Security Engineering
Browser vulnerabilities have quietly become one of the most reliable entry points for attackers. As browsers have grown into full application runtimes — executing JavaScript, handling credentials, processing untrusted content from every corner of the internet — the attack surface they expose has grown with them. High-severity CVEs targeting Chromium, Firefox, and Edge are now a near-monthly occurrence, and the window between public disclosure and active exploitation has shrunk considerably.
Using Falcon for IT to deploy the CrowdStrike AIDR browser collector across Edge, Chrome, and Firefox Developer Edition — writing browser policies directly on endpoints via the Falcon sensor without standing up a parallel MDM deployment.
Tracking a simulated multi-stage intrusion from initial access through ransomware deployment using CrowdStrike Query Language (CQL) in Falcon’s Advanced Event Search.
Polling the RunZero REST API hourly with Cribl to stream asset inventory into a SIEM, giving an MSSP the context needed to triage alerts accurately.
Most of my servers send logs to CrowdStrike NG-SIEM through Cribl Edge, which handles Windows Event and Security logs just fine. DNS was the exception, and it needed a totally different approach.
The problem with Windows DNS flat-file logs
Windows DNS Server writes queries to a flat text file. Getting those into a SIEM means either tailing the file with a log shipper or enabling analytic event logging, and both options have real limitations.
Bridging an out-of-band firewall into a cloud-native observability pipeline without touching the internal network.