r/crowdstrike

Next-Gen SIEM Dashboard Permissions

Looking for some answers around - is it possible to manage who can modify a custom Next-Gen SIEM dashboards / raptor dashboards as they are referred to.

Note the dashboards created under the EDR module, but the other ones available under NG SIEM.
The dashboards in EDR module have the ability to set “private” or choose to share them.

However I can’t seem to find a way to do this with the NG SIEM dashboards. Every dashboard created seems to be read/write. However I can see some CrowdStrike developed dashboards that are “read” only. So I think the capability is there?

Tried support resources couldn’t find anything around this.

reddit.com
u/thebig_lebowskii — 2 days ago

CrowdStrike CLI connection status

Hello experts,

I wonder why there is no CLI for CS to query the same status as shown in the Tray Icon. So yes there is a CLI for showing if the Sensor is running, but I miss Connection status?

Do I miss something?

br

reddit.com
u/pure-xx — 3 days ago

Geolocation for each Host

I have been using an event search query into a dashboard to pull locations for each host based on their "Last seen" location. Problem is of course there is no historical data with this due to it being based on the location when the host was last seen.

I was thinking is there someway to pull this event search and write it to a file every hour and basically build a weekly report of this and where the host was scene every hour.

If this isn't a good way to do this do you have any ideas on how to keep track of the geolocation of employees if they work from home?

reddit.com
u/Dependent-Ad833 — 4 days ago

Developer Performance complains

Hello experts,

as new CS customers we are very happy with how the general performance of the agent looks like. Really small footprint and most of the users are not complaining. But every now and then a performance discussion arises and tickets got escalated through all teams till they finally got assigned to the EDR team. It’s often very vague and a gut feel that the performance of the client is slow.

Especially “pro” users like developers want, as a solution approach, to exclude basically all directories they are using, for example local repositories and so on.

So I wonder what questions do you ask or what analyses do you require to qualify for a special policy. I am also not sure if a directories exclusion is really better than adjusting the detection policy (but what settings?).

Thank you for your input.

reddit.com
u/pure-xx — 4 days ago

Make NGSIEM Saved Search Query / Results Available via API?

We’re trying to figure out how to make a NGSIEM saved search & results available to either invoke remotely via an API or make the results of a saved search accessible via the API.

reddit.com
u/r_gine — 4 days ago

Exposure Management Dashboard/Report for Workstations Vulnerabilities

Hello all,

I am getting into the Exposure Management feature set and starting to review what our environment looks like. There is some product cross over with another platform we have so I was looking for a similar feature in maybe a report or a dashboard relating to workstations. I can't seem to find anything off hand right now.

Is there a report or a dashboard that shows workstations and related vulnerabilities by some sort of criticality rating (CVSS or ExPRT)? I am looking to get a prioritized list of workstation remediations that we should address. I believe ExPRT is probably the best metric. When I dive into the vulnerability dashboards a lot of them list the vulnerability, but it seems difficult to tie the vulnerabilities back to an actual host/system.

I could be just being dumb though. I might be staring at the solution in exposure management but overlooking it.

reddit.com
u/Khue — 5 days ago

First time attending Fal.Con 2026 – Looking for advice!

Hi everyone,

This year will be my first time attending Fal.Con 2026, and it's also my first major cybersecurity conference(I am From Latin America), so I'm really excited.

I'll be staying at the MGM Grand, and I'd love to get some advice from people who have attended before.

A few questions:

  • What are the "must-do" sessions or activities?
  • How do you make the most out of the conference?
  • Are there networking events that are worth attending?
  • Any tips for meeting CrowdStrike engineers, product managers, or other security professionals?
  • Is there anything outside the official agenda that first-time attendees usually miss?
  • Any recommendations around the MGM or nearby for food, after-hours events, or places where attendees tend to hang out?

For context, I work as a Cybersecurity Team Lead with a focus on enterprise security, SOC operations, cloud security, and the CrowdStrike platform, so I'm hoping to learn as much as possible and connect with others in the community.

I'd appreciate any tips, recommendations, or lessons learned from previous Fal.Con events.

Thanks in advance!

reddit.com
u/felideep — 6 days ago

Vulnerability Exploit Detection

Hello experts,

Today we tested the exploit for CVE-2026-46331 on a SUSE Linux 15 with Falcon installed and online (no RFM). So the exploit worked and we are no wonder why there is no Alert or any other information about this. KB of the CVE shows a coverage indication for Falcon.

What’s also interesting if searching for the CVE in the Vulnerability Dashboard the SUSE host is not showing as vulnerable, only Ubuntu Systems popping up.

So it looks like it is not working right and not preventing or alerting anything.

Where to start and what would be the right place to search for exploit attempts, should they pop up in the detections?

BR

reddit.com
u/pure-xx — 6 days ago

Automated email notification in Fusion SOAR

I am working on automating an email notification to inform users when their passwords have been identified as compromised and prompt them to change their password.

Currently, I am using the out-of-the-box Send Email action. However, the email is sent from falcon@crowdstrike[.]com using CrowdStrike's branding template.

My concern is that users may mistake the notification for a phishing email, especially since it does not appear to originate from our organization or follow our corporate branding.

Has anyone implemented a more personalized approach for these notifications? For example:

  • sendin the email from your organization's domain or shared mailbox
  • using your organization's branding and email template
  • integrating with Microsoft 365/Exchange to send the email instead of the built-in action
reddit.com
u/xaveri12 — 6 days ago

Falcon MCP v0.13.0 adds "dynamic mode" — cuts MCP tool-schema context by ~98%

We just shipped v0.13.0 of the CrowdStrike Falcon MCP server, and the main feature is something a lot of MCP servers will eventually run into: tool bloat.

The problem: every MCP tool's schema gets loaded into the model's context window up front. Falcon MCP has 115 tools across 24 modules, which is ~41K tokens sitting in context before you've asked anything — and it grows with every module added. If a given session only needs a handful of those tools, the rest is just overhead the model carries the whole time.

Dynamic mode swaps the full tool list for 3 meta-tools (~500 tokens):

  • falcon_list_enabled_modules — see what's loaded
  • falcon_search_tools — discover tools by keyword, returns the schema on demand
  • falcon_execute_tool — run whatever you found

So the agent does a quick discover → execute loop instead of carrying every schema all the time. In our testing that worked out to ~98.7% less context overhead, ~57% cheaper per session, and better FQL filter accuracy — field hints seem to land better when they show up at discovery time instead of buried 40K tokens back.

Where it helps:

  • Large module sets where the up-front schema load dominates your context budget
  • Token or context-constrained clients (lighter-weight models, tight context windows)
  • Exploratory or cross-module work where you don't know in advance which tools you'll need

Where it doesn't:

  • Workflows that hammer the same known set of tools repeatedly — you pay the falcon_search_tools discovery round-trip without getting much back, since the schemas would've been worth loading anyway
  • Setups where you've already scoped to just a few modules (--modules), so there isn't much bloat left to cut
  • Cases where you'd rather spend tokens than add a discovery step before each new tool call

Enable it with uvx falcon-mcp --dynamic or FALCON_MCP_DYNAMIC=true. Nothing is removed; the full tool surface is still reachable. It's in public preview now and on track to become the default in v1.0 (with an opt-out).

Docs:

reddit.com
u/cs-carlosmmatos — 7 days ago

Fully auditable, no-telemetry CQL syntax highlighting for VS Code

I write a lot of CQL for Falcon Next-Gen SIEM / LogScale and got tired of staring at uncolored query files, so I built a small VS Code extension for it. Sharing in case it's useful to anyone here.

What it does:

  • Syntax highlighting for CQL/LQL — comments, strings, regex literals, tag fields (`#event_simpleName`), functions, `case`/`match`, `AND`/`OR`/`NOT`, the pipe, etc.
  • Snippets for common patterns — tag filters, `groupBy`, `case`, regex filters, `formatTime`, `sort`, and a full hunt-query skeleton. There's also an Entra ID sign-in hunt snippet.
  • File associations for `.cql`, `.lql`, `.humio`.

The thing I actually care about, given the audience here: it's declarative-only. No executable code, no `activate()` entry point, no dependencies, no network access — it's literally a TextMate grammar plus snippets, all JSON.

Editor extensions run with access to your workspace and terminal, so for a security team an unvetted one is supply-chain risk. The whole package is a handful of small JSON files you can read in five minutes. Source is on GitHub; clone it, inspect every byte, build it yourself and diff against the published build.

One known limitation I'll call out honestly: CQL overloads `/` for comments, regex, and division, which can't be fully disambiguated without a language server, so a division expression with two slashes on one line may occasionally be miscolored. It's cosmetic and doesn't affect query execution.

It's free and MIT licensed. Marketplace link and repo in the comments so this isn't just a link-drop — happy to take feedback on what's missing or mis-highlighted.

reddit.com
u/XecureLogic — 7 days ago

Next GEN SIEM Setup

Hello,

We just got the Next GEN SIEM and are looking to set it up. We have installed sensors but other then that have not touched it at all. I would love some tips and tricks as well as suggestions on what to do first to really get the environment running.

Thank you!

reddit.com
u/Dependent-Ad833 — 12 days ago

Basic, I think, SOAR question related to actions based on 3rd party detections

We are a Mimecast shop. We have NG-SIEM ingesting from Mimecast. We regularly get detections where Mimecast has blocked an attachment or some other successful block action. We want to have a workflow that takes the domain of the sender and add it to Zscaler.

When I create a workflow with the trigger being a 3rd Party NG-SIEM detection, I can’t find a way to have the fields exposed that I need for the action.

It’s usually something like sender.domain

I know the data is there because I can see it in the detection as well as in the raw results of a search.

This shouldn’t be this difficult!

reddit.com
u/AdJolly187 — 10 days ago

How can I remove a user’s registered Entra ID devices from a CrowdStrike SOAR workflow?

I’m building an automated detection and remediation workflow in CrowdStrike SOAR for suspicious Microsoft Entra ID device-code authentication.

I can use the predefined Entra ID – Get Devices Registered to a User action to retrieve the user’s registered devices. However, I cannot find a predefined CrowdStrike SOAR action to remove or delete those devices from Entra ID.

Has anyone implemented device removal directly from a CrowdStrike SOAR playbook?

Ideally, I would like to take the device IDs returned by Get Devices Registered to a User, validate which devices should be removed, and then delete them automatically.

Side note for context: This is part of a response workflow for device-code authentication attacks based on the technique described here: Phishing for Primary Refresh Tokens and Windows Hello keys - dirkjanm.io

reddit.com
u/Brief_Trifle_6168 — 11 days ago

How to scan single docx file

We get in files on USBs, so I setup an off network PC with crowdstrike to scan them before they go onto a networked PC. I notice that right clicking on files to scan them with crowdstrike and it says no files supported. They are usually a mix of PDF, docx and xlsx files.

How can I get crowdstrike to scan those files?

reddit.com
u/zanthius — 12 days ago

How to Configure Detection Based Emails

Hello, I am attempting to set my company up on NG-SIEM but I have had immense trouble finding how-to-guides so I decided to ask here.

I have a query from the old SIEM that I've added as a rule, and a workflow with the trigger on rule detection. However nothing seems to allow me to tie the two together other than creating a condition on the workflow and checking for detection display name which does not feel correct.

Does anyone know the correct way to accomplish this?

reddit.com
u/Sufficient-King5890 — 12 days ago

Update lookup file

I am trying to update a lookup file based on a query that will return some IP addresses. I am running this on a fusion workflow and able to get the new IP address based on the following query.

| #repo=abc123

| url.domain=/abc.com/i

| table([destination.ip])

| groupBy([destination.ip])

| join({readFile(["lookup.csv"]) | table([destination.ip]) | case {destination.ip=* | existing:=true}}, field=destination.ip, key=destinationIP, mode=left, include=[existing])

| existing != true

| table([destination.ip])

This query returns on new IP address.

How can I update the lookup file with the new IP?

reddit.com
u/dial647 — 12 days ago

Using CrowdStrike to block older versions of Chrom

Hi All, recently Bitsight flagged some of the traffic originating from our org as using vulnerable browsers ( using older versions of chrome and edge ).

Some people here want to utilize CrowdStrike to block execution of older versions of CrowdStrike which might be vulnerable.

Despite me insisting that this is a bad idea similar to hammering a screw they still want to go ahead and make this rule any way to convince them otherwise ? ( rely on SCCM and GPO and not CS )

Or alternatively is there a way to achieve this using CS but if it is too much effort and just is clunky i can get them of my backs.

Any suggestions are appreciated thanks ✌️

reddit.com
u/tom_curse — 13 days ago

Crowdstrike Falcon Fusion SOAR workflows not firing for real alerts (but Test Mode works)?

Hey everyone, I’m stuck on a weird Fusion SOAR issue. I have three separate workflows set up for Identity, Endpoint, and NG-SIEM. When I use Test Execution with a mock payload, everything runs perfectly. However, when a real detection happens, absolutely nothing triggers. To make sure it wasn't a filtering issue, I set the severity condition to > Low just to catch everything, but still nothing. The workflow is enabled, but I’m getting zero execution history for live events. What could be the blocker here? Any advice on how to get live alerts flowing would be greatly appreciated!

reddit.com
u/Minute-Internal5628 — 11 days ago