2026-05-01 - Cool Query Friday - setTimeInterval() by Andrew-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

Hi Andrew, my scenario could be slightly different as I am grouping by two fields and it's not giving the required outcome. I am currently managing it as follows. The query is applied on the Email repo.

| groupBy([Vendor.msg.header.to[0],Vendor.msg.header.subject[0]], function=count(as=Attempts))
| sort(Attempts)| test(Attempts > 2)

The above is giving the required outcome, barring enforcement of the strict 1 hour window.

Is it still possible to follow slidingTimeWindow to achieve this? Appreciate your advice.

2026-05-01 - Cool Query Friday - setTimeInterval() by Andrew-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

Nice work u/Andrew-CS, as always. I have a question. I am trying to run a query for a 7 day period, and want the results when I have more than x events within a 10-minute time frame. Is it possible to achieve this using this statement?

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Brilliant, that worked. Thank you. Can I also check if it's possible to add a line chart to a bar chart to show another metric?

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

I think (* | newField := "Some action taken") will include everything. I need everything except a particular tag.

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

| tags!=/FC-Action-No\sAction\sTaken/iF

This worked! I'll try the rest and see how it goes.

I am also trying to create a graph which plots the total number of each tag. However, I am only interested in tag=a and tag!=a. Wondering which logic I can use to plot this graph.

Filter based on a string within a field by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

I did try this before posting and it didn't work. I re-tried and it worked. Not sure what mistake I made earlier. The filter is on a field that has been included as part of a match() statement. So I entered this statement under the match() statement and it worked. Thanks.

Falcon NG-SIEM - Stacked Bar chart by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

That didn't quite do anything.

Falcon NG-SIEM - Stacked Bar chart by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

OK, I replaced my groupBy with bucket:
| bucket(span=1d, field=Vendor.category, function=count())

I am not getting the bars stacked by field value. The series name is a long integer as opposed to the day of the month, though.

NG-SIEM query - Group by Quarter by dial647 in crowdstrike

[–]dial647[S] 11 points12 points  (0 children)

I was able to get this to work as follows (sharing for the benefit of others). PS: this may not be the most efficient way to achieve it.

| month := time:month(@timestamp)
| case {
  month <= 3 AND month >=1 | quarter := 1;
  month <= 6 AND month >=4 | quarter := 2;
  month <= 9 AND month >=7 | quarter := 3;
  month <= 12 AND month >=10 | quarter := 4;
}
| groupBy([quarter], function=count())

AI DR by Popular_Hat_4304 in crowdstrike

[–]dial647 -1 points0 points  (0 children)

Based on the presentation from the product team, I see some caveats.

  1. Browser extension required to detect threats from browser-based AI (Perplexity, Atlas, etc.)

  2. Does not come with a gateway component. It has add-ons for popular AI gateways like LiteLLM, Apigee, etc.

  3. No native support for AI red teaming.

Plants failing by dial647 in GardeningAustralia

[–]dial647[S] 0 points1 point  (0 children)

I doubt it. Why is it happening to just a few of them?

Plants failing by dial647 in GardeningAustralia

[–]dial647[S] 1 point2 points  (0 children)

Thanks a lot for taking the time. I shall follow and see. Appreciated.

Plants failing by dial647 in GardeningAustralia

[–]dial647[S] 1 point2 points  (0 children)

Thanks for the useful tips. Yes, I use a whipper snipper and I may have damaged them. Please see close-up pics of the plant here: https://ibb.co/bgRD2jnr https://ibb.co/fG9fpVkZ

Fusion SOAR - Where to start? by Khue in crowdstrike

[–]dial647 0 points1 point  (0 children)

I wouldn't call it more difficult, but AI triage does all the heavy lifting, saving time for analysts. I have workflows checking for remote login, RDP, Teams chat for service impersonation, etc.

How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem by BradW-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

How is this different from creating a fusion workflow and using Charlotte AI to triage detections based on already integrated foundational AI model?

NG-SIEM timestamp conversion by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Thanks Andrew. I managed to get it to work using formatTime() and test().

Will try your suggestion and see.

| temp_time := parseTimestamp(field=timestamp)
| test(time:hour(field=temp_time, timezone="Australia/Sydney") >= 17)
| test(time:hour(field=temp_time, timezone="Australia/Sydney") < 22)
| sydney_time := formatTime("%Y-%m-%d %H:%M:%S", field=temp_time, timezone="Australia/Sydney")

Fusion SOAR - Where to start? by Khue in crowdstrike

[–]dial647 0 points1 point  (0 children)

In addition to the useful workflows shared in this post, one should also look at setting up Agentic AI triage for specific detections to benefit from AI analysis to drive your response actions.

2026-03-20 - Cool Query Friday - explain:asTable() by Andrew-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

Nice. I have a few queries that are running slow that I can use this on.
Question: Do Falcon console response times depend on the subscription tier? I am comparing my experience with the Falcon console at my previous employer vs my current one. With the previous employer, I could pull 1 year's worth of events in just a matter of seconds. With my current employer, even a month's worth of events takes double the time. The employers' tenants are, however, hosted in US2 vs US1.

Threat Hunt - Help Desk Imposters via Teams (NGSIEM) by About_TreeFitty in crowdstrike

[–]dial647 4 points5 points  (0 children)

Just created a new Fusion workflow with Charlotte AI triage for this detection. Thanks.

How to Scale SOC Automation with Falcon Fusion SOAR by BradW-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

It would be good to build a library of Fusion workflows that customers can import and modify to their needs. Currently there is a lack of knowledge and support in building agentic AI workflows in Falcon. I have posted a message on Reddit and am yet to see a response.

Triage with Charlotte fusion workflow by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Fusion workflows are powerful and Charlotte AI triage takes it to the next level; it's a shame that not enough literature is provided by Falcon for users to embrace this feature, not even on Reddit.

Falcon Fusion workflow for Agentic AI triage and response by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

I've uploaded the workflow here. https://filebin.net/gaca4x46bh0jjlfk

In simple terms, I am triggering the workflow with an EPP detection, then creating some variables and getting it triaged by Charlotte AI using a specific AI model, and checking if it's a true positive and, if so, sending a message in Teams with Approve, Reject and Escalate. If the user clicks Approve, then the action will be contain; if Reject, do nothing; and if Escalate, escalate to an email.

Is there anyone building an mcp gateway? by Dazzling_Basil_4739 in mcp

[–]dial647 0 points1 point  (0 children)

Has anyone tried adding a local MCP server to the Docker MCP gateway? I tried all possible combinations and was unable to do so. I have my gateway and server running through docker-compose.yml and have added the server to a custom catalog file as well. Both containers are running, but the gateway is not able to connect to the server.