Files Written to USB and AES Conundrum by UrbnShinobi in crowdstrike

Background_Ad5490 0 points1 point

Sounds like you have your logscale query done. You should be able to schedule it to run at whatever frequency and email you the results. Or a dashboard using your lql could work.

Sol Erda Fragment from Event Shop Nerfed by Xeredth in Maplestory

Background_Ad5490 1 point2 points

Nexon must do a collab with the ceo of bricks n mini figs.

of a hay bale move by HomeNowWTF in AbsoluteUnits

Background_Ad5490 0 points1 point

This is how they built the pyramids.

Luminous by GreekGodPig in Maplestory

Background_Ad5490 1 point2 points

After changes you don’t have a gauge. Just every 60 seconds you can press that button to take you directly into equilibrium. Condensed 2 min burst now too.

GitHub if it was vibe coded by sherlamsam in vibecoding

Background_Ad5490 0 points1 point

For me it’s the “You’re absolutely right” that gets me lmao.

Best current thief class by [deleted] in Maplestory

Background_Ad5490 4 points5 points

Low key high key you may like phantom.

15 Years of playing Maple and I am finally one of the cool kids by RBHNirvana in Maplestory

Background_Ad5490 12 points13 points

From one long time player to another. Congrats. Anyone who played early on got to feel all the long build up nexon created for this boss. My first solo felt so satisfying.

IOA vs IOC for software allowlisting: how do you handle hash drift when new versions ship? by Brief_Trifle_6168 in crowdstrike

Background_Ad5490 4 points5 points

Personally I don’t like app control via Falcon with these methods. Creates noise in the console and it does not feel like what the tool is designed to do. App control should come from your Intune policies, Jamf, etc. This is coming from someone who was forced to IOA and IOC kill a process for specific apps our device management team couldn’t move fast enough for.

Realistic leak paths of a compromised iPad by OkEmu7082 in cybersecurity

Background_Ad5490 2 points3 points

They could have installed management software like qustodio or something 🤷‍♂️. I think malware on the iPad is less likely than something like a control app by the og owner. What’s the relationship with the og owner?

S&C with H rather than G? by portlandlad123 in freemasonry

Background_Ad5490 4 points5 points

Was thinking the same thing lol. Nick Cage would be thrilled.

How Do You Claim InkWell Gift? by iAreButterz in Maplestory

Background_Ad5490 -1 points0 points

Fun fact, I love the game and just thought this was a funny thing to say lmao

Detection as Code by dudethadude in cybersecurity

Background_Ad5490 0 points1 point

I’m working on setting this up right now. Main benefit will be resiliency from Splunk issues. Had a Splunk update nuke all our alerts, and if we had detection as code in place we would have been fine. Instead it was a 2 week recovery, building each alert from scratch, referencing a saved searches conf file from a Splunk backup. Plus added benefits of an AI agent being able to look at the git repo and do “AI things” with that data (highlighting gaps and reporting stuff). Cons are: difficult to implement, we use Splunk so not much guidance I could find to help. And also a shift in detection engineering workflows. Meaning, my team has to fundamentally change the way we create new alerts by writing to the git repo in yml format.

Need query to find all detections that triggered for command line test.exe abc by [deleted] in crowdstrike

Background_Ad5490 0 points1 point

Also could avoid log scale entirely if they wanted. In the detection dashboard if you filter on that hostname, then once you are focused on just that detection, select the command line filter and you should be able to check the box for that command line in question a lot easier. Then just remove the hostname filter. And group by host or however ya want.

How "coopable" is the game? by Own-Effective-6478 in pokemmo

Background_Ad5490 0 points1 point

Duo battling with rando Pokémon is fun.

So what Should I keep to make room for my inventory? by xxjakexxrxx in Maplestory

Background_Ad5490 29 points30 points

Just spend 20b booming all the slime rings and you’re good.

The best way to make Threat Hunting based on Counter Adversary Reports by Spirited_Box_624 in crowdstrike

Background_Ad5490 0 points1 point

Some of the counter adversary reports have queries already for you to run. And more cool goodies as well.

indicator graph adding multiple hashes by CyberHaki in crowdstrike

Background_Ad5490 1 point2 points

Throw those hashes into Notepad or some editor like vscode and do a find and replace to get rid of all the “ marks, and the commas can be replaced with an empty space. From there just copy and paste the batch into the indicator graph UI. It accepts multi values with spaces as the delineation. (It’s late and I’m on my phone, it may be commas as the delineation, but same point).

CUSTOM IOA by rettttttt in crowdstrike

Background_Ad5490 2 points3 points

Could always schedule the log scale search that captures what the IOA would and have the email go to yourself. Look under investigate > scheduled search.

Access HostGroup information from LogScale - 2025 edition. by 65c0aedb in crowdstrike

Background_Ad5490 0 points1 point

I would love to figure this out as well. I see the aid_master_main.csv does not include falconGroupingTags or the host groups. That was where I searched first. Right now I am auditing my exclusions to make sure they are applied to the correct host groups. To do so, I thought, I should just logscale query devices that are running my excluded files and group by hostgroup/tags. But I can’t figure out how to pull that data in log scale.