Welcome to our ninetieth installment of Cool Query Friday. The format will be: (1) description of what we're doing (2) walk through of each step (3) application in the wild.

This week will be a mini-CQF as we cover a handy qualify-of-life function that makes the syntax in shared and saved queries a little easier. So, without further ado, let’s chat about setTimeInterval(). 

For those familiar with the Splunk Query Language, you’ll likely be familiar with the start parameter that can be used to hard-code the search window interval within syntax and override the time-picker in the GUI. In Splunk parlance, the most basic syntax would be:

start=-7d my-search-here

The above would execute our search looking back seven days. 

In CQL, the equivalent is:

setTimeInterval(start="7d")
| my-search-here

Simple enough.

The function setTimeInterval can accept several parameters. As seen above “start” is required, but we can also include things like “end” and “timezone.” So, if we wanted to search starting seven days ago, end searching one day ago, and do so in Eastern Standard Time, that would look like this:

setTimeInterval(start="7d@d", end="1d@d", timezone="EST")
| my-search-here

If preferred, epoch timestamps can be used:

setTimeInterval(start=1746054000000, end=1746780124517)
| my-search-here

The start and end parameters also support snapback syntax. Let’s say we want to search starting seven days ago at the very beginning of that day in EST and ending our search yesterday at the end of that day EST. That would look like this:

setTimeInterval(start="7d@d", end="1d@d", timezone="EST")
| my-search-here

What’s more, you can leverage setTimeInterval with other functions, like defineTable, to split the hard coded search intervals. 

The following will look for DNS requests that PowerShell has made in the past hour that it has not made in the previous 23 hours.

setTimeInterval(start="1h")
| defineTable(
  start=24h,
  end=1h,
  query={event_platform=Win #event_simpleName=DnsRequest ContextBaseFileName="powershell.exe"},
  include=[DomainName, ContextBaseFileName],
  name="ps_dns")
| event_platform=Win #event_simpleName=DnsRequest ContextBaseFileName="powershell.exe"
| !match(table="ps_dns", field=DomainName, strict=true)

Experiment with it and have some fun! That's it for this mini-CQF. As always, happy hunting and happy Friday. 

CrowdStrike Falcon has detection coverage for Copy Fail. These include but are not limited to:

• Endpoint IOAs
• Rapid Response Content Information
• Falcon Exposure Management Assessments 
• Falcon Cloud Security Image Assessments

 

Details

CVE-2026-31431, known as "Copy Fail," is a local privilege escalation vulnerability affecting  Linux kernel versions distributed since 2017. This vulnerability allows an unprivileged local user to gain root access through exploitation of the kernel's authencesn cryptographic template. It allows an unprivileged local user to trigger a 4-byte write into the page cache of any readable file on the system...

Welcome to our eighty-ninth installment of Cool Query Friday. The format will be: (1) description of what we're doing (2) walk through of each step (3) application in the wild.

So… gang… anything notable happen over the past few weeks? Been quiet out in these streets? There hasn’t been any net-new frontier AI models released that are going to kill us all and hack the planet? No? Cool. Just checking.

This week we’re going to hunt the world’s most dangerous game, humans AI. In speaking with customers, there is a lot of downward pressure coming from business stakeholders to try and quantify, enumerate, and corral “AI” that has been installed by the workforce. It’s one of those, “we need to use AI now!” Followed by: “OMG everyone is using AI now!” It’s kind of a vibe.

Quick Plug

CrowdStrike’s CTO and I recently hosted a webinar around Frontier AI Readiness in conjunction with the launch of a new industry-coalition service offering for those that wouldn’t mind a second set of eyes checking their work and a guiding hand. If this is of interest to you or your organization, go ahead and check it out.

</corporate schilling>

Okay, so back to hunting AI. Let’s quickly level set. There are a lot of ways to find AI across our enterprise. Network vendors, proxies, and those doing packet inspection are stating they can find it on the wire. And that’s true… assuming all traffic is routed through those appliances (on and off network) and what we’re hunting is sending network traffic outside the machine. There are some gaps with local models or apps, not-in-use models or apps, split tunneling configurations, traffic routing policies, etc. 

Host based technologies tend to rely on things executing, which again could leave some gaps for not-in-use models or dormant apps. 

For this reason, and to be as comprehensive as possible, we’re going to opt for a machine interrogation using Falcon for IT to quantify all things AI, get that data into NG SIEM, and get a comprehensive state of enterprise. 

Let’s go!

The Setup

We have a bunch of systems. Those systems have Falcon on them. Those systems could have a bunch of AI tools on them. But for many of the not-heavily-controlled systems out there, it’s hard to tell. I myself come from a higher education background and that, let me tell you, was like the wild west. It was lawless. So our idea is simple, we’re going to use Falcon as a fulcrum to deploy a handful of scripts that will interrogate systems to look for the following across Windows, macOS, and Linux.

• 40+ different AI tools & IDEs
• 80+ SDKs & libraries
• 25+ local models
• 60+ agent frameworks
• 12+ MCP servers
• And more

The output of those interrogations will flow into NG SIEM automatically where we can view, tinker, and orchestrate until our heart is content. We can then schedule and queue these scripts to run on an interval so our data stays fresh without our intervention. 

The Tools

If you’re reading this, there is a 99% chance you own Falcon Insight — that’s the EDR product. If you do, you also already own NG SIEM (wahoo!). To make script deployment as easy as possible, we’re going to leverage Falcon for IT. Now, if you don’t own Falcon for IT, don’t panic. You can navigate to “CrowdStrike store” from your main navigation menu and one-click start a free trial. It only takes a few minutes. You don’t have to talk to anyone. You can just do this on your own.

Falcon for IT in the CrowdStrike Store

The Setup

Falcon for IT has a super helpful “AI Discovery & Governance” content pack [release note] pre-built for us. Navigate to “IT automation” and then “Content library.” Locate the “AI Discovery & Governance” content pack, and select “Import to IT automation.” You can choose whatever name you’d like for the Task and select “Start import.” 

AI Discovery & Governance content pack naming.

The import should only take a few seconds. You can click “Exit to Falcon for IT.” 

AI Discovery & Governance import.

You should see a screen loaded up with our content that looks like this.

AI Discovery & Governance taks list.

⚠️WARNING: We need to pay close attention to all the tasks that have been imported for us. There are tasks labeled “Query,” which we are going to use, and tasks labeled “Action” that we are not going to use. The “Action” tasks can be used to remediate AI tools automatically. You can explore, test, and use those on your own if you choose. For this CQF, we’re going to focus on visibility. 

Setup Falcon for IT Policy

Next, we’re going to navigate to “IT automation” > “Policies.” The tasks we’re going to execute leverage Python. For this reason, we need to explicitly allow Falcon for IT to use Python to accomplish this task. Since this is a policy, we can restrict this ability to host or host groups. We can also remove the permission after we’re done if desired. For each operating system you want to scope — Windows, macOS, and Linux — make sure Falcon for IT is allowed to leverage Python.

Falcon for IT policy configuration.

The ability to set rate limits is also in these profiles. We can adjust those to our liking, but the defaults are well-balanced for most modern systems. 

Run and Schedule Tasks

Time to get data in. For testing purposes, we can manually run any “Query” task that starts with “Report AI” using the drop down on the right. 

Falcon for IT task execution.

⚠️ Again, DO NOT EXECUTE the “Action” tasks unless you know exactly what you are doing! They will remove AI tools. Make sure that’s what you want to do if you run them!

When you select “Run” you have the option to schedule. I’m going to set these to run daily in my tenant. 

Falcon for IT task scheduling.

Go ahead and schedule or run all the “Query” tasks. As of content pack release 1.0.30, there are nine of them.  

View Output

Quick post-flight checklist. What have we done so far:

1. Using Falcon for IT, we’ve loaded the “AI Discovery & Governance” pack pre-built for us by CrowdStrike
2. We’ve configured our Falcon for IT execution policy to allow F4IT to use Python
3. We’ve manually run, or scheduled, our nine Query tasks
4. The queries have run

To make things easy, the content pack automatically loaded a dashboard into NG SIEM. If you navigate to NG SIEM > “Log management” > "Dashboards" and search for “ AI Discovery” you should see the new toys.

Pre-built AI Discovery & Governance NG SIEM dashboard.

If you view the dashboard, and the queries have returned data, you’ll have a plethora of data to look at.

AI Discovery & Governance dashboard.

By mousing over the ❓icon, we can view an explanation of what each widget is displaying.

Explore the Data

If we click on the title of any of the dashboard widgets, we can view the queries that power them and customize as we see fit. 

To explain the data structure a bit: each of the queries we ran, or scheduled, will have a query_id value. This will remain constant across each run, but your query_id values and my query_id values will be different. In the dashboard, there is a widget titled “Host Inventory.”

AI Discovery & Governance dashboard.

If we click on that, we get to the query that powers it. Now, if we want to modify it to our liking, let’s say, to add more host details, we can swap out the last two lines with the following:

| groupBy([aid, _tools_f, _models_f, _mcp_f, _sdks_f, _agents_f, _total], function=[], limit=max)
| match(file="aid_master_main.csv", field=[aid], column=aid)
| formatTime(format="%F %T %Z", as="FirstSeen", field=FirstSeen)
| formatTime(format="%F %T %Z", as="LastSeen", field=LastSeen)

We now have an inventory showing where AI lives in our estate.

Modified \"Host Inventory\" query.

If we wanted, we could take this entire query and schedule it to run in Fusion SOAR, ask an LLM to create an executive summary, and create a ticket. Once we have data in the format we want. Our imagination is the only limitation. 

When Falcon for it pushes data into NG SIEM, it does so in a dedicated repository. The name of that repo is “IT Automation.” The data can also be manipulated there, if desired. TL;DR: if there is something you want to see that we aren’t showing you, use the data however you want!

Falcon for IT repository.

Incoming

The F4IT Team will be adding the ability to segregate discovered data by “approved” and “unapproved” AI facets, along with policy enforcement, deep configuration audit, and more.

I’d Like Some Help

Things are moving fast. It can be a little overwhelming. If you’d like a member of my team to assist you with this hunting exercise, answer additional questions, or chat about how AI tooling is going to kill us all discovered in Falcon, we’re here to help. Reach out to your local account manager and tell them “the loser from Reddit” sent you. They’ll get you lined up with a Field Engineer to guide you through it. 

As always, happy hunting and happy Friday.