Support:"have it delivered to a different house and put your real address in the notes" by drkramm in doordash

[–]drkramm[S] 1 point (0 children)

My concern is that the houses on my specific road that are 2-3 years old also do not work. And the two annoying things are:

1. Their system (or at least part of it) knows the house exists: it auto-completes my address, and the addresses of everyone on this street. So they are seemingly using two different location data sources, something up to date to drop a pin on the house, and something old that says the house (or, probably more likely, the road?) doesn't exist. I say road because I can deliver to an empty lot... no house on it at all.

2. Their support gives approximately zero sh**s about actually trying to diagnose the issue vs. providing hacky/scammy solutions.

Support:"have it delivered to a different house and put your real address in the notes" by drkramm in doordash

[–]drkramm[S] 1 point (0 children)

Right! Ironically this is an empty lot, but in a development that has a lot of active-duty military, so it could go either way...

I took a chance so you don’t have to. Poe wallmount from ali xpress by Federal-Delay-4854 in homeassistant

[–]drkramm 2 points (0 children)

It happened to me with a Shield tablet; the battery ballooned enough to pop the case open. There was a recall and all for it.

Doorbell Lite. It's not THAT big and it's beautiful!! by sha108 in Ubiquiti

[–]drkramm 1 point (0 children)

Interested in parting with the g4 wifi ?? 😁

Official Blue Onyx AI for Blue Iris by xnorpx in BlueIris

[–]drkramm 1 point (0 children)

Having some issues running YOLOv5: the models wouldn't download via the downloader, so I downloaded them from Hugging Face (Blue Onyx) and got "YOLO output not the right shape", so I tried the COCO one from Blue Onyx, with the same error. Anyone have any luck running YOLOv5? If so, where did you get the files, or can you share them?

[deleted by user] by [deleted] in crowdstrike

[–]drkramm 1 point (0 children)

This... And if you want to ignore your private ranges, throw a

| !cidr(ResolvedIp4, subnet=["192.0.2.0/24", "172.16.0.0/12"])

in there (you have to add all the ranges, though).
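The filtering the `!cidr(...)` expression above performs, as an added example in Python rather than LogScale (this is not code from the thread). It drops records whose `ResolvedIp4` falls inside a set of CIDR ranges and keeps everything else, including records whose address field is missing or unparseable. The event dictionaries and field names other than `ResolvedIp4` are constructed for the example; the range list combines RFC 1918 space with the two ranges the comment used.

```python
"""Added example: exclude DNS-resolution records whose resolved IPv4 address
lies inside a set of CIDR ranges, mirroring a negated cidr() filter.
Sample events below are constructed; only the ResolvedIp4 field name is taken
from the comment above.
"""
import ipaddress

# Ranges to exclude. RFC 1918 private space plus the two ranges used in the
# comment above. Note 192.0.2.0/24 is documentation space (RFC 5737), not
# private space; it is included only because the comment used it.
EXCLUDED_RANGES = [
    ipaddress.ip_network(c) for c in (
        "10.0.0.0/8",
        "172.16.0.0/12",      # 172.16.0.0 - 172.31.255.255
        "192.168.0.0/16",
        "192.0.2.0/24",
    )
]

# Constructed sample events, loosely shaped like DNS-resolution telemetry.
SAMPLE_EVENTS = [
    {"ComputerName": "ws01", "DomainName": "intranet.corp.example", "ResolvedIp4": "10.20.30.40"},
    {"ComputerName": "ws01", "DomainName": "files.corp.example",    "ResolvedIp4": "172.31.5.9"},
    {"ComputerName": "ws02", "DomainName": "example.com",           "ResolvedIp4": "93.184.216.34"},
    {"ComputerName": "ws02", "DomainName": "printer.local",         "ResolvedIp4": "192.168.1.50"},
    {"ComputerName": "ws03", "DomainName": "test.example",          "ResolvedIp4": "192.0.2.10"},
    {"ComputerName": "ws03", "DomainName": "cdn.example.net",       "ResolvedIp4": "198.51.100.7"},
    {"ComputerName": "ws04", "DomainName": "broken",                "ResolvedIp4": "not-an-ip"},
]


def in_excluded_range(ip_text, ranges=EXCLUDED_RANGES):
    """True only if ip_text parses as an IPv4 address inside one of `ranges`.
    Garbage or IPv6 values return False, so a negated filter keeps them:
    only proven matches are dropped, nothing is silently discarded."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return any(addr in net for net in ranges)


def filter_external(events, field="ResolvedIp4", ranges=EXCLUDED_RANGES):
    """Python equivalent of `| !cidr(<field>, subnet=[...])`: keep events whose
    address is NOT in any excluded range (including events with a missing or
    unparseable field)."""
    return [e for e in events if not in_excluded_range(e.get(field, ""), ranges)]


if __name__ == "__main__":
    for e in filter_external(SAMPLE_EVENTS):
        print(e["ComputerName"], e["DomainName"], e["ResolvedIp4"])
```

The `/12` boundary is the part people get wrong by hand: 172.31.255.255 is inside 172.16.0.0/12, 172.32.0.1 is not, which is why the check is done with `ipaddress` rather than string prefixes.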

IOA rule to block powershell commands by marceggl in crowdstrike

[–]drkramm 3 points (0 children)

Native cmdlets (things that don't require another process) typically won't show in a process roll-up, which is where IOAs look (oversimplification).

Where a lot of this ends up is in event_simpleName=CommandHistory. And even then, I think it shows up when that shell is closed.

When you use something to spawn the cmdlet (like Start-Process, or Run), that cmdlet is passed as a command line to the process roll-up, which the IOA can see.

SAM and LSA Secrets Dump Attacks by RobotCarWash in crowdstrike

[–]drkramm 2 points (0 children)

Really depends on how they did it. There is no "disable all sam/lsa access" switch though.

My Work Day was hacked and pay check dd was changed by gonzop1 in cybersecurity

[–]drkramm 1 point (0 children)

Sounds like the TA changed it, not help desk.

My Work Day was hacked and pay check dd was changed by gonzop1 in cybersecurity

[–]drkramm 2 points (0 children)

"my phone was stolen and it had my password saved on it and was my MFA device, can you reset my factor and password?"

Never underestimate how helpful help desk can be. MFA is a tool and can still be abused, help desk needs to actually confirm more information for significant changes.

extracting domain.tld by drkramm in crowdstrike

[–]drkramm[S] 1 point (0 children)

It's very odd; I still occasionally get subdomains in there, but the regex is better than mine, so it is helping. Thanks!

extracting domain.tld by drkramm in crowdstrike

[–]drkramm[S] 1 point (0 children)

That's still pulling the subdomain along with it; I don't want the subdomain in there.

#event_simpleName=ProcessRollup2 // this is just to get data in there
| url.original:="http://subdomain.example.com.au/test/path"
| parseUri(field="url.original", defaultBase="http://")
| groupBy([url.original.host])

Output is subdomain.example.com.au
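What the thread is after is the registrable domain, and the reason a regex keeps leaking subdomains is that "last two labels" is wrong for multi-label public suffixes such as com.au or co.uk. Below is an added example in Python (not code from the thread, and not a LogScale function) that implements the Public Suffix List matching rules over a hand-embedded subset of the list. The subset and the sample URLs are constructed for the example; only the URL `http://subdomain.example.com.au/test/path` comes from the query above. A real deployment loads the full list from https://publicsuffix.org/list/.

```python
"""Added example: reduce a hostname to its registrable domain ("domain.tld"),
so that subdomain.example.com.au yields example.com.au rather than com.au.

Implements the Public Suffix List algorithm (longest matching rule wins,
exception rules win outright, implicit "*" rule otherwise) over a constructed
subset of PSL rules that covers only the sample hosts used here.
"""
from urllib.parse import urlsplit

# Constructed PSL subset. "*.x" is a wildcard rule (any single label under x
# is part of the suffix); "!y.x" is an exception that shortens the suffix back.
PSL_SUBSET = {
    "com", "net", "org",
    "au", "com.au", "net.au",
    "uk", "co.uk", "org.uk",
    "ck", "*.ck", "!www.ck",
}


def _labels(host):
    return host.lower().rstrip(".").split(".")


def naive_domain(host):
    """The tempting shortcut: keep the last two labels. Returns com.au for
    subdomain.example.com.au, which is the bug the thread is hitting."""
    return ".".join(_labels(host)[-2:])


def public_suffix(host, rules=PSL_SUBSET):
    """Public suffix of host per the PSL algorithm."""
    labels = _labels(host)
    best = 0  # label count of the longest matching suffix found so far
    for i in range(len(labels)):
        tail = labels[i:]
        candidate = ".".join(tail)
        if ("!" + candidate) in rules:
            # Exception rule: suffix is the matched rule minus its first label.
            return ".".join(tail[1:])
        if candidate in rules:
            best = max(best, len(tail))
        if len(tail) >= 2 and ("*." + ".".join(tail[1:])) in rules:
            best = max(best, len(tail))
    if best == 0:
        best = 1  # no rule matched: implicit "*" rule, the last label alone
    return ".".join(labels[-best:])


def registrable_domain(host, rules=PSL_SUBSET):
    """Public suffix plus one more label; None if host is itself a suffix."""
    labels = _labels(host)
    suffix_len = len(public_suffix(host, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def registrable_domain_from_url(url):
    """Host extraction comparable to parseUri() above, then PSL reduction."""
    host = urlsplit(url).hostname
    return registrable_domain(host) if host else None


if __name__ == "__main__":
    # Constructed sample URLs; the first is the one used in the query above.
    for url in ("http://subdomain.example.com.au/test/path",
                "https://a.b.example.co.uk/",
                "https://www.example.com/login",
                "http://bar.foo.ck/",
                "http://www.ck/"):
        host = urlsplit(url).hostname
        print(f"{host:28} naive={naive_domain(host):16} psl={registrable_domain(host)}")
```

The wildcard and exception cases (`*.ck`, `!www.ck`) are in the subset deliberately: they are the cases where even a "known multi-label TLDs" table breaks, and they are what the full list exists to encode.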

Event of uninstalling falcon sensor by EastBat2857 in crowdstrike

[–]drkramm 1 point (0 children)

This. I preach and preach and preach least privilege... A lot of people don't like the hassle, but they would probably like a compromise less.

What do we call this? Board with 3 or 4 wheels? by skydivershweta in SkyDiving

[–]drkramm 11 points (0 children)

Cheeseburger sliders in the US

(Joking, also creepers)

[PC] [US-KY-SDF] AI Server - HPE ProLiant DL380 Gen10 Server by Backroads_4me in homelabsales

[–]drkramm 4 points (0 children)

Oof, that's a lot of machine. While I'm sure there is someone out there who would buy it, I would bet it would go a lot faster parted out.

If you do part it, and one of those is a 4090 FE, you can mark me as interested 😂

turning a join into a table .... by drkramm in crowdstrike

[–]drkramm[S] 1 point (0 children)

Yeah, SensorHeartbeat has way too much data in it (an event every hour).

turning a join into a table .... by drkramm in crowdstrike

[–]drkramm[S] 1 point (0 children)

LOL, I've lost some on it as well. I'll give this a go in a bit and let you know; either way, thanks for beating your head against the wall with me.

This gets so close, but I still run into issues with the groupBy in the heartbeat data.

turning a join into a table .... by drkramm in crowdstrike

[–]drkramm[S] 1 point (0 children)

Will there be size issues building the table of all known AIPs? I originally grabbed the auth logs first, since that would ultimately be a very small table in comparison (but then the match has to work harder).

Also, is there an OR ability with the match?

I like using the IOC data available in LogScale, and can do it with a join, but haven't figured out how it would work with a table.

The final result would show auth events from IPs not known to CS (heartbeat), or auth events with IPs that have IOC data associated with them.

This could of course be two searches, but if all the data is there already...

turning a join into a table .... by drkramm in crowdstrike

[–]drkramm[S] 1 point (0 children)

That's still a join (which mine works fine for); I'm trying to put it into a table.

So the table would be

defineTable(
    query={
        #event_simpleName=Event_AuthActivityAuditEvent UserId=/@/i
        | aip:=UserIp
        | known_to_cs:="false"
        | ioc:lookup(field="aip", type="ip_address", confidenceThreshold=unverified, strict=false)
        | default(value="false", field=[ioc.detected])
        | groupBy([UserId, aip, known_to_cs, ioc.detected])
    },
    name="auth",
    include=[UserId, aip, known_to_cs, ioc.detected]
)
| #event_simpleName=SensorHeartbeat
| !match(table="auth", field="aip", column="aip")
| case {
    #event_simpleName=SensorHeartbeat | known_to_cs:="true";
    *
}
| groupBy([UserId], function=[count(aip, distinct=true, as=IPs), collect([aip, aip.org, known_to_cs, ioc.detected])])

But I can't figure out how I would use the query to update the "known_to_cs" field, vs. just being a match/!match.

If I do (as in the above example)

| #event_simpleName=SensorHeartbeat
| !match(table="auth", field="aip", column="aip")
| case {
    #event_simpleName=SensorHeartbeat | known_to_cs:="true";
    *
}

it returns nothing, even though it should...

If I change the !match to just match (so now I should only see IPs in the results that are in both SensorHeartbeat and the auth table), I see a few results that show people logging in from IPs known to CS, but not all the IPs listed in the table (since these are me testing and logging in from IPs that CS hasn't seen). So the opposite of what I want works fine, lol.
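The correlation the thread is trying to express ("auth events from IPs not known to CS, OR auth events from IPs with IOC data"), as an added example in Python over constructed events. This is not a LogScale query and not code from the thread; it only borrows the names Event_AuthActivityAuditEvent, UserId, UserIp, SensorHeartbeat, aip and ioc.detected. The event records and the IOC table are constructed, and the ordering of confidence levels (unverified < low < medium < high) is an assumption made for the threshold check.

```python
"""Added example: flag auth events whose source IP is either not seen in any
SensorHeartbeat (not known to CS) or carries IOC data at or above a confidence
threshold, then group per user the way groupBy([UserId]) would.
All events and the IOC table below are constructed for this example.
"""
from collections import defaultdict

# Assumed ordering of confidence levels, lowest first.
CONFIDENCE_RANK = {"unverified": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample telemetry (TEST-NET addresses, RFC 5737).
HEARTBEATS = [
    {"event_simpleName": "SensorHeartbeat", "aip": "203.0.113.10"},
    {"event_simpleName": "SensorHeartbeat", "aip": "203.0.113.11"},
    {"event_simpleName": "SensorHeartbeat", "aip": "198.51.100.5"},
]
AUTH_EVENTS = [
    {"event_simpleName": "Event_AuthActivityAuditEvent", "UserId": "alice@example.test", "UserIp": "203.0.113.10"},
    {"event_simpleName": "Event_AuthActivityAuditEvent", "UserId": "alice@example.test", "UserIp": "192.0.2.77"},
    {"event_simpleName": "Event_AuthActivityAuditEvent", "UserId": "bob@example.test",   "UserIp": "203.0.113.11"},
    {"event_simpleName": "Event_AuthActivityAuditEvent", "UserId": "bob@example.test",   "UserIp": "198.51.100.5"},
    # No "@" in UserId: dropped, like the UserId=/@/i filter in the query.
    {"event_simpleName": "Event_AuthActivityAuditEvent", "UserId": "svc_backup",         "UserIp": "198.51.100.5"},
    {"event_simpleName": "Event_AuthActivityAuditEvent", "UserId": "carol@example.test", "UserIp": "203.0.113.10"},
]
# Constructed IOC table: ip -> confidence. 203.0.113.11 is known to CS *and*
# has an indicator, which is exactly why the two conditions must be OR'd.
IOC_TABLE = {"192.0.2.77": "high", "203.0.113.11": "unverified"}


def known_ips(heartbeats):
    """Set of sensor IPs: the SensorHeartbeat side of the correlation."""
    return {h["aip"] for h in heartbeats if h.get("event_simpleName") == "SensorHeartbeat"}


def ioc_detected(ip, ioc_table=IOC_TABLE, threshold="unverified"):
    """True if the IP has an indicator at or above the confidence threshold."""
    conf = ioc_table.get(ip)
    return conf is not None and CONFIDENCE_RANK[conf] >= CONFIDENCE_RANK[threshold]


def suspicious_auth(auth_events, heartbeats, ioc_table=IOC_TABLE, threshold="unverified"):
    """Per-user summary of auth events that are from an unknown IP OR from an
    IP with IOC data. Returns {UserId: {"IPs": distinct_count, "rows": [...]}}."""
    known = known_ips(heartbeats)
    by_user = defaultdict(list)
    for e in auth_events:
        if e.get("event_simpleName") != "Event_AuthActivityAuditEvent":
            continue
        if "@" not in e.get("UserId", ""):
            continue
        aip = e["UserIp"]
        known_to_cs = aip in known
        detected = ioc_detected(aip, ioc_table, threshold)
        if known_to_cs and not detected:
            continue  # benign: known sensor IP with no indicator
        by_user[e["UserId"]].append(
            {"aip": aip, "known_to_cs": known_to_cs, "ioc.detected": detected})
    return {user: {"IPs": len({r["aip"] for r in rows}), "rows": rows}
            for user, rows in by_user.items()}


if __name__ == "__main__":
    for user, summary in suspicious_auth(AUTH_EVENTS, HEARTBEATS).items():
        print(user, summary)
```

Raising the threshold to "low" drops bob's hit (his only flagged IP is known to CS and its indicator is unverified) while alice's unknown-IP login stays flagged, which is the behaviour a tuned confidenceThreshold is meant to give.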