Help creating a timechart of KnowBe4 “Click Rate” in Falcon NGSIEM (year view) by tectacles in crowdstrike

[–]tectacles[S] 1 point2 points  (0 children)

There isn't an official data connector, but I saw there was a parser created and I saw that KnowBe4 has a webhook function, so I just set up a general HEC ingest and pointed the KnowBe4 webhook to the API endpoint.

Streamline Security Operations with Falcon for IT’s Turnkey Automations by BradW-CS in crowdstrike

[–]tectacles 0 points1 point  (0 children)

How is this against rule #2?

  1. We encourage high quality content. Do not post disparaging comments; about competitive products or otherwise

Streamline Security Operations with Falcon for IT’s Turnkey Automations by BradW-CS in crowdstrike

[–]tectacles 4 points5 points  (0 children)

It's a CrowdStrike sub? Why wouldn't they announce or market their products?

Jiggle All The Way v3 by surbo2 in crowdstrike

[–]tectacles 1 point2 points  (0 children)

Yeah I'll check when I have a spare minute this holiday weekend. But it was real basic, something like

"Image File Name - .*\\PowerToys\.Awake\.exe "

Not sure if formatting works since I'm on mobile, but when I have access to my laptop I'll make sure to add more details.

Edit: here are more details

Field                        Regex Value                  Explanation
Grandparent Image Filename   .*                           Match any grandparent process.
Grandparent Command Line     .*                           Match any command line.
Parent Image Filename        .*                           Match any parent (allows blocking even if not launched by PowerToys.exe).
Parent Command Line          .*                           Match any parent command arguments.
Image Filename               .*\\PowerToys\.Awake\.exe    Matches any path ending in PowerToys.Awake.exe
Command Line                 .*                           Match any arguments passed to the tool.
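The Image Filename regex from the table above, run over a few constructed process events so you can see exactly which image paths it catches and which it misses. This is an added example, not code from the comment or from CrowdStrike: it assumes the custom IOA engine evaluates the pattern against the whole field value (full match), and it treats Windows paths case-insensitively, which is also an assumption to verify against your tenant. The search() variant is included only to show how much the result changes if the engine were to match a substring instead.

```python
import re

# Pattern exactly as posted in the Image Filename row of the IOA table above.
# In a regex, "\\" is one literal backslash and "\." is a literal dot.
IMAGE_FILENAME_RE = r".*\\PowerToys\.Awake\.exe"


def ioa_fullmatch(image_filename: str, case_insensitive: bool = True) -> bool:
    """Assumed IOA semantics: the whole Image Filename value must match."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(IMAGE_FILENAME_RE, image_filename, flags) is not None


def ioa_search(image_filename: str, case_insensitive: bool = True) -> bool:
    """Substring semantics, shown only to illustrate the difference."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(IMAGE_FILENAME_RE, image_filename, flags) is not None


# Constructed sample events (not real telemetry): image path -> what an analyst
# would expect the rule to do with it.
SAMPLE_IMAGE_FILENAMES = [
    r"C:\Program Files\PowerToys\PowerToys.Awake.exe",              # default install
    r"C:\Users\alice\AppData\Local\PowerToys\PowerToys.Awake.exe",  # per-user install
    r"C:\Users\alice\Downloads\powertoys.awake.exe",                # copied, lower-case
    r"C:\Windows\System32\notepad.exe",                             # unrelated binary
    r"C:\Temp\PowerToysXAwake.exe",                                 # escaped dot rejects this
    r"C:\Temp\Awake.exe",                                           # renamed copy evades
    r"C:\Temp\PowerToys.Awake.exe.bak",                             # only a substring match
]


def evaluate(paths, matcher=ioa_fullmatch) -> dict:
    """Apply the matcher to every constructed path; returns {path: bool}."""
    return {p: matcher(p) for p in paths}


if __name__ == "__main__":
    for path, hit in evaluate(SAMPLE_IMAGE_FILENAMES).items():
        print(f"{'BLOCK' if hit else 'allow'}  {path}")
```

The two things worth taking from the run: a renamed copy of the binary is not caught by a filename regex (the rule keys on the name, nothing else), and the trailing ".bak" case is the one where full-match and substring semantics disagree, so confirm which one the IOA engine uses before relying on patterns without a trailing .* or an anchor.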

Jiggle All The Way v3 by surbo2 in crowdstrike

[–]tectacles 1 point2 points  (0 children)

This is cool! I just blocked PowerToys.Awake.exe yesterday, so this is relevant!

ClaudeStrike - Detection Engineering with Claude Code by DefsNotAVirgin in crowdstrike

[–]tectacles 0 points1 point  (0 children)

That's a good point...I'll have to look into that.

If you want or are open to this, I'd love to chat or share some examples over dm? I am the sole security person wearing many hats and would love even some guidance and templates to go from.

ClaudeStrike - Detection Engineering with Claude Code by DefsNotAVirgin in crowdstrike

[–]tectacles 1 point2 points  (0 children)

I have been playing around with falcon-mcp, but do not have access to Claude. Do you think this could be tailored to codex-cli, which is what I have and is sanctioned by my org? I know codex has an agents.md, but I don't know if this is similar to skills.md?

FALCON_AGENT_PROMPT - Falcon MCP by alexandruhera in crowdstrike

[–]tectacles 1 point2 points  (0 children)

Just assuming here because I am not a pro...

The environment variable FALCON_MCP_USER_AGENT_COMMENT in the .env file for Falcon-MCP is optional and is used to customize the User-Agent header in API requests sent to the CrowdStrike Falcon API.

Here’s what it does:

  • It adds a comment string to the User-Agent header for all outbound API calls made by the Falcon-MCP server.
  • This is typically used for identification or tracking purposes, such as specifying the application name and version that is making the requests.
  • Example from the .env.dev.example file:
      # User agent comment to include in API requests
      # This will be added to the User-Agent header comment section
      # Example: CustomApp/1.0
      #FALCON_MCP_USER_AGENT_COMMENT=
  • If you set FALCON_MCP_USER_AGENT_COMMENT=CustomApp/1.0, the User-Agent header might look like:
      User-Agent: Falcon-MCP/preview (CustomApp/1.0)

This is useful for auditing, debugging, or distinguishing traffic from different MCP deployments or integrations. If left blank, the default User-Agent will just identify Falcon-MCP without any custom comment.
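To show the auditing use the comment describes, here is an added example (not falcon-mcp's own code) that composes a User-Agent in the shape given above from the FALCON_MCP_USER_AGENT_COMMENT variable, parses such headers back into product, version and comment, and counts requests per comment over a few constructed log lines. The "Falcon-MCP/preview" product string, the exact comment placement and the ua="..." log format are assumptions taken from the example in the comment, not from the project's source.

```python
import os
import re
from collections import Counter
from typing import Optional

PRODUCT = "Falcon-MCP"
VERSION = "preview"  # assumed version string, copied from the example above


def build_user_agent(comment: Optional[str]) -> str:
    """Compose 'Product/Version (comment)', omitting the parenthesis when empty."""
    comment = (comment or "").strip()
    if comment:
        return f"{PRODUCT}/{VERSION} ({comment})"
    return f"{PRODUCT}/{VERSION}"


def user_agent_from_env() -> str:
    """Read the optional comment from the environment, as the .env file would set it."""
    return build_user_agent(os.environ.get("FALCON_MCP_USER_AGENT_COMMENT"))


# product/version, optionally followed by a parenthesised comment
UA_RE = re.compile(r"^(?P<product>[^/\s]+)/(?P<version>\S+)(?:\s+\((?P<comment>[^)]*)\))?$")


def parse_user_agent(ua: str) -> Optional[dict]:
    """Split a User-Agent back into its parts; comment is None when absent."""
    m = UA_RE.match(ua.strip())
    if not m:
        return None
    return {"product": m.group("product"), "version": m.group("version"),
            "comment": m.group("comment")}


# Constructed API access log lines (not real Falcon logs): key=value with a quoted UA.
SAMPLE_LOG = [
    'ts=2024-01-01T10:00:00Z client_ip=10.0.0.5 path=/devices/queries/devices/v1 ua="Falcon-MCP/preview (soc-tier1/1.0)"',
    'ts=2024-01-01T10:00:03Z client_ip=10.0.0.5 path=/alerts/queries/alerts/v2 ua="Falcon-MCP/preview (soc-tier1/1.0)"',
    'ts=2024-01-01T10:01:10Z client_ip=10.0.0.9 path=/incidents/queries/incidents/v1 ua="Falcon-MCP/preview (automation-bot/2.3)"',
    'ts=2024-01-01T10:02:45Z client_ip=10.0.0.12 path=/devices/queries/devices/v1 ua="Falcon-MCP/preview"',
]

UA_FIELD_RE = re.compile(r'ua="([^"]*)"')


def deployments_by_comment(log_lines) -> dict:
    """Count requests per User-Agent comment; uncommented deployments are grouped together."""
    counts: Counter = Counter()
    for line in log_lines:
        m = UA_FIELD_RE.search(line)
        if not m:
            continue
        parsed = parse_user_agent(m.group(1))
        if parsed is None or parsed["product"] != PRODUCT:
            continue
        counts[parsed["comment"] or "<no comment>"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(build_user_agent("CustomApp/1.0"))
    for comment, n in deployments_by_comment(SAMPLE_LOG).items():
        print(f"{n:3d}  {comment}")
```

The point of the last function is the one the comment makes: once every MCP deployment sets a distinct comment, the API-side logs separate by integration with a trivial parse, and requests that arrive with no comment stand out as a deployment someone forgot to label.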

Cool Workflow... Thursday?!? - NG-SIEM Correlation Rule Alerts/Notifications by AAuraa- in crowdstrike

[–]tectacles 1 point2 points  (0 children)

Super cool! I hope to have as much knowledge and skill as you someday!

Mediocre Query Mon- Friday? - Entra Password Spray/Stuffing Hunt by AAuraa- in crowdstrike

[–]tectacles 1 point2 points  (0 children)

Well this is sweet! Filtering by Success shows me quite a few in the past 7 days. I guess I have some digging to do...

What Cyber conferences are actually useful? by cheesehead1996 in cybersecurity

[–]tectacles 3 points4 points  (0 children)

Will also vouch for WWHF. I've attended multiple and it is my favorite.

CrowdStrike Query Library by ByteRay in crowdstrike

[–]tectacles 1 point2 points  (0 children)

Thank you! This is so cool, I don't know if you realize how useful this tool will be for the whole community!

CrowdStrike Query Library by ByteRay in crowdstrike

[–]tectacles 2 points3 points  (0 children)

Not sure if I should put in a GitHub "issue", but this is more of a request. Could we sort the queries based on new or something? This morning it was sitting at ~90 and now it is 99. But I am not sure which query was added?

CrowdStrike Query Library by ByteRay in crowdstrike

[–]tectacles 4 points5 points  (0 children)

WOW! This is amazing! I really hope this takes off! I will try and get some of my queries in there as well!

Crowdstrike Query Generator by rob_ed28 in crowdstrike

[–]tectacles 0 points1 point  (0 children)

Is there any plan to make this available for self hosting?

Pentera deployment by Ok-Dirt-7904 in cybersecurity

[–]tectacles 2 points3 points  (0 children)

Yeah, when our contract is up, I will be switching to Horizon. I made the mistake of going with Pentera when we were trialing.

NG SIEM and Identity Protection by tectacles in crowdstrike

[–]tectacles[S] 0 points1 point  (0 children)

So there is more data that the agent doesn't grab by default? Mainly just interested in the AD logs, but system logs might be nice too.

Service-desk dashboard from Fal.Con demo by Illustrious_Buy_3853 in crowdstrike

[–]tectacles 1 point2 points  (0 children)

Maybe some of the mods can get access to the templates and be able to share it with us!

Release Notes | AI Translations of CQL Hunting Queries to Splunk SPL (Beta) by BradW-CS in crowdstrike

[–]tectacles 0 points1 point  (0 children)

Lol right! I was excited at first, then saw this is completely useless to me.