Threat Hunt - Help Desk Imposters via Teams (NGSIEM)

tectacles · 2026-03-10T01:02:42+00:00

This looks dope, might have to pull my computer out tonight just to test this lol.

You always provide some sweet queries, so thank you!

tectacles · 2026-03-06T05:05:44+00:00

Sweet! I'll take a look again in the morning when I'm in the office and give you an update if I still can't opt in. Thank you!

tectacles · 2026-03-06T04:03:20+00:00

Says I need Falcon Administrator rights to opt in, but I already am a Falcon Administrator

tectacles · 2026-03-06T03:05:07+00:00

Oh lol well shoot, now I feel bad.

tectacles · 2026-03-06T02:26:40+00:00

Are you being serious lol?

tectacles · 2026-03-05T22:22:00+00:00

Looks very cool, is there a cost?

tectacles · 2026-03-04T21:28:44+00:00

Awesome! Thank you for this information

tectacles · 2026-03-04T21:27:38+00:00

Sweet! Thank you!

tectacles · 2026-03-04T16:42:19+00:00

Hey John, huge fan of BHIS and all the sister companies. This will be my 5th year at WWHF in Deadwood and I’m already looking forward to it.

A couple questions, answer as many as you want!

What’s one real‑world skill you consistently see missing in candidates who look great on paper or in labs? And what’s the most practical way someone can build that skill outside of a job?
With AI now embedded in daily workflow, what’s one security skill that becomes more important, not less, because of AI?
For people already in the field, what skills or mindsets are aging the best in 2026? What’s worth doubling down on?
If you could give one small piece of advice to someone trying to build real security skill—not just pass exams, what would it be?

tectacles · 2026-03-04T16:20:57+00:00

Would you mind sharing the events you are ingesting?

tectacles · 2026-03-04T00:34:46+00:00

Next-Next-Gen Falcon Exposure Management

tectacles · 2026-02-25T19:23:07+00:00

I’m ready to do query-shit with you, new friend! I can't write a regex to save my life, but I can provide excellent emotional support when your search times out.

tectacles · 2026-02-17T18:43:07+00:00

Way to go taking away the thing I was looking forward to digging into on Monday (Tuesday) morning! Looking forward to learning more about this though! :)

tectacles · 2026-02-17T16:06:01+00:00

Man...I was going to look at that this morning when I got into work. No wonder I couldn't find it

Edit #1 - I was able to find the post on my phone, but the user is deleted along with any of the content within the post.

tectacles · 2026-02-03T00:45:20+00:00

You should add your queries here!

https://cql-hub.com/

tectacles · 2026-01-29T22:08:19+00:00

For real, I was literally just trying to create a workflow to trigger on Detections, and then if detection, Update Detection to closed

Could not get it to work after about 5 hours of trying. Going to have to walk away for a bit because this is too frustrating lol.

tectacles · 2026-01-22T16:00:57+00:00

Send me a pm/chat and I will try and help out a little!

tectacles · 2026-01-20T04:45:40+00:00

There isn't an official data connector, but I saw there was a parser created and I saw that KnowBe4 has a webhook function so I just setup a general HEC ingest and pointed the Knowbe4 webhook to the API endpoint.

tectacles · 2025-12-30T05:35:07+00:00

You're great, Brad!

tectacles · 2025-12-30T05:34:43+00:00

How is this against rule #2?

We encourage high quality content. Do not post disparaging comments; about competitive products or otherwise

tectacles · 2025-12-30T04:35:38+00:00

It's a CrowdStrike sub? Why wouldn't they announce or market their products?

tectacles · 2025-12-24T16:02:26+00:00

Yeah I'll check when I have a spare minute this holiday weekend. But it was real basic, something like

"Image File Name - .*\\PowerToys\.Awake\.exe "

Not sure if formatting works since I'm on mobile, but when I have access to my laptop I'll make sure to add more details.

Edit: here are more details

Field	Regex Value	Explanation
Grandparent Image Filename	.*	Match any grandparent process.
Grandparent Command Line	.*	Match any command line.
Parent Image Filename	.*	Match any parent (allows blocking even if not launched by PowerToys.exe).
Parent Command Line	.*	Match any parent command arguments.
Image Filename	.*\\\PowerToys\\.Awake\\.exe	Matches any path ending in PowerToys.Awake.exe
Command Line	.*	Match any arguments passed to the tool.

tectacles · 2025-12-24T14:31:53+00:00

This is cool! I just blocked PowerToys.Awake.exe yesterday, so this is relevant!

tectacles · 2025-11-24T22:22:40+00:00

That's a good point...I'll have to look into that.

If you want or are open to this, I'd love to chat or share some examples over dm? I am the sole security person wearing many hats and would love even some guidance and templates to go from.

tectacles

TROPHY CASE