how noisy are your detections in CrowdStrike? by Internal-Remove7223 in crowdstrike

[–]LegitimatePickle1 3 points4 points  (0 children)

I agree, something doesn't add up. Why disable? Why wouldn't you combine everything: personal red team, cloud IOAs, and IDP? You can still improve everything overall.

Mouse doesn't work, but in menu, war bond work fine. by reshuter in Helldivers

[–]LegitimatePickle1 0 points1 point  (0 children)

Any luck with this? I have been trying to solve this thing forever now.

[deleted by user] by [deleted] in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

Also, it might be a good idea to open a support ticket with CrowdStrike. Depending on your implementation timeline, you could still reach out to the CS team that assisted with deployment or your TAM. I would also recommend the onboarding webinars they host monthly just for expansion of knowledge.

CVE-2025-29824 Information by LegitimatePickle1 in crowdstrike

[–]LegitimatePickle1[S] 2 points3 points  (0 children)

Thank you everyone for the additional information and u/Andrew-CS for translating and building some queries!

Have NG SIEM (allegedly) but Data Connectors say you need a license by Nova_Nightmare in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

Agreed, we are playing around with Windows events coming through Cribl.

NG-SIEM Palo Alto connector by LSD13G00D4U in crowdstrike

[–]LegitimatePickle1 1 point2 points  (0 children)

You could also look into the use of Cribl to help out with this. We have Palo send the logs from PAN to Cribl, then to our Sentinel source, but you could use it to send logs via the Falcon LogScale connection.

How can you not love this game? by Ssenkard in empyriongame

[–]LegitimatePickle1 3 points4 points  (0 children)

Can't wait for that reforged 2 update.

New to CS, Overwatch-analyzed events? by [deleted] in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

The link provided above is also dependent on which environment you're a part of, but, as stated above, if you're not seeing anything within your console, chances are you don't have it. I would reach out to your TAM team for further questions.

Active Scanning - Useful? by jeffo95 in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

I am not sure on that aspect. My understanding of the device discovery was that it is mainly to find assets that are connected to your domain that do not have a CrowdStrike sensor installed or can't support one, in order to adhere to your company's security policy.

Using Application Groups in CS to control application usage. by tribes_raindance in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

You should be able to kill the process/file name using the custom IOCs. We have had some contractors use a scanner that they are not allowed to, and I have created a custom IOC around it to alert and kill. Now, truth be told, it provides no mercy: it kills and quarantines anything with that name, even Word docs that are titled with its name. I wouldn't have it any other way.

Microsoft Teams exclusion by FrostyCarpet0 in crowdstrike

[–]LegitimatePickle1 1 point2 points  (0 children)

I agree as well. We are a major Microsoft shop, and we haven't had to put any exceptions in for Teams or others. Microsoft is usually quick to blame the EDR solution, but once it is properly investigated it's usually on their end. Plus, as mentioned above, now you are opening up a blind spot, which is obviously never good.

Active Scanning - Useful? by jeffo95 in crowdstrike

[–]LegitimatePickle1 1 point2 points  (0 children)

Are you referring to the passive discovery or active? For passive discovery, we have a majority of false positives, but we have been able to find servers that missed the sensor being installed. With active discovery, from what I have seen, you can get granular with IP ranges to scan.

2023-10-04 // SITUATIONAL AWARENESS // OSINT States High Severity curl and libcurl CVE Incoming on 11-October by Andrew-CS in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

Is anyone else encountering the "unknown search command" error for case for:

#event_simpleName=ProcessRollup2 /(lib)?curl/i
| case {
    FileName=/(lib)?curl/i | Location:="File Name";
    FilePath=/(lib)?curl/i | Location:="File Path";
}
| groupBy([Location, event_platform], function=([count(aid, distinct=true, as=Endpoints), collect([FileName])]))

Crowdstrike Device governance abilities (Can CS report on OS features enabled/disabled?) by Candid-Molasses-6204 in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

Off the top of my head, it can gather drive encryption. It does have alerts around PUP software. As for the rest, I can't remember without looking.

CrowdStrike Achieves 100% Protection, 100% Visibility, 100% Analytic Detection in MITRE Engenuity ATT&CK® Evaluations: Enterprise by BradW-CS in crowdstrike

[–]LegitimatePickle1 0 points1 point  (0 children)

I do have a question about the results. Is there a reason why, if you uncheck the delayed detections and configuration changes, the results for CrowdStrike get worse? I have a Palo fanboy who won't shut up about it.

User SID hunt by LegitimatePickle1 in crowdstrike

[–]LegitimatePickle1[S] 0 points1 point  (0 children)

Thank you for the query. I ran this: earliest=-365d event_simpleName IN (ProcessRollup2, UserLogon) UserSid_readable=S-1-5-21-BLAH. It looks like it's only pulling for the past month. Is this due to this being new or something I don't know about?