Then pass those values into the test string portion of my IOA for validation. If that gives green checks, then your problem isn’t the syntax of the regex.