SIEM
Learning CrowdStrike CQL: Threat Hunting in Falcon NG-SIEM
Tracking a simulated multi-stage intrusion from initial access through ransomware deployment using CrowdStrike Query Language (CQL) in Falcon’s Advanced Event Search.
Enriching SIEM Alerts with RunZero Asset Data via Cribl
Polling the RunZero REST API hourly with Cribl to stream asset inventory into a SIEM, giving an MSSP the context needed to triage alerts accurately.
Fixing DNS Telemetry with Packetbeat and Cribl
Most of my servers send logs to CrowdStrike NG-SIEM through Cribl Edge, which handles Windows Event and Security logs just fine. DNS was the exception, and it needed a totally different approach.
The problem with Windows DNS flat-file logs
Windows DNS Server writes queries to a flat text file. Getting those into a SIEM means either tailing the file with a log shipper or enabling analytic event logging, and both options have real limitations.