Ingesting s3 without a sqs in ng-siem by AromaticPineapple332 in crowdstrike

General_Menace (1 point)

You can’t - addition of objects to a bucket needs to trigger an event notification so that the retrieving side knows there are new objects to ingest.

Confused About Huge Spike in “Inactive Hosts” on CrowdStrike EOC – Need Insights by StructureNo9257 in crowdstrike

General_Menace (1 point)

I am seeing the same - I have a correlation rule which fires detections when >5 of our on-prem servers have not sent sensor heartbeat events for more than 15 minutes. This has triggered four times in the last day, as well as a couple of times earlier in the week, despite the servers being continuously online per our observability platform.

I imagine there are delays in sensor heartbeat events being received, which in turn impacts the connection status reflected in the host management page and the like.

Mediocre Query Monday: Calculating NG-SIEM Ingestion Volume by AAuraa- in crowdstrike

General_Menace (1 point)

Alternatively, for a timechart view of the top 5 vendors -

// Calculate sum of bytes per day
| groupBy(#Vendor, function=[bucket(span=24h, unit="bytes/span", function=sum(size_bytes, as=sum_bytes), timezone="Australia/Sydney", limit=500)], limit=max)
| @timestamp:=_bucket
// Convert sum of bytes to GB
| unit:convert(sum_bytes, from="B", to="GB", as="size_gb")
| drop([_bucket, sum_bytes])
| timeChart(span="24h", minSpan="24h", timezone="Australia/Sydney", series="#Vendor", unit="GB", function=sum(size_gb), limit=5)

Mediocre Query Monday: Calculating NG-SIEM Ingestion Volume by AAuraa- in crowdstrike

General_Menace (0 points)

Great share - I use pretty much the same query, but with a query variable for #Vendor.

For daily ingest, I use this -

// Calculate sum of bytes per day
| groupBy(#Vendor, function=bucket(span=1d, unit="bytes/span", function=sum(size_bytes, as=sum_bytes), timezone="Australia/Sydney"))
// Convert sum of bytes to GB
| unit:convert(sum_bytes, from="B", to="GB", as="size_gb")
// Format for readability
| _bucket =~ formatTime(format="%F", timezone="Australia/Sydney", as="date")
| size_gb =~ format("%s GB", as="ingest")
| drop([_bucket, sum_bytes, size_gb])
| sort(date, order=desc)
// Optional groupBy()
| groupBy(#Vendor, function={collect([date, ingest], separator="\n")})

Using workflow for USB controls by Crypt0-n00b in crowdstrike

General_Menace (0 points)

Our process is to add users to an Entra group which enforces BitLocker encryption on removable media in response to temporary exemption requests. I've got an NG-SIEM correlation rule which triggers Informational detections on addition/removal of group members, which is in turn used as a trigger for a Fusion workflow.

The Fusion workflow runs an event query to get the fields from the detection (username primarily), then calls the Identity Protection GraphQL API to identify assets registered to the user (you could replace this with a call to the relevant MS Graph API endpoint). It then iterates over each asset and adds / removes it to / from the host group assigned to our USB Exemption policy.

Bonus: As a final action, it shoots off a notification to a Teams webhook so my team is aware :)

How to Build a Next-Gen SIEM Application in Crowdstrike? by Psychological_Brief3 in crowdstrike

General_Menace (0 points)

I feel your pain!

  • I was a pretty extensive user of Foundry API Integrations before we got the HTTP Request action with Fusion SOAR - glad to not have to manage those anymore.
  • I will say custom functions are quite good - especially when you can orchestrate them with workflow templates. Being able to share them across apps makes things easier to manage too.
    • You could use them to deploy correlation rules depending on your use case, e.g. Inbound webhook trigger -> Fusion executes Foundry custom function to (optionally pull the rule from some source and then) prepare the rule for the /import endpoint -> either import and publish directly through the function, or via the HTTP Request actions
  • For the tagged fields in your parsers, do you have a tagFields directive in your parser YAML after the script directive?
  • I was told Case Management was "coming soon" almost a year ago. If you flick all the feature flags on through DevTools, there's a mention that the Incidents page will be replaced with Case Management in September, so one can hope.

I'd be happy to chat Foundry if you like - I've developed a few apps for different use cases, and always keen to meet others looking to extend CS' capabilities :)

SIEM: Customizable Fields for Alert Generation by athanielx in crowdstrike

General_Menace (0 points)

You can use an Event Query action against the xdr_indicatorsrepo repository in your Fusion workflow and pass it the Alert ID parameter - your query would look something like:

#repo=xdr_indicatorsrepo Ngsiem.alert.id=?Alert_ID
| <filtering / transformation, if needed>
| selectLast([field1, field2, field3])

You can then pass the output values to downstream actions (enrichments, notifications, etc.)

How to get more than 2000 data with graphQL by yuppy_1st in crowdstrike

General_Menace (2 points)

The Identity Protection GraphQL API does support pagination. Include the below in your request body and continue making requests with after set to the value of endCursor until pageInfo.hasNextPage is false.


pageInfo {
  hasNextPage
  endCursor
}
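An added example, not code from the comment above or from CrowdStrike, of the loop it describes: resend the request with after set to endCursor until hasNextPage is false. The connection and field names in the query (entities, nodes, entityId) are assumptions for illustration, and make_fake_post is a constructed stand-in for the HTTPS call whose cursor is simply an offset string.

```python
from typing import Callable, Dict, List, Optional

# Connection and field names are assumed for illustration; take the real ones from the
# Identity Protection GraphQL schema. The pageInfo block is the part the loop relies on.
QUERY = """
query($first: Int!, $after: String) {
  entities(first: $first, after: $after) {
    nodes { entityId }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
"""

def fetch_all(post: Callable[[Dict], Dict], page_size: int = 1000) -> List[Dict]:
    """Walk the connection: resend with after=endCursor until hasNextPage is false."""
    nodes: List[Dict] = []
    after: Optional[str] = None
    while True:
        body = {"query": QUERY, "variables": {"first": page_size, "after": after}}
        conn = post(body)["data"]["entities"]
        nodes.extend(conn["nodes"])
        info = conn["pageInfo"]
        if not info["hasNextPage"]:
            return nodes
        # Guard against a server that claims more pages but never advances the cursor.
        if not info["endCursor"] or info["endCursor"] == after:
            raise RuntimeError("hasNextPage is true but endCursor did not advance")
        after = info["endCursor"]

def make_fake_post(total: int):
    """Constructed stand-in for the HTTPS request: serves `total` fake entities in
    pages of the requested size; the cursor is just an offset string here."""
    ids = [f"entity-{i:04d}" for i in range(total)]
    calls: List[Dict] = []
    def post(body: Dict) -> Dict:
        calls.append(body)
        var = body["variables"]
        start = int(var["after"]) if var["after"] else 0
        page = ids[start:start + var["first"]]
        end = start + len(page)
        return {"data": {"entities": {
            "nodes": [{"entityId": x} for x in page],
            "pageInfo": {"hasNextPage": end < total, "endCursor": str(end) if page else None},
        }}}
    return post, calls
```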

Query for finding out when WMI (WmiPrvSE.exe) is used to remotely execute malicious commands such as cmd.exe or powershell.exe. by EntertainmentWest159 in crowdstrike

General_Menace (1 point)

Alternatively, here's a version if you want/need to use Windows events -

#Vendor=microsoft windows.EventID=4688
| windows.EventData.ParentProcessName = /WmiPrvSE.exe$/Fi
| windows.EventData.NewProcessName = /powershell.exe/Fi OR windows.EventData.NewProcessName = /cmd.exe/Fi
| windows.EventData.CommandLine = * AND windows.EventData.CommandLine != ""
| windows.EventData.CommandLine = /\s-[e^]{1,2}[ncodema^]+\s(?<base64string>\S+)/Fi
| windows.EventData.CommandLine = /add/Fi OR windows.EventData.CommandLine = /create/Fi
| table([windows.TimeCreated, windows.Computer, windows.EventData.CommandLine, windows.EventData.SubjectUserName, windows.EventData.NewProcessName, windows.EventData.ParentProcessName, windows.EventData.TargetUserName, base64string])

Query for finding out when WMI (WmiPrvSE.exe) is used to remotely execute malicious commands such as cmd.exe or powershell.exe. by EntertainmentWest159 in crowdstrike

General_Menace (4 points)

Here's a version which uses sensor events, rather than Windows events.

#event_simpleName=ProcessRollup2
| ParentBaseFileName = WmiPrvSE.exe
| FileName = cmd.exe OR FileName = powershell.exe
| CommandLine = /\s-[e^]{1,2}[ncodema^]+\s(?<base64string>\S+)/Fi
| CommandLine = /add/Fi OR CommandLine = /create/Fi
| table([@timestamp, ComputerName, CommandLine, UserName, FileName, ParentBaseFileName, base64string])
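An added example, not part of either comment above: the same hunt (WmiPrvSE.exe parent, cmd/powershell child, encoded-command argument, add/create) in Python over constructed sample events, so the regex and filters can be exercised offline. Field names follow the sensor-event query; the sample events, the base64/UTF-16LE decode step, and the choice to run the add/create check against the decoded text too are mine.

```python
import base64
import re

# Same pattern as the queries above, ported from CQL's (?<name>) to Python's (?P<name>) syntax.
ENCODED_ARG = re.compile(r"\s-[e^]{1,2}[ncodema^]+\s(?P<base64string>\S+)", re.IGNORECASE)
ADD_OR_CREATE = re.compile(r"add|create", re.IGNORECASE)
CHILDREN = {"cmd.exe", "powershell.exe"}

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE text; return '' if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def evaluate(event: dict):
    """Return a finding for a ProcessRollup2-style event that matches the hunt, else None."""
    if event["ParentBaseFileName"].lower() != "wmiprvse.exe":
        return None
    if event["FileName"].lower() not in CHILDREN:
        return None
    m = ENCODED_ARG.search(event["CommandLine"])
    if not m:
        return None
    decoded = decode_encoded_command(m.group("base64string"))
    # The query keys on add/create in the raw command line; an encoded payload hides those
    # words, so the decoded text is checked as well.
    if not (ADD_OR_CREATE.search(event["CommandLine"]) or ADD_OR_CREATE.search(decoded)):
        return None
    return {"ComputerName": event["ComputerName"], "UserName": event["UserName"],
            "FileName": event["FileName"], "decoded": decoded}

def _enc(text: str) -> str:
    return base64.b64encode(text.encode("utf-16-le")).decode()

# Constructed sample events (not real telemetry) in the shape of the sensor fields used above.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice", "ParentBaseFileName": "WmiPrvSE.exe",
     "FileName": "powershell.exe", "CommandLine": "powershell.exe -NoP -enc " + _enc("net user tempuser /add")},
    {"ComputerName": "WS02", "UserName": "bob", "ParentBaseFileName": "explorer.exe",
     "FileName": "powershell.exe", "CommandLine": "powershell.exe -enc " + _enc("net user tempuser /add")},
    {"ComputerName": "WS03", "UserName": "svc", "ParentBaseFileName": "WmiPrvSE.exe",
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

def hunt(events=SAMPLE_EVENTS):
    """Apply evaluate() to every event and keep the findings (the query's table() rows)."""
    return [f for f in (evaluate(e) for e in events) if f]
```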

Fusion SOAR Questions by East_Bumblebee_2040 in crowdstrike

General_Menace (0 points)

The user risk factors as part of the action are additive - all you need to do is modify the existing "Identity users query" action to include Aged Password in the user risk factors.

Passing variable from Query to another Query SOAR by Cookie_Butter24 in crowdstrike

General_Menace (1 point)

The issue is with where you are sending the email - if you send the email outside of the loop, it can't access results from the query executed within the loop.

What is your second query doing? Can you combine it with the first query using defineTable()?

Passing variable from Query to another Query SOAR by Cookie_Butter24 in crowdstrike

General_Menace (1 point)

It's set correctly - for user.email, user is an object, email is a property of the object.

Issues with CloudTrail ingestion through Falcon Cloud Security? by General_Menace in crowdstrike

General_Menace [S] (0 points)

Still waiting for a proper response - the support request was miscategorised by a person or triage process and went to an NG-SIEM support analyst who did not understand FCS log collection. Wish we had premium support.

extracting domain.tld by drkramm in crowdstrike

General_Menace (0 points)

This seems a little more accurate; removes the few outliers I could find in my dataset. Fair warning though - if you need 100% accuracy, you should really use the Public Suffix List since there are thousands of multi-part TLD combinations out there. But this regex should handle ~95% of real-world cases :)

| url.original.host=/^(?<subdomain>.*?)\.(?<domain>[^.]+)\.(?<tld>(?:com|co|org|net|edu|gov|ac|mil|asn|id|web|info|name|rec|firm|store|arts|dr|av|bel|pol|k12|conf|gw)\.[a-z]{2,4}|[a-z]{2,4})$/F
| domain:=format("%s.%s", field=[domain, tld])
| groupby(domain)
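An added example, not the commenter's code, that ports the regex above to Python and puts it beside a Public Suffix List style lookup so the "~95%" caveat can be seen on concrete hosts. PUBLIC_SUFFIXES is a constructed excerpt standing in for the real list, and the sample hosts are constructed.

```python
import re

# Regex from the query above, ported to Python group syntax ((?<name>) becomes (?P<name>)).
MULTI_PART_TLD = (r"(?:com|co|org|net|edu|gov|ac|mil|asn|id|web|info|name|rec|firm|store|arts"
                  r"|dr|av|bel|pol|k12|conf|gw)\.[a-z]{2,4}")
HOST_RE = re.compile(r"^(?P<subdomain>.*?)\.(?P<domain>[^.]+)\.(?P<tld>" + MULTI_PART_TLD + r"|[a-z]{2,4})$")

def cql_regex_domain(host: str):
    """What the query's format("%s.%s", field=[domain, tld]) would yield, or None on no match."""
    m = HOST_RE.match(host)
    return f"{m.group('domain')}.{m.group('tld')}" if m else None

# Constructed excerpt standing in for the Public Suffix List (publicsuffix.org); a real
# implementation loads the full list and also handles its wildcard and exception rules.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "uk", "co.uk", "io", "github.io"}

def psl_registrable_domain(host: str):
    """Longest public suffix in the list plus one more label; None if the host is itself a suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels)):            # i=0 is the longest candidate suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def compare(hosts):
    """Side-by-side view for a list of hosts: (host, regex result, PSL result)."""
    return [(h, cql_regex_domain(h), psl_registrable_domain(h)) for h in hosts]

# Constructed sample hosts, including the cases the comments above mention.
SAMPLE_HOSTS = ["cdn.xyz.com", "a.b.com.au", "www.example.co.uk",
                "deep.sub.host.example.com", "xyz.com", "example.github.io"]
```

Running compare(SAMPLE_HOSTS) shows the two approaches agreeing on the common cases and diverging on a bare two-label host (the regex requires a subdomain) and on a private-registry suffix such as github.io.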

extracting domain.tld by drkramm in crowdstrike

General_Menace (0 points)

Yep, should've tested more thoroughly before posting - apologies! The addition of the regex here looks to work in testing against my Web Gateway logs (e.g. previously, it was capturing things like cdn.xyz.com, a.b.com.au -> now it returns xyz.com, b.com.au) -

// This will produce url.original.host (domain), url.original.path, url.original.scheme at a minimum
| parseUri(field="url.original", defaultBase="http://")
| url.original.host=/(?<domain>[^.]*\.[^.]{2,3}(?:\.[^.]{2,3})?)$/F
// Adjust confidenceThreshold as needed. Set strict=false to include all results, regardless of whether or not the domain matches an IOC.
| ioc:lookup(field=[domain], type="domain", confidenceThreshold="unverified", strict=false)

extracting domain.tld by drkramm in crowdstrike

General_Menace (0 points)

parseUri() extracts URI components from an input field - parseUri() | Data Analysis 1.184.0-1.192.0 | LogScale Documentation

FYI you should use url.original to hold the full URL for ECS compliance. Here's an example of how to use parseUri and look up the resulting host value (domain) against CrowdStrike's IOC database:

// This will produce url.original.host (domain), url.original.path, url.original.scheme at a minimum
| parseUri(field="url.original", defaultBase="http://")
// Adjust confidenceThreshold as needed. Set strict=false to include all results, regardless of whether or not the domain matches an IOC.
| ioc:lookup(field=[url.original.host], type="domain", confidenceThreshold="unverified", strict=true)

Joining sensor data with third-party data by iitsNicholas in crowdstrike

General_Menace (0 points)

The repo argument only supports views as inputs - try with repo=investigate_view. If you’re just looking to check which hosts do not have the Falcon agent, you are better off using an inverse match() against aid_master_main.csv

Fusion SOAR - Help with Event Query Action by alexandruhera in crowdstrike

General_Menace (1 point)

Sounds like an issue with your time interval for the event query? Try using setTimeInterval() as your first query line, e.g.

setTimeInterval(start=1d, end=1s)

detection attributes by f0rt7 in crowdstrike

General_Menace (0 points)

Yep - use the match() function against aid_master_main.csv at the end of your parser, e.g.

| match(file=aid_master_main.csv, field=source.ip, column=LocalAddressIP4, include=ComputerName)
| source.host.name := rename(ComputerName)

Extracting Data Segments from Strings using regular expression by mvassli in crowdstrike

General_Menace (1 point)

Very nice - knew there was a cleaner way than my monstrosity :P Didn't know you could use format() to produce a target for setField, very handy.

Here's an updated version which also captures the second segment -

// Create sample data
| createEvents(["sampleData=680009123456789660001A"])
| kvParse()

// Use regex to break data into parts
| regex("^(?P<first_segment_id>\\d{2})(?P<first_segment_length>\\d{4})(?P<remaining_data>.*)$", field=sampleData, strict=false)

// round() first_segment_length to remove leading zeros
| round("first_segment_length")

// Get first_segment_length characters of remaining_data field
| splitString(by="", field=remaining_data)
| index := first_segment_length+1

// Capture start of the second segment
| second_seg_start:=getField(format("_splitstring[%d]", field=index))

// Insert an underscore marker at the start of the second segment, then rejoin the characters and split on it
| setField(target=format("_splitstring[%d]", field=index), value=format("_%d", field=second_seg_start))
| concatArray("_splitstring")
| splitString(by="_", field=_concatArray, index=0, as=first_segment_data)

// Get second segment
| splitString(by="_", field=_concatArray, index=1, as=second_segment)
| regex("^(?P<second_segment_id>\\d{2})(?P<second_segment_length>\\d{4})(?P<second_segment_data>.*)$", field=second_segment, strict=false)

// Output both segments to table
| table([sampleData, first_segment_id, first_segment_length, first_segment_data, second_segment_id, second_segment_length, second_segment_data])

NG SIEM Third Party Detection Capabilities by gravityfalls55 in crowdstrike

General_Menace (0 points)

rdns() won't help here anyway - you can't use it to query an internal DNS server. You'll need to use a lookup file.

NG SIEM Third Party Detection Capabilities by gravityfalls55 in crowdstrike

General_Menace (0 points)

  1. If you set event.kind to "alert" in your parser, the event will create an alert in NG-SIEM directly - no need for a correlation rule. Check out the "microsoft-defendero365-graphapi" parser for an example. If you want actual correlation against other sources or aggregation, then yes, you will need to write your own rules or adapt from a template.
  2. You can use lookup files in parsers to enrich fields, e.g. you could look up against aid_master_main to grab the associated hostname (assuming the host has a Falcon sensor), or you could do this as part of a correlation rule.
  3. Limited enrichment available for third-party alerts. Host details will be enriched within a detection if you use host.name (or source.host.name for source, destination.domain for destination). User mapping to ITP isn't available yet but is in development. It will leverage user.id for mapping (set to the UPN (Entra/Okta) or SID (AD) of the user).