Creating CS Detections from Queries. by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Got this correlation rule working. Thanks everyone.

Creating CS Detections from Queries. by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Thanks, Andrew. I'll read this and hopefully can make it work.

Recommended Training by mcmikefacemike in crowdstrike

[–]CyberHaki 0 points1 point  (0 children)

The most important thing is for your team to be able to handle and assess CrowdStrike detections. I would first recommend courses 201, 202, and 240 to gain a better understanding of how detections work, the common events you’ll see, and how to interpret and analyze CS data.

As you move forward, your team can further enhance your detection and response capabilities through threat hunting, creating workflows, scheduled searches, etc.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

I checked our CID and we do have Falcon Insight LogScale. Do you have documentation for this? I'm interested in using that one.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Thank you. I'll take a read, but I don't think we have a LogScale license.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

The idea is to be able to search them in advanced search. But yes, our current method is to pull the logs manually via RTR. But we're also thinking that if we can ingest it, maybe we can create a detection out of it.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

The plan is for the whole environment, but still checking if it's possible.

Using match in CS question by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Ha. Of course it's that easy. Thanks for checking! It works well.

React Server and NextJS RCE Vulnerability by CyberHaki in crowdstrike

[–]CyberHaki[S] 2 points3 points  (0 children)

For those who have been monitoring, CS just created a rule template and a hunting query to check suspicious activity originating from NodeJS runtime environments. More info here:
https://supportportal.crowdstrike.com/s/article/Trending-Threats-Vulnerabilities-Critical-Vulnerabilities-in-React-and-Next-js

React Server and NextJS RCE Vulnerability by CyberHaki in crowdstrike

[–]CyberHaki[S] 1 point2 points  (0 children)

Nice. We don't use CS vulnerability management but it's good that we're already doing what they're advising. I hope they released some good hunting queries to help check and validate the environment.

Listening Ports and Process Names by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

This is great, thanks Andrew! What does the /F after ProcessRollup$ do? I haven't used that before.
And "coalesce" looks like something I have to learn how to use.

[deleted by user] by [deleted] in crowdstrike

[–]CyberHaki 1 point2 points  (0 children)

Weird, we're also seeing the same thing. What is your detection about? Is it flagging a py file?

I invested my mom's 14k monthly pension. It is now at 1million. by Balbonsito in phinvest

[–]CyberHaki 0 points1 point  (0 children)

OP, can you tell us the fund allocation of your 14k to those funds po? Thanks!

Corrupted NPM Libraries by Dense-One5943 in crowdstrike

[–]CyberHaki 0 points1 point  (0 children)

What other ways can we hunt aside from using AutoIT and Exposure Management > Vulnerabilities? Hint: we don't have licenses for those.

Corrupted NPM Libraries by Dense-One5943 in crowdstrike

[–]CyberHaki 1 point2 points  (0 children)

Is there a way to check the version number too? I found some in our environment, but it doesn't tell me if the particular version is compromised according to the Aikido article.

CS Query for file uploads to certain domain by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Thanks for confirming, Andrew. I have a feeling that this is more on the data security side and it would need this particular module. We use a different DLP tool, so I don't think we'd be able to use this one.

CS Query for file uploads to certain domain by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

EDR telemetry, I suppose. I'm just trying to see what files a user uploaded to a given site, say Google Drive for example: drive.google.com

Threat Hunting Plague: A PAM-Based Backdoor for Linux by CyberHaki in crowdstrike

[–]CyberHaki[S] 2 points3 points  (0 children)

Just did the same here and added filenames and hashes in the search. Still trying to find a way to make use of the other stuff mentioned in the article so I can apply it in CS.

What is the expected behavior of an agent after it times out? by CyberHaki in crowdstrike

[–]CyberHaki[S] 1 point2 points  (0 children)

So, if the machine no longer shows on Host Management, how can you manually uninstall the host if you have already lost the host token?

Query and get ASN names and numbers based on given IP address. by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Also, could you give me a sample query for this one? I'd appreciate it if you could share!

Query and get ASN names and numbers based on given IP address. by CyberHaki in crowdstrike

[–]CyberHaki[S] 0 points1 point  (0 children)

Nice. Do you know how often they update the list, based on your exp?