Added CallStackModuleBinary() and HuntRareCallStackModules()

README.md

@@ -321,6 +321,13 @@ Parses SignInfoFlags to multiple bools. Current not great parsing oppertunities,
 
 </details><br />
 
+## _CallStackModuleBinary()_
+
+This function is undocumented, look at the query (in-line commented) for now.  
+Looking into using a wiki for function documentation.
+
+<br />
+
 # Contribution
 
 This is a sample repo started from posting on [a post](https://www.reddit.com/r/crowdstrike/comments/ry6ma0/20220107_cool_query_friday_adding_process/) from [Cool Query Friday](https://www.reddit.com/r/crowdstrike/collection/8016c539-c284-442c-9726-6bc05053d7a9/) at [r/crowdstrike](https://www.reddit.com/r/crowdstrike/).

queries/CallStackModuleBinary.yaml

@@ -0,0 +1,16 @@
+name: CallStackModuleBinary
+description: "Parses binaries (exe and dll) pressent in CallStack. Note this wull result as multiple events."
+visualization:
+  options:
+    columns: '[{"type":"field","fieldName":"@timestamp","width":210},{"type":"field","fieldName":"@rawstring"}]'
+    newestAtBottom: 'true'
+    showOnlyFirstLine: 'false'
+  type: list-view
+$schema: https://schemas.humio.com/query/v0.1.0
+timeInterval:
+  isLive: false
+  start: 1d
+queryString: "// Extracting .exe and .dll in CallStackModule, note this is repeating\
+  \ and therefore split events for each hit.\n// Inspired from CQF : https://www.reddit.com/r/crowdstrike/comments/mwuz92/20210423_cool_query_friday_parsing_the_call_stack/\n\
+  regex(\"\\\\\\\\Device\\\\\\\\HarddiskVolume\\\\d+(?<falcon.csm.name>.*?(\\\\.dll|\\\
+  \\.exe))\",field=\"CallStackModuleNames\",repeat=True,flags=\"i\") "

queries/HuntRareCallStackModules.yaml

@@ -0,0 +1,22 @@
+name: HuntRareCallStackModules
+description: "Hunt processes loading a module rarely used"
+visualization:
+  options: {}
+  type: table-view
+$schema: https://schemas.humio.com/query/v0.1.0
+timeInterval:
+  isLive: false
+  start: 1d
+queryString: |-
+  // ?region field is bugged when set as input to user function. If you need other region other then default, add &$reigon=<URL> to url .. ie. &$reigon=EU-1 and links will work
+  #type = FDR #event_simpleName=ProcessRollup2 CallStackModuleNames=*
+  | $crowdstrike/fdr-utils:CallStackModuleBinary()
+  | join({#type = FDR #event_simpleName=ProcessRollup2 | regex("\\\\Device\\\\HarddiskVolume\\d+(?<falcon.csm.name>.*?(\\.dll|\\.exe))",field="CallStackModuleNames",repeat=True,flags="i") | groupBy([#cid, aid, falcon.csm.name]) | _count < ?{max_loads=50}}, field=[#cid, aid, falcon.csm.name], mode=inner)
+  | groupBy(["#cid", "aid", "ParentProcessId"], function=[selectLast([TargetProcessId, ParentBaseFileName]), count(), min(@timestamp), max(@timestamp), collect(CommandLine, separator=" | ")])
+  | $crowdstrike/fdr-utils:FalconURL(region=?{reigon=US-1})
+  | $crowdstrike/fdr-utils:RTR()
+  | $crowdstrike/fdr-utils:ProcessExplorerTarget()
+  | duration := _max - _min | case {duration != 0 | duration := formatDuration(duration); *}
+  | start := formattime("%Y/%m/%d %H:%M:%S", field=_min)
+  | table([aid, ParentProcessId, ParentBaseFileName, _count, start, duration, falcon.RTR, falcon.process_explorer_target, CommandLine])
+  | sort()