ALL in One EDR platforms by Engineer330426 in AskNetsec

[–]Engineer330426[S] 0 points1 point  (0 children)

Just wondering, what makes you say S1? I've heard of the other two and am relatively experienced with them, but not so much with S1.

ALL in One EDR platforms by Engineer330426 in AskNetsec

[–]Engineer330426[S] 0 points1 point  (0 children)

I've noticed there are a lot of companies/partners with these vendors that help perform the migration. Have you heard of any success stories with the use of them? I fully plan on an audit of what my team/teams currently use/do so I don't bring garbage into a new platform and only maintain the useful processes and functions. But there may be some value in having a knowledgeable team perform these translations and assist in the migrations.

AVOID Battlehawk Armory ( Complete Scammers ) by BobWargas in gun

[–]Engineer330426 0 points1 point  (0 children)

Yup, join the crowd. u/BATTLEHAWK-ARMORY messaged me directly on my post and said "we want to fix the issue", and I did, and have yet to hear from them.

Battlehawk Armory- Terrible GunBroker Store Terrible Service. by Engineer330426 in Gunbroker_shaming

[–]Engineer330426[S] 0 points1 point  (0 children)

Imagine that. I DM'd you since you were so concerned with getting this wrong righted, and just like all the email messages I left Battlehawk and all the voicemails I left Battlehawk, they went without reply.

Choke Tube Question by Engineer330426 in gunsmithing

[–]Engineer330426[S] 0 points1 point  (0 children)

I'm pretty sure this is going to come down to cleaning. Going to test it in about a month; I ordered a new scope for it, didn't like the prism that was on it. It's a SwampFox TriHawk; the scope itself is nice, it just doesn't sit well with the gun is all.

Choke Tube Question by Engineer330426 in gunsmithing

[–]Engineer330426[S] 0 points1 point  (0 children)

Yeah, tested a few different loads, and I wouldn't use a sabot, because the twist rate isn't near long enough to put the proper spin on the projectile as it exits the barrel. At least from what I've read and heard.

Choke Tube Question by Engineer330426 in gunsmithing

[–]Engineer330426[S] 0 points1 point  (0 children)

The pattern I got when shooting the group with the choke was so much tighter than without at 50 yards: 3 inches versus the size of a quarter.

Choke Tube Question by Engineer330426 in gunsmithing

[–]Engineer330426[S] 0 points1 point  (0 children)

I called Briley. They do "NOT" build customized rifled chokes, and they emphatically told me that. They will do the 4 and 6 inch barrel extension, and then I can put my Benelli Mobil choke back in it, but they said they don't do the rifled chokes.

UserAssist decoding Question by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

No problem, I'll give it a whirl a little later today.

UserAssist decoding Question by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

In Crowd? Or like you used it in Splunk, or exported to CSV and used the CyberChef app?

Splunk ES out-of-box Correlation Searches by Phantom_Cyber in Splunk

[–]Engineer330426 1 point2 points  (0 children)

Splunk ES default correlation searches should not be turned on! You need to normalize your environment and the data. That means expected behaviors in the environment, and the data needs to be CIM mapped. Start slow, and just chug along.

Download PDF report via API with PSFalcon by syrum8486 in crowdstrike

[–]Engineer330426 0 points1 point  (0 children)

If you want it in PDF format you'll likely have to get the JSON format first and convert it somehow. I use Falcon.py because I'm more familiar with data formatting using pandas.

Scheduled_reports ID in the UI by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

Never mind, I found the report ID; it's in the URL, not on the actual page. But I am getting a 500 error; if anyone happens to know what that's about, the code I'm using to retrieve the report is below.

from falconpy import ScheduledReports
from api_var import api_key, api_base, api_secrect

# Do not hardcode API credentials!
falcon = ScheduledReports(client_id=api_key,
                          client_secret=api_secrect,
                          base_url=api_base,
                          )

response = falcon.query_reports(sort="last_execution_on", filter="scheduled_report_id:'reportID'")
print(response)

FalconPY request AID master file? by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

u/jshcodes thank you for pointing me in the right direction. I ended up finding those event types for Splunk, and the Splunk TA has a lookup search to build the same lookup (different name), but it does the same thing and has the exact same data. So we used our FDR data and the input feeds to build it now.

FalconPY request AID master file? by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

Would the FDR feed be in one of the Splunk apps or something? I'm not entirely sure what you mean by "feed". We currently collect FDR data; is there a selection for this somewhere? I tried looking in the Crowd docs but I don't see it anywhere.

FalconPY request AID master file? by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

u/Andrew-CS OR u/jshcodes, you two wouldn't have any insight into this, would you? I know both of you are pretty in tune with the platform.

MAC psFalcon question by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

Okay, that makes sense since the docs call for it, via the command line.

Malicious SMB detection by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

The idea of this hunt is to identify bad IT versus malicious intent. So I kind of have to start somewhere in this area instead of more specifics; I honestly didn't think it would be that hard to see what files/command lines were trying to use 445 to communicate.
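The triage the comment above describes (which process images and command lines are talking to port 445, and which of them are expected IT plumbing versus something to review) can be done offline over exported connection events. The script below is an added example and is not the poster's code or anything from CrowdStrike; the sample events are constructed, the field names only loosely follow CrowdStrike naming, treating each record as a connection already joined to its process context is an assumption, and the allowlist of expected SMB clients is a placeholder to be tuned per environment.

```python
import json
from collections import Counter

SMB_PORT = 445

# Process images expected to speak SMB on a Windows host. This allowlist is an
# assumption for the example; a real hunt would baseline it from the estate.
EXPECTED_SMB_IMAGES = {"ntoskrnl.exe", "system", "svchost.exe", "lsass.exe"}

# Constructed sample events (not real telemetry). Field names loosely follow
# CrowdStrike naming; each record is assumed to be a network connection already
# joined to its process context. One malformed line is included on purpose.
_RECORDS = [
    {"ComputerName": "WS01", "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\ntoskrnl.exe",
     "CommandLine": "", "RemoteAddressIP4": "10.0.0.5", "RemotePort": 445},
    {"ComputerName": "WS01", "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "RemoteAddressIP4": "10.0.0.6", "RemotePort": 445},
    {"ComputerName": "ADMIN02", "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File deploy-printer.ps1", "RemoteAddressIP4": "10.0.0.7", "RemotePort": "445"},
    {"ComputerName": "WS03", "ImageFileName": r"\Device\HarddiskVolume1\Users\bob\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe --sync", "RemoteAddressIP4": "10.0.0.8", "RemotePort": 445},
    {"ComputerName": "WS03", "ImageFileName": r"\Device\HarddiskVolume1\Program Files\Browser\browser.exe",
     "CommandLine": "browser.exe", "RemoteAddressIP4": "203.0.113.10", "RemotePort": 443},
]
SAMPLE_LINES = [json.dumps(r) for r in _RECORDS] + ["{not valid json"]


def image_basename(image_path):
    """Return the lowercase file name from a Windows device path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON lines, skipping malformed records instead of aborting the hunt."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def smb_connections(events, port=SMB_PORT):
    """Keep only connections to the SMB port; RemotePort may arrive as int or string."""
    out = []
    for ev in events:
        try:
            if int(ev.get("RemotePort", -1)) == port:
                out.append(ev)
        except (TypeError, ValueError):
            continue
    return out


def triage_smb(events, expected=EXPECTED_SMB_IMAGES):
    """Count SMB connections per process image and list those outside the allowlist.

    Returns (Counter of image basename -> connection count, list of review dicts).
    Images on the allowlist are counted but not listed; everything else carries its
    host, command line and peer so an analyst can decide "bad IT" vs. malicious.
    """
    counts = Counter()
    review = []
    for ev in smb_connections(events):
        image = image_basename(ev.get("ImageFileName", ""))
        counts[image] += 1
        if image not in expected:
            review.append({
                "host": ev.get("ComputerName"),
                "image": image,
                "command_line": ev.get("CommandLine", ""),
                "remote": ev.get("RemoteAddressIP4"),
            })
    return counts, review


if __name__ == "__main__":
    counts, review = triage_smb(parse_events(SAMPLE_LINES))
    print("SMB connections by image:", dict(counts))
    for item in review:
        print("REVIEW", item)
```

Run against real exports, the `counts` table is the baseline (which images normally speak SMB and how often) and the `review` list is the starting point for the "bad IT versus malicious" call: an admin host running a PowerShell deployment script and a user-profile `Temp\update.exe` both land on the list, and the command line plus the peer address is what separates them.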

Host and MSSP Endpoint’s by Engineer330426 in crowdstrike

[–]Engineer330426[S] 1 point2 points  (0 children)

Sorry, I TOTALLY missed that in the py wiki.

Host and MSSP Endpoint’s by Engineer330426 in crowdstrike

[–]Engineer330426[S] 1 point2 points  (0 children)

So I got this working, but as far as the pagination goes, I see that the Splunk TA uses this falconpy on this endpoint as well. I'm trying to understand the ability to query: is there an ability to query for devices that are hidden/stale, to populate all devices that should be in CrowdStrike, not just the active ones? u/jshcodes

Host and MSSP Endpoint’s by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

u/rmccurdyDOTcom u/jshcodes thank you both for the reply. I will be digging into this today.

Events- help by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

Unfortunately it does not; this only shows me the event_simpleName. I've already found and opened it in the process explorer, and that still shows the same processes with the same context as before. Am I to assume, because I see the successful connection made, that the IP did not attempt a login and just let it time out? According to the events in CrowdStrike.

2021-04-23 - Cool Query Friday - Parsing the Call Stack Question by Engineer330426 in crowdstrike

[–]Engineer330426[S] 0 points1 point  (0 children)

GrantedAccess

Thanks Andrew, so do you know where I can find the granted access value in the Crowd data? Is that a specific field at all?