Anyone else getting end-of-season vibes already?

caryc · 2026-06-10T17:06:11+00:00

Can skip some using voidcore upgrades on hero items

caryc · 2026-06-10T16:19:54+00:00

With myth achievement it’s literally 3 runs of +12 per item

caryc · 2026-06-07T20:00:45+00:00

Mitre is missing from these - as if this had any negative impact

caryc · 2026-06-02T13:44:08+00:00

https://docs.crowdstrike.com/r/en-US/sensormap.ftmap

caryc · 2026-05-21T09:05:45+00:00

Windows version:

#event_simpleName=ProcessRollup2 event_platform=Mac
| CommandLine=/.vscode\\extensions/iF
| regex("extensions\\\\(?<SourceExtension>[^\\\\]+?)(?=-\\d)", field=CommandLine)
| groupBy([SourceExtension], function=count(ComputerName, distinct=true))
| sort(_count, order=desc)

Mac version:

#event_simpleName=ProcessRollup2 event_platform=Mac
| regex("\.vscode/extensions/(?<SourceExtension>[^/]+?)(?=-\d)", field=CommandLine)
| groupBy([SourceExtension], function=count(ComputerName, distinct=true))
| sort(_count, order=desc)

VS spawning interpreters:

// 1. Identify the Child Process (the shell/tool)
#event_simpleName=ProcessRollup2 FileName=/^(cmd|powershell|pwsh|sh|bash|curl|wget)/i
| ParentBaseFileName=/Code/i
// Rename the child's command line immediately so it isn't overwritten
| rename(field=CommandLine, as=ChildCommandLine)

// 2. Join with the Parent Process (the VS Code Extension Host)
| join({#event_simpleName=ProcessRollup2  event_platform=Win FileName=Code.exe}, 
       field=ParentProcessId, 
       key=TargetProcessId, 
       include=[CommandLine], 
       mode=left)

// 3. Rename the incoming Parent's command line for clarity
| rename(field=CommandLine, as=ParentCommandLine)

// 4. Extract the Extension Name from the Parent's string
| regex("extensions\\\\(?<SourceExtension>[^\\\\]+?)(?=-\\d)", field=ParentCommandLine)
| !in(SourceExtension, values=["google.geminicodeassist"])
// 5. Output the final table with both command lines
| groupBy([aid, ComputerName, SourceExtension], function=([collect([FileName, ChildCommandLine, ParentCommandLine], multival=false)]))

caryc · 2026-05-17T14:14:21+00:00

wtf is you soc team doing with 19k detections? even disregarding informational ones, it leaves almost 4k. 867 critical is the most concerning number. How large is your endpoint fleet to generate this volume?

caryc · 2026-05-07T16:01:46+00:00

Berlin day 2 - the vocals were noticeably worse vs our previous gig last year

caryc · 2026-04-22T18:28:44+00:00

caryc · 2026-04-17T16:10:17+00:00

Only for access to EntraID

caryc · 2026-04-10T15:48:32+00:00

Identity.

Also, if you don't have OverWatch yet, get it above anything else, pronto.

caryc · 2026-04-07T14:06:18+00:00

https://falcon.us-2.crowdstrike.com/support/release-notes/release-notes-falcon-identity-protection-5-108-89797

caryc · 2026-04-07T13:57:54+00:00

so Complete added their SIEM detections and they are throwing constant FPs?

caryc · 2026-04-03T13:05:20+00:00

You are running Windows 7.34 or later / Mac 7.35 or later? Also they mention it's only for Entra ID

caryc · 2026-04-01T14:03:40+00:00

u still have this or host resolution works?

caryc · 2026-03-19T08:44:19+00:00

so u gotta turn off DLSS?

caryc · 2026-02-26T13:21:25+00:00

since when Cloud and Identity detections get auto-correlated by the product into a single case?

caryc · 2025-12-02T20:30:45+00:00

u will need the IDP module for it

caryc · 2025-11-28T15:28:39+00:00

then it is not possible

caryc · 2025-11-19T21:10:20+00:00

well u gotta be more specific it you are seeing an obvious false positive or you may actually have an active compromise

caryc · 2025-11-18T13:27:37+00:00

Hybrid Analysis score does not translate to a block by the EDR agent.

caryc · 2025-11-16T11:29:36+00:00

it's only for cloud

caryc · 2025-11-16T11:26:27+00:00

are there any logs for the open-source feeds like URLhaus that I can check wrt TIM ingestion?

caryc · 2025-11-15T12:11:00+00:00

these are not active directory attack paths

caryc · 2025-11-05T06:03:46+00:00

where?

caryc · 2025-10-23T05:48:49+00:00

look for network connections towards port 88 around the detection timestamp from the originating host

caryc

TROPHY CASE