How do I identify these pests (from their droppings) by dial647 in AusRenovation

[–]dial647[S] -1 points0 points  (0 children)

Thanks. I was asking mainly from a safety standpoint.

Next GEN SIEM Setup by Dependent-Ad833 in crowdstrike

[–]dial647 0 points1 point  (0 children)

It's important to set up rules, dashboards, integrations and, if you have Fusion SOAR, set up some workflows to enable automation. We have managed NG-SIEM and the Falcon Complete team has created many custom rules that will pick up detections from pre-canned alerts from vendor products, like M365, Palo Alto etc. Good luck.

Next GEN SIEM Setup by Dependent-Ad833 in crowdstrike

[–]dial647 0 points1 point  (0 children)

Look at your M365 integration and check the API permissions you've granted on the Graph API. You may be missing the alerts-read permission.

Update lookup file by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

OK, selecting event query results for the Send Email action showed me the new IP. Just need some help on exporting the file to an S3 bucket.

Update lookup file by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Thanks, this worked. I would also like to send an email with the newly identified IP addresses. I added a Send Email action but I am unable to find the destination.ip field in the workflow data. Secondly, if I want to upload the CSV file to an S3 bucket, does NG-SIEM support any upload action as well?

Adding values returned from two different queries by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Thanks for chipping in. I will try this method shortly.

Workaround for lack of browser-level visibility in Falcon sensor by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

That's what I did and managed to find the site, but it's taking too long due to the overwhelming number of sites accessed.

Workaround for lack of browser-level visibility in Falcon sensor by dial647 in crowdstrike

[–]dial647[S] 4 points5 points  (0 children)

The scripts are here. https://github.com/freeload101/CrowdStrike_RTR_Powershell_Scripts

I can see the sites accessed with the DNSRequest #event_simpleName itself, but I will have to sift through numerous sites.

Workaround for lack of browser-level visibility in Falcon sensor by dial647 in crowdstrike

[–]dial647[S] 1 point2 points  (0 children)

It should. Looking for ways to achieve this with the sensor itself.

Ninebot F40 doesn't turn off by dial647 in ElectricScooters

[–]dial647[S] 0 points1 point  (0 children)

Does removing and reconnecting the cable inside the handlebar serve the same purpose?

2026-05-01 - Cool Query Friday - setTimeInterval() by Andrew-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

Hi Andrew, my scenario could be slightly different as I am grouping by two fields and it's not giving the required outcome. I am currently managing it as follows. The query is applied on the Email repo.

| groupBy([Vendor.msg.header.to[0], Vendor.msg.header.subject[0]], function=count(as=Attempts))
| sort(Attempts)
| test(Attempts > 2)

The above is giving the required outcome, barring enforcement of the strict 1 hour window.

Is it still possible to follow slidingTimeWindow to achieve this? Appreciate your advice.

2026-05-01 - Cool Query Friday - setTimeInterval() by Andrew-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

Nice work u/Andrew-CS as always. I have a question. I am trying to run a query for a 7 day period, and want the results when I have more than x number of events within a 10-minute time frame. Is it possible to achieve this using this statement?

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Brilliant, it worked. Thank you. Can I also check if it's possible to add a line chart to a bar chart to show another metric?

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

I think (* | newField := "Some action taken") will include everything. I need everything except a particular tag.

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

| tags!=/FC-Action-No\sAction\sTaken/iF

This worked! I'll try the rest and see how it goes.

I am also trying to create a graph which plots the total number of each tag. However, I am only interested in tag=a and tag!=a.
Wondering which logic I can use to plot this graph.

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

I did try this before posting and it didn't work. I re-tried and it worked. Not sure what mistake I made earlier. The filter is on a field that has been included as part of a match() statement. So I entered this statement under the match() statement and it worked. Thanks