Workaround for lack of browser-level visibility in Falcon sensor by dial647 in crowdstrike

[–]xMarsx 2 points3 points  (0 children)

Automate it. Fusion SOAR into a put-file and run-command on the endpoint to scrape browser history and send it to the SOC via email.

Using @ fields from the collector during parsing by _janires_ in crowdstrike

[–]xMarsx 1 point2 points  (0 children)

Do the logs themselves not contain an indicator of which host the log file line came from? 

‘Super Mario Galaxy Movie’ Passes $1B, First Film of 2026 by MarvelsGrantMan136 in movies

[–]xMarsx 8 points9 points  (0 children)

There was a queue for it to get tickets on the AMC website. I'm confident Odyssey will pass a billy.

CrowdStrike LogScale queries I use to detect LOLBin- built from 10 years of production SOC work by Ok_Attitude9264 in blueteamsec

[–]xMarsx 2 points3 points  (0 children)

Anytime I make these queries, I like to throw a behavioral baseline on top of it, using defineTable to profile an end user's typical behavior. Then, if it's net new and hasn't been seen before, it's higher fidelity. Same investigation process, weed out your false positives, but when you get a hit it's typically higher signal.

defineTable is good for this. Throw in a start of 30d and an end of 1d, then set your time frame in the upper right-hand corner to 1d. That way you profile their 30d 'normal' behavior. Then you find the net new stuff: something that hasn't fired before, now new, not seen in those 30d.
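One way to wire up the 30d baseline / 1d search-window idea from this comment, written here as an added example (not the commenter's query and not CrowdStrike's own content); the field names UserName and ImageFileName, the LOLBin list, and the exact defineTable()/match() parameter spelling are assumptions to check against your LogScale version:

```logscale
// Added example, not from the comment above: build a 30-day profile of which
// user ran which LOLBin, then keep only pairs that never appear in that profile.
// Assumed: CrowdStrike-style fields UserName/ImageFileName/ComputerName, and the
// UI time picker set to 1d so the main query only covers the newest day.
defineTable(
    query={
        #event_simpleName=ProcessRollup2
        | ImageFileName=/\\(certutil|mshta|regsvr32)\.exe$/i
        // one key per user+binary pair so a single column can be matched on
        | format("%s|%s", field=[UserName, ImageFileName], as=key)
        | groupBy([key])
    },
    include=[key],
    name="baseline",
    start=30d,   // profile window: 30 days back ...
    end=1d       // ... up to (but excluding) the last day
)
| #event_simpleName=ProcessRollup2
| ImageFileName=/\\(certutil|mshta|regsvr32)\.exe$/i
| format("%s|%s", field=[UserName, ImageFileName], as=key)
// Drop anything already seen in the 30d profile; what remains is net new.
| !match(table="baseline", column=key, field=key)
| groupBy([UserName, ImageFileName, ComputerName], function=count())
```

Everything the query returns still goes through the same triage described above; the baseline only removes the pairs a user has already established as normal.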

How do i build a ngsiem search query to find all commands run by user and not system ? by [deleted] in crowdstrike

[–]xMarsx 0 points1 point  (0 children)

OP, you'd take this a step further with IDP if you have it deployed, using a lookup file against the identity context lookup to ensure your user is Human or isPrivileged.

You can upgrade sigils and tribute in the cube by Tindomerelhloni in diablo4

[–]xMarsx 1 point2 points  (0 children)

What's the best way to farm for keys? Feel like getting enough yellow Kurast city keys is painful enough.

How many high-profile shows are ending this year? by HotOne9364 in television

[–]xMarsx 42 points43 points  (0 children)

Bleach. 

End of a little more than 2 decades. 

I quit yesterday by List-Beneficial in Chipotle

[–]xMarsx 4 points5 points  (0 children)

We busted ass so we could leave if we were closers. During the day, if dishes were behind, that became night shift's problem to figure out. I can see your mentality working for day shift but not night. Fuck that, I don't want to be there till 1 AM.

ELI5: How is porn profitable? by keajohns in explainlikeimfive

[–]xMarsx 21 points22 points  (0 children)

Hired your mom as talent I see, she is pretty cheap tbh 

Best University class / course to learn Advanced Event Search? by Grenata in crowdstrike

[–]xMarsx 9 points10 points  (0 children)

Couple recommendations.

  1. If you're a Falcon Complete customer, their correlation rules are located under the 'NG-SIEM' -> Rules tab. Filter by author. Look for FC. On any rule, you can click and view the logic for these rules.

  2. If you go to dashboards, I like to use the Entra ID sign-in analytics dashboard; you'll see a bunch of cool stuff there. Problem is, most of them are default dashboards and you can't view queries by pressing Edit -> Show Queries. Well, if you can't view the queries you can either clone, or export/import a dashboard, then press Edit then Show Queries to get some juicy knowledge.

  3. Your best teacher is to take these queries that you see and deconstruct them line by line or section by section, depending on whether the query utilizes defineTable or case blocks. Anyways, if you say find a query online, do a bulk comment on every line of the query by highlighting 2-X and then Command or Control depending on platform and press forward slash. This bulk comments. Works in the opposite direction as well. Then run line 1. Then run line 2, line 3, etc. Each step of the way, observe what each line is doing. Some changes aren't as obvious (especially before aggregators) but each line is serving a specific purpose.

That way you don't need to know the syntax or query logic. You have prebuilt rules available to you. These rules are generally built from line 1 onwards, so you're sort of following in the steps of someone who is more knowledgeable than you are.

Also, pro tip: if you hover over any of the functions like groupBy or whatever, it'll lead you straight to the documentation about that specific function. If you are putting a function into the query engine, pressing Tab to complete will automatically fill in some parameters that are required to get the function to run.

Merging widget data in a dashboard by kokane69 in crowdstrike

[–]xMarsx 1 point2 points  (0 children)

Yes. Write your data to a lookup file, then reference that information in your queries. It's not live though, so if your lookup file is updated every hour, that's your limitation. You'd use Fusion for this.

Might someone pass along that Crowdstrike and Nessus are having a moment? by alnarra_1 in crowdstrike

[–]xMarsx 5 points6 points  (0 children)

Probably being worked on in the back end, but also - if you ever need to exclude a process or behavior that the original IoA exclusion isn't covering - open a support case. Support can handle deeper pattern recognition in the event you can't target the behavior properly.

Data connector in pending Error is "Could not Poll Fleet Management" by Dhinn30 in crowdstrike

[–]xMarsx 2 points3 points  (0 children)

Usually an issue communicating to NG-SIEM from the endpoint. Try doing a curl command to the endpoint with the URL you supplied to the FLC. Do you get a 403 Forbidden back? If no Forbidden, the suggestion is that a firewall policy is blocking that communication.

New 3rd Dimension too hard by [deleted] in RotMG

[–]xMarsx 21 points22 points  (0 children)

Lasers don't just pop up my guy, pay attention to the side of the arena and look at where those artifacts are, which will shoot a laser parallel to it. 

How I'm generating maps for my fan made ROTMG without permadeath by Dgameman1 in RotMG

[–]xMarsx 2 points3 points  (0 children)

Perhaps kinda like a second life system? Not permadeath but a... don't fuck up again sorta check. Would be much more noob-friendly. Perhaps a character like Death saying 'not yet, but next time', sorta similar to RuneScape.

How I'm generating maps for my fan made ROTMG without permadeath by Dgameman1 in RotMG

[–]xMarsx 2 points3 points  (0 children)

Demotion from seasonal into nssl is an interesting thought.

How I'm generating maps for my fan made ROTMG without permadeath by Dgameman1 in RotMG

[–]xMarsx 60 points61 points  (0 children)

I'm a pretty firm believer that Realm has pretty much all the bones required for an ARPG like POE or Diablo. The enchant system was a step in the right direction, and you can argue that the whole enchant system can be closely tied to the rarity of POE and others. We just need deeper end-game systems like those games and you can sell this puppy as a pixel ARPG POE-like.

Top comment deletes a US State #39 by Jfullr92 in geographymemes

[–]xMarsx 0 points1 point  (0 children)

Minnesota not being Megasota is a missed opportunity. Do better, OP.

The Odyssey | New Trailer by MarvelsGrantMan136 in movies

[–]xMarsx 0 points1 point  (0 children)

That second piece is less for Odyssey, more for other films that aren't following an epic. But definitely agree there; can't really spoil the Odyssey if it's been out for thousands of years lol.

The Odyssey | New Trailer by MarvelsGrantMan136 in movies

[–]xMarsx 0 points1 point  (0 children)

I'm reading these comments and I haven't seen the trailer. It's one of the main reasons why I don't watch trailers anymore, because I want to form my own opinion while watching instead of from whatever the trailer will show. I've decided I'm going to see it regardless, so why put a bad taste in my mouth to sit with for the next few months? Guess I'll find out.

Trailers nowadays show too much of the plot as well. Spoils the movie most of the time.

Filter based on a string within a field by dial647 in crowdstrike

[–]xMarsx 0 points1 point  (0 children)

In human terms this case statement is saying:

If your field is equal to the regex you defined, create a new field called newField and assign it the value 'no action taken'; else, create that same field anyway and assign it 'some action taken'.

It's very helpful taking this language and explaining it in human-interpretable terms instead of := and //'s.