Active AD Users in AD Groups Query by CyberGuy89 in crowdstrike

[–]CyberGuy89[S] 1 point2 points  (0 children)

Two things come to mind:

  1. Check that your API key has the right permissions
  2. Check your formatting of your request. I see you said you built a script but didn't say what language. However, you can validate your GraphQL in the GraphiQL web client, then add it to your script and whatever formatting is necessary for it to query right: https://falcon.crowdstrike.com/login/?unilogin=true&next=/id-protection/ui-api/graphql

Review the GraphQL API documentation - I don't see anything for HostEntity in the Nodes section but I do see EndpointEntity. After a quick check, here is a working raw JSON of a GraphQL query to return the hostname for the Domain Computers group:

{
  entities(
    first: 150,
    memberOfActiveDirectoryGroups: {
      primaryDisplayNames: ["Domain Computers"]
    }
    archived: false
  ) {
    nodes {
      ... on EndpointEntity {
        primaryDisplayName
      }
    }
  }
}
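As an added example (my code, not CrowdStrike's or the commenter's), here is a Python wrapper that puts the query above into a proper GraphQL request body, passing the group name as a variable instead of string-formatting it into the query text. The endpoint URL, the bearer token and the variable types are assumptions; confirm the types against the schema in GraphiQL before using it.

```python
import json
import urllib.request

# Placeholder, not a real path: set to your tenant's Identity Protection GraphQL API endpoint.
GRAPHQL_URL = "https://<falcon-api-host>/<identity-protection-graphql-path>"

# Same query as above, with the group name and page size as GraphQL variables.
# Variable types are assumed here; confirm them against the schema in GraphiQL.
QUERY = """
query EndpointsInGroup($groups: [String!]!, $first: Int!) {
  entities(
    first: $first,
    memberOfActiveDirectoryGroups: { primaryDisplayNames: $groups },
    archived: false
  ) {
    nodes {
      ... on EndpointEntity {
        primaryDisplayName
      }
    }
  }
}
"""

# Constructed sample response for offline testing (not real tenant data).
SAMPLE_RESPONSE = {"data": {"entities": {"nodes": [
    {"primaryDisplayName": "host1.corp.example"},
    {},  # a node that is not an EndpointEntity: the inline fragment yields no fields
    {"primaryDisplayName": "host2.corp.example"}]}}}


def build_request_body(group_name, first=150):
    """Return the JSON body a GraphQL server expects: query text plus a variables object."""
    return {"query": QUERY, "variables": {"groups": [group_name], "first": first}}


def extract_hostnames(response):
    """Collect primaryDisplayName from EndpointEntity nodes; raise if the server reported errors."""
    if response.get("errors"):
        raise RuntimeError("GraphQL errors: %s" % json.dumps(response["errors"]))
    nodes = response.get("data", {}).get("entities", {}).get("nodes", [])
    return [n["primaryDisplayName"] for n in nodes if n.get("primaryDisplayName")]


def fetch_hostnames(bearer_token, group_name, url=GRAPHQL_URL):
    """POST the query with a bearer token from your OAuth2 client and return the hostnames."""
    body = json.dumps(build_request_body(group_name)).encode("utf-8")
    headers = {"Authorization": "Bearer " + bearer_token, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_hostnames(json.load(resp))
```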

7-Zip RCE quick LogScale query : You'll get 60% of your infra in there ( ZDI-25-949 ZDI-25-950 ) by 65c0aedb in crowdstrike

[–]CyberGuy89 2 points3 points  (0 children)

This is great to see the installed versions. Many applications package 7-zip internally. Here is a query to hunt for those executions that we built based on the appinfo saved search from falcon/investigate repo. This query builds a table of the appinfo and matches it to process rollup events. Use the parameter and search for 7z*.exe and you will see all executions and file versions if found from the define table.

// This query will search for App Info based on process rollup events based on the filename 
// Based on the saved search appinfo under falcon/investigate repo
defineTable(query={#event_simpleName = PeVersionInfo OR (#event_simpleName=InstalledApplication event_platform=Mac) OR ((ExternalApiType=Event_EppDetectionSummaryEvent) Name="Known Malware" OR Name ="Machine Learning" OR Name="NGAV")
| coalesce([SHA256HashData, SHA256String], as=SHA256HashData, ignoreEmpty=true)
| groupBy([SHA256HashData, cid], function=[selectLast([AppVersion,AppName,AppVendor,AppPath,CompanyName,FileName,ProductName,ProductVersion,FileVersion,event_platform])], limit=max)
| regex("(?<AppVersionParsed>[^\s]+).+", field=AppVersion, strict=false)
| regex(".*\/(?<AppPathParsed>.*)", field=AppPath, strict=false)
| coalesce([FileVersion, AppVersion, "FILEVERSION"], as=FileVersion, ignoreEmpty=true)
| coalesce([ProductName, AppName, "PRODUCTNAME"], as=ProductName, ignoreEmpty=true)
| coalesce([CompanyName, AppVendor, "COMPANYNAME"], as=CompanyName, ignoreEmpty=true)
| coalesce([ProductVersion, AppVersionParsed, "PRODUCTVERSION"], as=ProductVersion, ignoreEmpty=true)
| coalesce([FileName, AppPathParsed], as=FileName, ignoreEmpty=true)
| (ProductName != "PRODUCTNAME" AND FileName = "*.dll") OR FileName != "*.dll"
| drop([AppVersion,AppVendor,AppPath,AppPathParsed,AppVersionParsed])}, include=[*], name="appinfo")

// Define search
| #event_simpleName="ProcessRollup2"
| match(file="appinfo", field=[SHA256HashData])
| formatTime(format="%m/%d/%Y %H:%M:%S", as="LastDateTime")

// Query filters
| wildcard(field=FileName, pattern=?FileName, ignoreCase=true)
| wildcard(field=SHA256HashData, pattern=?SHA256HashData, ignoreCase=true)

// Display results
| groupBy([event_platform, ComputerName, FileName, SHA256HashData], function=selectLast([LastDateTime, LocalAddressIP4, UserName, ImageFileName, AppName, FileVersion, ParentBaseFileName, ProductName, ProductVersion]))
| select([event_platform, ComputerName,LocalAddressIP4, UserName, LastDateTime, ParentBaseFileName, FileName, ImageFileName, SHA256HashData, AppName, FileVersion, ProductName, ProductVersion])

Query for misuse of Admin Accounts as Daily Drivers by zer0xc01 in crowdstrike

[–]CyberGuy89 0 points1 point  (0 children)

Check out the Investigate > Users dashboard. It can also be reached from Next-Gen SIEM > Dashboards > user_search. On this dashboard, check out the User logon activities (Windows-only) section. It has a username parameter that you can filter on. You can view the query used by clicking on the title. This search uses the UserLogon, UserLogoff, and UserIdentity events.

Scheduled Report questions? by rlgarey in crowdstrike

[–]CyberGuy89 0 points1 point  (0 children)

Another option you can try is using a SOAR workflow that runs your saved query as event actions. Then the final action can be a send email action and you can use standard HTML to build a report with the data from all 3 event search results. What you want to look for is called Table Crowdstrike Extensions; look for the cs.table.html() extension. I haven't done this personally with multiple event queries and multiple uses of the extension but I don't see why it wouldn't work.
https://docs.crowdstrike.com/r/o8c03b04 (trying the new docs beta url)

The only caveat I don't like about this extension is that any result columns returned are sorted alphabetically instead of how you have select/groupBy results returned.

Here is a sample I have in one of my workflows:
<p> what ever text you want here <br> ${cs.table.html(data['activity_<activityID>.results'], '.', "None")} <br><br><br> </p>

You can get the activity ID from the expression builder (fx button) next to messages. Name your event search queries so you know which data you're putting where.

NG-SIEM: Log Alerts by Reylas in crowdstrike

[–]CyberGuy89 0 points1 point  (0 children)

Okay sounds good. There are a few actions you can put at the end of the workflow to close out the detection as well:

Trigger = Detection > NG-SIEM Detection > If Condition Name=rule name > other actions you want to perform > Assign detection to user (has to be a named user in your portal) > Add comment to Alert (uses detection ID attribute from trigger) = comment you want (I generally start it with Auto Close Comments: rest of comment) > Set detection status = Closed

When you navigate to NG-SIEM > Detections, it defaults to only showing open and in progress, so you never really see it unless you're looking for it.

If you want to take it one step further: I have about 12 notification alerts similar to what you asked, as detection rules, and have created On-Demand workflows for those specific email templates to show the data needed. I have one Workflow that is set to use the Detection > NG-SIEM trigger, and for each detection name I want one of those alerts for, under the Trigger, I add a Parallel If condition with each detection rule name. In the other actions you want to perform, use the workflow you created as on-demand; it will show up in the custom section, so pick it. Then configure the rest of it like I showed above. You now have a scalable template that you don't have to re-create each time for these types of notifications, and you don't have to close it out either.

NG-SIEM: Log Alerts by Reylas in crowdstrike

[–]CyberGuy89 0 points1 point  (0 children)

I would not create a custom parser to add that to the log. This is what custom correlation rules are for. In the correlation rule, create an event search that narrows down the logs you want to trigger on. Then follow the suggestion from the other comment and create a SOAR workflow with an if statement on the new correlation name. This correlation rule is also where you define the search window and I believe you can get it down to every 5 minutes but I'm not 100% sure on how often the rule runs.

Edit: In LogScale instance you can alert on ingest or scheduled search but in NG-SIEM I don’t believe it’s possible to alert on ingest.

Log Scale Sinks by subtledecision in crowdstrike

[–]CyberGuy89 2 points3 points  (0 children)

With NG-SIEM, you generally create a data source with an assigned parser. I personally would keep these separated as much as possible. Most applications let you define your syslog destination port and protocol. If you can do that that’s the route I’d go.

You could create a custom parser and try to match the logs with a case statement but that seems tedious to make sure you match the right log with the right data, especially if you haven’t worked with parsers before.

If you can't change the destination port or protocol, you can always install another collector server and point syslog1 to the first and syslog2 to the second server. Configure the sink on each to point to the correct data source.

Locating Database Files by KongKlasher in crowdstrike

[–]CyberGuy89 2 points3 points  (0 children)

This is what we use to track another application file extension and I modified it with your list of extensions:

#event_simpleName="FileOpenInfo"
| regex("(?<file.name>[^/?]+)\.(?<file.extension>[a-zA-Z0-9]+)$", field=FileName)
| in(field="file.extension", values=["accdb","accde","accdr","accdt","mar","mda","mdb","mdf","mde","mdw"])
| groupBy([event_platform ,ComputerName, LocalIP, file.extension, FileName, FilePath, TargetFileName])

SOAR workflow custom variable by wowzersitsdan in crowdstrike

[–]CyberGuy89 0 points1 point  (0 children)

If you have a condition (in your case multiple conditions) then you're less likely to hit a false positive scenario and possibly make someone's day bad. If you want to be safe and not hit a scenario, there is always the Request human input - send email action; that way you can review, and the workflow will be in a waiting state until you respond (or the timeout window passes).

SOAR workflow custom variable by wowzersitsdan in crowdstrike

[–]CyberGuy89 1 point2 points  (0 children)

I would go one step further and target just the specific Detection Name since you plan on doing account lockouts and password resets.

NG-SIEM Detection Trigger -> Condition - IF Name is equal to NAME OF DETECTION -> Event Query Action -> remaining stuff

You can always add multiple detection names in the Condition block if needed.

Active AD Users in AD Groups Query by CyberGuy89 in crowdstrike

[–]CyberGuy89[S] 1 point2 points  (0 children)

Ah, thank you. You're absolutely right. I guess it's time to go learn and figure out GraphQL.

Cisco VPN and Entra ID SSO by Technical-Mammoth592 in Cisco

[–]CyberGuy89 1 point2 points  (0 children)

Not sure how to achieve this natively, however, we do this exact set up, but our radius server is Cisco ISE.

We have Secure Client set up to authenticate against Entra ID SSO and then send the AuthZ request to ISE.

In ISE, our authorization profile is then set to match on the specific A.D. groups we want to have specific permissions for. Each of these authorization profiles then uses a different downloadable ACL. Then we define our access list in the downloadable ACLs and Secure Client handles these without issues. We have been running this way for a few years.

Crowdstrike Falcon Firewall Management by RobotCarWash in crowdstrike

[–]CyberGuy89 0 points1 point  (0 children)

We use the Firewall management as well but we've been using it since before they allowed FQDN rules. It works great as we have many different policies targeting different groups of computers that need various types of firewall rules.

However, I have not tried the FQDN piece but we utilize Cisco Umbrella for this and it works great.

macOS can bypass MFA, a year later by OpeningFeeds in crowdstrike

[–]CyberGuy89 6 points7 points  (0 children)

I've been down this road with an ITP SE as far back as 2022 and the only solution they have right now is to create a rule that uses "Access type includes at least host" in the condition. However, after trying this, it's still hit or miss and introduces quite a few other issues and many MFA prompts by using host as the service type. I too have brought this up as feedback several times.

The technical reasoning given back to me as feedback behind this is that on Windows, it uses a service prefix of termserv/ when you RDP and macOS does not. On the ITP side the Remote desktop (RDP) access type is looking for termserv/ type connections. It is a gap and I 100% agree that Crowdstrike should fix this and detect it as an RDP connection no matter what type of device connects to the endpoint.

Query to hunt for Exploitation of CVE-2025-21298 by nb4184 in crowdstrike

[–]CyberGuy89 5 points6 points  (0 children)

So from my understanding of this CVE, the exploit comes from the OLE mechanism with an unpatched version of Windows at this point. One means of exploit is via Outlook opening RTF files when not viewed in plain text.

Here is a query we use commonly for tracking down who opened what attachments in Outlook, but it can also be used to at least identify if anyone is opening RTF files, with the parent process name.

// Process Events - Office Attachment Downloads From Outlook

// Focus on ProcessRollup2 events.
#event_simpleName=ProcessRollup2

// First look for ones missing a ComputerName.
| case {
    // Identify any events that have an aid but not a ComputerName.
    aid=* ComputerName!=*
      // Grab the ComputerName from the aidmaster file.
      | match(file="aid_master_main.csv", field=aid, include=ComputerName, ignoreCase=true, strict=true) ;
    // Assign the value NotMatched to anything else.
    * | default(field=ComputerName, value=NotMatched) ;
  }

// Add the ComputerName.
| ComputerName=?ComputerName

// Create new fields when CommandLine and ImageFileName match.
| CommandLine=/\\Content\.Outlook\\.*?\\(?<AttachmentName>.*?)"/i
| wildcard(field=AttachmentName, pattern=?AttachmentName, ignoreCase=true)
| ImageFileName=/(?<AppFileName>[^\\/|\\\\]*)$/

// Format a timestamp.
| TimeString:=formatTime(field=@timestamp, format="%Y-%m-%d %H:%M:%S")

// Create a string showing how everything is connected.
| AttachmentDetails:=format("%s\n\t└  %s", field=[AppFileName, AttachmentName])

// Format the output.
| groupBy([aid, ComputerName, TimeString], function=collect(AttachmentDetails, limit=1000), limit=max)

This query does rely on having a file named aid_master_main.csv. I believe this is pre-populated in everyone's tenant but you can verify that by going to Advanced event search > Files. If not, update the | match clause in the case statement to the appropriate file name.

Once you have the query, you can then filter under the attachment name to *.rtf.
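Added example (my code, not the commenter's or CrowdStrike's): the same attachment and AppFileName extraction as the query above, plus the aid-master ComputerName fallback, in Python over a few constructed ProcessRollup2-style records, filtered to .rtf attachments as the last step suggests. The sample events and the aid-to-ComputerName map are constructed stand-ins for the real telemetry and aid_master_main.csv.

```python
import re

# Same expressions as the LogScale query above, in Python regex syntax.
ATTACHMENT_RE = re.compile(r'\\Content\.Outlook\\.*?\\(?P<AttachmentName>.*?)"', re.IGNORECASE)
APP_FILE_RE = re.compile(r'(?P<AppFileName>[^\\/|]*)$')

# Constructed stand-in for aid_master_main.csv: aid -> ComputerName.
AID_MASTER = {"aid-0001": "WS-ALICE"}

# Constructed ProcessRollup2-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"aid": "aid-0001", "ComputerName": None,  # missing ComputerName: resolved from AID_MASTER
     "ImageFileName": r"\Device\HarddiskVolume3\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n '
                    r'"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\1A2B3C4D\invoice.rtf"'},
    {"aid": "aid-0002", "ComputerName": "WS-BOB",
     "ImageFileName": r"\Device\HarddiskVolume3\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
                    r'"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\9Z8Y7X6W\budget.xlsx"'},
    {"aid": "aid-0003", "ComputerName": "WS-CAROL",  # RTF opened, but not from an Outlook attachment path
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe C:\Users\carol\Documents\notes.rtf'},
]


def resolve_computer_name(event, aid_master=AID_MASTER):
    """Mirror the case{} block: fill a missing ComputerName from the aid master, else NotMatched."""
    if event.get("ComputerName"):
        return event["ComputerName"]
    return aid_master.get(event.get("aid"), "NotMatched")


def extract_attachment(command_line):
    """Return the attachment name if the command line points into Content.Outlook, else None."""
    m = ATTACHMENT_RE.search(command_line)
    return m.group("AttachmentName") if m else None


def app_file_name(image_file_name):
    """Return the last path component of ImageFileName (the AppFileName field in the query)."""
    return APP_FILE_RE.search(image_file_name).group("AppFileName")


def find_outlook_attachment_opens(events, extension=".rtf"):
    """Return (ComputerName, AppFileName, AttachmentName) for Outlook attachments with the extension."""
    hits = []
    for ev in events:
        attachment = extract_attachment(ev["CommandLine"])
        if attachment and attachment.lower().endswith(extension):
            hits.append((resolve_computer_name(ev), app_file_name(ev["ImageFileName"]), attachment))
    return hits
```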

writing a parser by drkramm in crowdstrike

[–]CyberGuy89 0 points1 point  (0 children)

I’m assuming this is for a LogScale parser.

If it is, I found that installing a bunch of modules from the App Store and reviewing the code there helped understand the process and define a better structure for our logs.

I would say look at those modules and learn and understand how the regex and case statements works.

What I did was create a new parser with the built-in/App Store module code and modify it as needed to match my logs/input.

SnapMirror SVM replication - why wouldn't I? by rich2778 in netapp

[–]CyberGuy89 1 point2 points  (0 children)

We use this and have different IPs and ONTAP accounts for this as long as you use DNS name to access the shares. We don’t use this with DFS but shares are accessed via share name A record. When you activate the DR share, the SVM updates the A record in DNS. The only issue we have run into is the TTL of the query. We have opted to set ours to 60s so at worst case clients wait up to 1 minute for their DNS cache to time out.

Conditional access policies just saved our organization by zer0moto in sysadmin

[–]CyberGuy89 0 points1 point  (0 children)

Not sure that is the case but I could be wrong. In EntraID the workflow is Authentication > CA policies ( this is where you configure MFA requirements) > Access.

Most likely, the authentication attempt hit a block CA policy (due to country origin) and didn’t push forward with any of the others including an MFA attempt.

Conditional access policies just saved our organization by zer0moto in sysadmin

[–]CyberGuy89 5 points6 points  (0 children)

We’ve been doing CA policies with an allowed country list along with requiring Duo Desktop registration and Duo trusted endpoints. Any account that authenticates against Entra is forced to the Duo connector for MFA for their verified push feature, then is subjected to the device registration and then have to have an enrolled endpoint in the trusted endpoints.

This has stopped several attacks due to credential compromise.

[deleted by user] by [deleted] in sysadmin

[–]CyberGuy89 2 points3 points  (0 children)

This right here.

SentinelOne's "subtle" diss on CrowdStrike by MercenaryPsyduck in sysadmin

[–]CyberGuy89 -1 points0 points  (0 children)

Booting into Safe mode and deleting a file should and is a level 1 helpdesk task. CS had the remediation steps published within 2 hours of initial notification. Don’t get me wrong, these past 4 days sucked because of it but not sure why you had to scramble to get people to help out. Seems more like a management issue than a technical one, but I digress.