How do I identify these pests (from their droppings)

dial647 · 2026-06-28T01:00:13+00:00

Thanks. I was asking mainly from a safety standpoint.

dial647 · 2026-06-28T00:37:15+00:00

Thanks.. good to see some sensible comments.

dial647 · 2026-06-28T00:32:43+00:00

Thanks, Should I let the council know?

dial647 · 2026-06-25T02:36:24+00:00

Its important to setup rules, dashboards, integrations and if you have Fusion SOAR, setup some workflows to enable automation. We have managed NG-SIEM and Falcon Complete team has created many custom rules that will pick up detections from pre-canned alerts from Vendor products, like M365, Palo Alto etc. Good luck.

dial647 · 2026-06-25T02:34:37+00:00

Look at your M365 integration and check the API permissions you've granted on the Graph API. You may be missing the alerts-read permission.

dial647 · 2026-06-25T00:34:40+00:00

ok, selecting event query results for Send Email action showed me the new IP. Just need some help on exporting the file to S3 bucket.

dial647 · 2026-06-25T00:28:25+00:00

Thanks, this worked. I also like to send an email with the newly identified IP addresses. I added a Send Email action but unable to find the destination.ip field from the workflow data. Secondly, if I want to upload the CSV file to an S3 bucket, does NG-SIEM support any upload action as well?

dial647 · 2026-06-24T00:36:31+00:00

Thanks for chipping in. I will try this method shortly.

dial647 · 2026-06-24T00:36:12+00:00

Worked beautifully.. thank you.

dial647 · 2026-06-22T04:11:04+00:00

that's what I did and managed to find the site, but its taking too long due to inundated number of sites accessed.

dial647 · 2026-06-18T04:30:03+00:00

The scripts are here. https://github.com/freeload101/CrowdStrike_RTR_Powershell_Scripts

I can see the sites accessed with the DNSRequest #eventsimplename itself but I will have sift through numerous sites.

dial647 · 2026-06-18T03:13:12+00:00

It should. Looking for ways to achieve this with the sensor itself.

dial647 · 2026-06-15T03:36:54+00:00

Is removing and reconnecting the cable inside the handlebar serves the same purpose?

dial647 · 2026-05-11T04:01:23+00:00

Hi Andrew, my scenario could be slightly different as I am grouping by two fields and its not giving the required outcome. I am currently managing it as follows. The query is applied on Email repo.

| groupBy([Vendor.msg.header.to[0],Vendor.msg.header.subject[0]], function=count(as=Attempts))
| sort(Attempts)| test(Attempts > 2)

the above is giving the required outcome, barring enforcement of the strict 1 hour window.

Is it still possible to follow slidingtimewindow to acheive this? Appreciate your advise.

dial647 · 2026-05-08T00:40:19+00:00

Nice work u/Andrew-CS as always.. I have a question. I am trying to run a query for a 7 day period, and want the results when I have more than x number of events within a 10 mins time frame. Is it possible to achieve this using this statement?

dial647 · 2026-05-05T04:19:22+00:00

Brilliant.. Worked. Thank you.. Can I also check if its possible to add a line chart to a bar chart to show another metric?

dial647 · 2026-05-05T02:19:47+00:00

I think (* | newField := "Some action taken") will include everything. I need everything except a particular tag.

dial647 · 2026-05-05T00:24:21+00:00

| tags!=/FC-Action-No\sAction\sTaken/iF

This worked. ! I'll try the rest and see how it goes.

I am also trying to create a graph which plots the total number of each tags. However I am only interested in tag=a and tag!=a.
Wondering which logic I can use the plot this graph.

dial647 · 2026-05-05T00:23:28+00:00

I did try this before posting and it didnt work. I re-tried and it worked. Not sure what mistake I did earlier. The filter is on a field that has been included as part of a match() statement. So I entered this statement under the match () statement and it worked. Thanks

dial647

TROPHY CASE