crowdstrike/fdr Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

crowdstrike/fdr Dashboards

00 - FDR Package Announcement - Please Read

Widget	Description	Type
FDR Package Migration	# Important Changes This package is being reduced to only include the parser. Please use the crowdstrike/fltr-core package instead. Instructions for configuring the crowdstrike/fltr-core package can be found here: https://github.com/CrowdStrike/logscale-community-content/wiki/FLTR-Setup-and-Configuration # Migrating Content If you've made modifications to the crowdstrike/fdr package contents and wish to keep them, they can be exported by going to Settings → Create a Package → Export Package in this repo.	`Note`

Detections by Instance

Widget	Description	Type
Detections by Tactic	Displays a pie chart of event detections. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Tactic, as="#events")`	`Pie Chart`
Detection Rate	Displays a chart of events and their detection rate over a one hour timespan. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| timechart(span=1h, function=count()) \| rename(_count, as="#events")`	`Time Chart`
Map: Severity -> Technique	Displays a flow chart of a system's events, and their severity and technique. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Technique, source=SeverityName)`	`Sankey`
Detections by Severity	Displays a pie chart of detections by severity. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(SeverityName)`	`Pie Chart`
Detections by Technique	Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Technique, as="#events")`	`Bar Chart`
Detection by Attack	Displays a table of detections by attack. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(DetectDescription, as="#events")`	`Table`
Detection: Grandparent File -> Parent File	Displays a flowchart of event detection parent and grandparent files by file name. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=ParentImageFileName, source=GrandparentImageFileName)`	`Sankey`
Detection: Parent File -> File	Displays a flowchart of detections by parent file and file. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=FileName, source=ParentImageFileName)`	`Sankey`
Map: Technique -> Tactic	Displays a flow diagram of technique and tactic data. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
Detection Table	Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc then arranges them in table format. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])`	`Table`
Detections by Host	Displays a table of external API event detections by host. Hide Query Show Query logscale `not "#event_simpleName" = * \| EventType = "Event_ExternalApiEvent" \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(ComputerName, as="#events")`	`Table`
Detections by User	Displays a table of event detections by user. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(UserName, as="#events")`	`Table`

Detections by Type

Widget	Description	Type
Detections by Tactic	Displays a pie chart of event detections. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Tactic, as="#events")`	`Pie Chart`
Detection Rate	Displays a chart of events and their detection rate over a one hour timespan. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| timechart(span=1h, function=count()) \| rename(_count, as="#events")`	`Time Chart`
Map: Severity -> Technique	Displays a flow chart of a system's events, and their severity and technique. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Technique, source=SeverityName)`	`Sankey`
Detections by Severity	Displays a pie chart of detections by severity. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(SeverityName)`	`Pie Chart`
Detections by Technique	Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Technique, as="#events")`	`Bar Chart`
Detection by Attack	Displays a table of detections by attack. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(DetectDescription, as="#events")`	`Table`
Detection: Grandparent File -> Parent File	Displays a flowchart of event detection parent and grandparent files by file name. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=ParentImageFileName, source=GrandparentImageFileName)`	`Sankey`
Detection: Parent File -> File	Displays a flowchart of detections by parent file and file. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=FileName, source=ParentImageFileName)`	`Sankey`
Map: Technique -> Tactic	Displays a flow diagram of technique and tactic data. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
Detection Table	Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc then arranges them in table format. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])`	`Table`
Detections by Host	Displays a table of external API event detections by host. Hide Query Show Query logscale `not "#event_simpleName" = * \| EventType = "Event_ExternalApiEvent" \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(ComputerName, as="#events")`	`Table`
Detections by User	Displays a table of event detections by user. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(UserName, as="#events")`	`Table`

Dev - Software Inventory

Widget	Description	Type
Product Versions	Displays a pie chart of product versions. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| top([ProductVersion], as="count")`	`Pie Chart`
Product Names	Displays a chart of an application's associated product and company names. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| top([ProductName], as="count")`	`Bar Chart`
Software Inventory	Displays a table of software inventory and associated data (company name, product name, file version) in descending order. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| groupBy([CompanyName, FileDescription, FileName, FileVersion, ProductName, ProductVersion], limit=max) \| rename(_count, as="count") \| sort([count,CompanyName, ProductName, FileVersion], order=desc)`	`Table`
Software Companies	Displays a list of software companies and application information. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| top([CompanyName], as="count")`	`Bar Chart`
Software Inventory Note	# FDR Requirements This dashboard runs on the secondary FDR data. FDR secondary data is not enabled by default, you may need to submit a ticket to CrowdStrike Support to enable the secondary data feed. You can check to see if your data includes secondary data by searching this data for: @path = fdrv2* To narrow down the data set use the CompanyName and then the ProductName drop-down parameters above.	`Note`

Domain Search

Widget	Description	Type
Domain Lookup Summary	Displays a domain lookup summary with associated data sorted by number of hosts, then limits the results to the first 200 entries. Hide Query Show Query logscale /* * This query gives a summary of the domain(s) ('DomainName' * parameterized by '?DomainName') * It can also give a summary of all the hosts that a specific / #event_simpleName="DnsRequest" \| DomainName = ?DomainName \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| groupBy(DomainName, function=[ { selectLast([ContextTimeStamp, ComputerName]) \| rename(ContextTimeStamp, as=LastLookup) \| rename(ComputerName, as=LastLookupBy) }, { select([ContextTimeStamp, ComputerName]) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) \| rename(ComputerName, as=FirstLookupBy) \| drop(@timestamp) }, { count(ComputerName, as=NumberOfHosts, distinct=true) } ], limit=max) \| LastLookup := LastLookup 1000 \| FirstLookup := FirstLookup * 1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([DomainName, NumberOfHosts, FirstLookup, FirstLookupBy, LastLookup, LastLookupBy], limit=200, sortby=NumberOfHosts) \| rename(NumberOfHosts, as="#hosts")	`Table`
Process and Domain Details	Displays a table of specific processes and their domain details from a specific agent ID or ComputerName. Hide Query Show Query logscale /* * This query provices details of specific processes that resolve a * specific domain ('DomainName', parameterized by '?DomainName') and that are * run from a specific agent ID ('aid', parameterized '?aid') or ComputerName (?ComputerName). * This query will only return results if either ?DomainName and ?aid / ?ComputerName is specified. / #event_simpleName="ProcessRollup2" OR #event_simpleName="DnsRequest" \| test(?DomainName != "") \| aid=?aid \| case { test(?aid == "") \| test(?ComputerName == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) // We wish to join the ContextProcessId of the DnsRequest events to the // TargetProcessId of the ProcessRollup2 events, so we collect them both // in a field 'pid' that we can then group on. \| #event_simpleName match { "ProcessRollup2" => pid := TargetProcessId; "DnsRequest" => pid := ContextProcessId; } // Group the agent IDs, and for each group group by the 'pid' field. \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName) \| groupBy("pid", function= [ // Extract the latests ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, and SHA256HashData fields. { #event_simpleName="ProcessRollup2" \| selectLast([aid, ComputerName, ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, SHA256HashData]) }, // Extract the DomainName for each 'pid'. { #event_simpleName="DnsRequest" AND DomainName=?DomainName \| groupBy(DomainName) \| drop(["_count"]) } ], limit=max) // Remove entries that have no domain name or process start time. \| DomainName = * AND ProcessStartTime = * \| ComputerName = ?ComputerName // Make the process start time human-readable. \| ProcessStartTime := ProcessStartTime*1000 \| ProcessStartTime := formatTime(field=ProcessStartTime, format="%Y/%m/%d %H:%M:%S") // Present the results. \| table([ProcessStartTime, pid, DomainName, ComputerName, aid, ImageFileName, MD5HashData, SHA256HashData], limit=200)	`Table`
Number of Hosts hitting the domain	Displays a list of the number of distinct hosts hitting the domain. Query results will only be provided if ?DomainName is specified. Hide Query Show Query logscale `/** * This counts the number of distinct hosts ('ComputerName') that * resolved a specific domain ('DomainName', parametrized by '?DomainName'). * This query will only return results if ?DomainName is specified. / #event_simpleName=DnsRequest \| test(?DomainName != "") \| aid=?aid \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| ComputerName=?ComputerName \| count(ComputerName, distinct=true)`	`Single Value`
Domain Lookups by Host	Displays a list of distinct hosts and the number of lookup requests they made. Hide Query Show Query logscale `/** * This lists the distinct hosts ('ComputerName') that resolve a specific * domain ('DomainName', parametrized by '?DomainName') and how many requests * they made. / #event_simpleName=DnsRequest \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| DomainName = ?DomainName \| groupBy([ComputerName, DomainName], limit=max) \| DomainName = \| top(ComputerName, sum=_count, as="# lookups")`	`Bar Chart`
Domain Lookups by Host (Table)	Displays a list of distinct hosts using ComputerName that resolve a specific domain, and how many requests they made. Hide Query Show Query logscale `/** * This lists the distinct hosts ('ComputerName') that resolve a specific * domain ('DomainName', parametrized by '?DomainName') and how many requests * they made. / #event_simpleName="DnsRequest" \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| DomainName=?DomainName \| groupBy([ComputerName, DomainName], limit=max) \| DomainName= \| top(ComputerName, sum=_count, as="#lookups")`	`Table`
Lookup Details	Shows all lookups for a given domain name/pattern Hide Query Show Query logscale \| #event_simpleName=DnsRequest \| test(?DomainName != "") \| DomainName = ?DomainName \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName) \| ComputerName = ?ComputerName \| groupBy([DomainName, ComputerName], function=[ { count(ContextTimeStamp, as="#lookups", distinct=true) }, { selectLast(ContextTimeStamp) \| rename(ContextTimeStamp, as=LastLookup) }, { select(ContextTimeStamp) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) } ]) \| sort(ComputerName, limit=20000) \| LastLookup := LastLookup1000 \| FirstLookup := FirstLookup*1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([DomainName, "#lookups", ComputerName, FirstLookup, LastLookup], limit=199, sortby="#lookups")	`Table`
Workflow Note	# Process and Domain Details Provide Domain Name and ComputerName (or aid) to display the data.	`Note`
Workflow Note	# Domain Lookup and Process Details Provide Domain Name to display the data. You can filter results by aid or Computer Name.	`Note`
Workflow Note	# Domain Lookup Summary Displays top domains, enter Domain Name to narrow the search.	`Note`
Workflow Note	# Domain Lookups by Host Displays top Hosts hitting the Domain(s). Enter Domain Name to narrow the search.	`Note`

File Vantage

Widget	Description	Type
File Integrity Alerts by User	Displays a chart of file integrity alerts by user. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| top(UserName, as="#alerts")`	`Bar Chart`
File Vantage Alerts	Displays a table of file vantage alerts and associated data. Hide Query Show Query logscale "#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectType=1 \| ObjectChanged:= "File"; ObjectType=2 \| ObjectChanged:= "Folder"; ObjectType=3 \| ObjectChanged:= "Value"; ObjectType=4 \| ObjectChanged:= "Key";} \| case { ObjectAccessOperationType = 1 \| ObjectOperation:= "Create"; ObjectAccessOperationType = 2 \| ObjectOperation:= "Write"; ObjectAccessOperationType = 3 \| ObjectOperation:= "Delete"; ObjectAccessOperationType = 4 \| ObjectOperation:= "Set"; ObjectAccessOperationType = 5 \| ObjectOperation:= "Rename";} \| table([@timestamp,PolicyRuleSeverity, aid, UID, UserName, CommandLine, ImageFileName, ObjectChanged, ObjectOperation, ObjectName, ObjectNameNew])	`Table`
File Vantage Alerts by Criticality	Displays a list of File Vantage alerts by criticality (Low, Medium, High, and Critical). Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { PolicyRuleSeverity=1 \| Severity := "Low"; PolicyRuleSeverity=2 \| Severity := "Medium"; PolicyRuleSeverity=3 \| Severity := "High"; PolicyRuleSeverity=4 \| Severity := "Critical"; } \| groupBy(Severity)`	`Pie Chart`
File Integrity Alerts	Displays a chart of file integrity alerts in a 1 hour timespan. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| timechart(span=1h, function=count()) \| rename(_count, as="#alerts")`	`Time Chart`
File Integrity Alerts by Operation	Displays a list of file integrity alerts by operation, including create, write, delete, set, and rename. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectAccessOperationType = 1 \| ObjectOperation:= "Create"; ObjectAccessOperationType = 2 \| ObjectOperation:= "Write"; ObjectAccessOperationType = 3 \| ObjectOperation:= "Delete"; ObjectAccessOperationType = 4 \| ObjectOperation:= "Set"; ObjectAccessOperationType = 5 \| ObjectOperation:= "Rename";} \| groupBy(ObjectOperation) \| rename(_count, as="#alerts")`	`Bar Chart`
File Vantage Alerts by Platform	Displays a list of file vantage alerts by platform. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched \| groupBy(event_platform)`	`Pie Chart`
File Vantage Alerts by File Name	Displays a pie chart of file vantage alerts by file name. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| ImageFileName = /(\/\|\\)(?<FileName>\w\.?\w)$/ \| top(FileName, as="#alerts")`	`Pie Chart`
File Integrity Alerts by Object	Displays a list of file integrity alerts by object, including, 'file', 'folder', 'value', and 'key'. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectType=1 \| ObjectChanged:= "File"; ObjectType=2 \| ObjectChanged:= "Folder"; ObjectType=3 \| ObjectChanged:= "Value"; ObjectType=4 \| ObjectChanged:= "Key";} \| groupBy(ObjectChanged) \| rename(_count, as="#alerts")`	`Bar Chart`

Hash Search

Widget	Description	Type
File Execution Details (Specify FileName or SHA256)	Displays a list of file execution details by file name or SHA256 and limits results to the first 20,000 entries. Hide Query Show Query logscale `// This query will only return results if at least one of ?FileName or ?SHA256 is specified. case { test(?FileName == "") \| test(?SHA256 == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) \| #event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| table([@timestamp, aid, ImageFileName, CommandLine], limit=20000)`	`Table`
File Execution by Host	Displays a pie chart of file executions by host, limited to the first 25 entries. Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| top(field=ComputerName,limit=25)`	`Pie Chart`
File Written by Hosts	Displays a pie chart of files written by hosts, limited to the first 25 entries. Hide Query Show Query logscale `#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256 \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| top(field=ComputerName,limit=25)`	`Pie Chart`
File Written Details (Specify ComputerName)	This widget only shows result if a ComputerName is specified) Hide Query Show Query logscale `#event_simpleName="FileWritten" AND SHA256HashData = ?SHA256 \| test(?ComputerName != "") \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| ComputerName = ?ComputerName \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| table([@timestamp, aid, ComputerName, TargetFileName], limit=200)`	`Table`
Written on Distinct Hosts	Displays a list of files written on distinct hosts. Hide Query Show Query logscale `#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256 \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| count(field=ComputerName,distinct=true)`	`Single Value`
Execution Activity	Displays a chart of execution activity. Hide Query Show Query logscale `#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| timeChart(function=count(as="Activity"))`	`Time Chart`
Execution History (Specify FileName or SHA256)	Display a table of execution history including execution date/time and file name, organizes it by host, and limits to the top 199 entries. Note that this query will only return results if at least one of ?FileName or ?SHA256 is specified. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 AND SHA256HashData = ?SHA256 // This query will only return results if at least one of ?FileName or ?SHA256 is specified. \| case { test(?FileName == "") \| test(?SHA256 == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| groupby([SHA256HashData, FileName], function=[ count(aid, as="#hosts", distinct=true), { selectLast([ProcessStartTime, aid]) \| rename(ProcessStartTime, as=LastExecutionDateTime) \| rename(aid, as=LastExecutedOn) }, { head(1) \| select([ProcessStartTime, aid]) \| rename(ProcessStartTime, as=FirstExecutionDateTime) \| rename(aid, as=FirstExecutedOn) } ], limit=max) \| LastExecutionDateTime := LastExecutionDateTime1000 \| FirstExecutionDateTime := FirstExecutionDateTime1000 \| LastExecutionDateTime := formatTime(field=LastExecutionDateTime, format="%Y/%m/%d %H:%M:%S") \| FirstExecutionDateTime := formatTime(field=FirstExecutionDateTime, format="%Y/%m/%d %H:%M:%S") \| drop(@timestamp) \| table([SHA256HashData, FileName, "#hosts", FirstExecutedOn, FirstExecutionDateTime, LastExecutedOn, LastExecutionDateTime], limit=199, sortby="#hosts")	`Table`
Number of Hosts Executing File	Displays the number of hosts executing a specific program that have been identified as suspicious. Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true) \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| count(field=ComputerName, distinct=true)`	`Single Value`
Unique Host Executions	Displays a chart of unique host executions over time. Hide Query Show Query logscale `#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| timeChart(function=count(as="Hosts", field=aid, distinct=true))`	`Time Chart`
Workflow Note	# Workflow Start by entering a file name or a SHA256 to see results for 'Execution History', File Execution Details', and 'File Written Details'.	`Note`

Host Search

Widget	Description	Type
Services Started	Displays a table of services started on Windows platform and limits results to the first 200 entries. Hide Query Show Query logscale `#event_simpleName=ServiceStarted AND event_platform=Win \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| table([@timestamp, UserName, ServiceDisplayName, CommandLine], limit=200)`	`Table`
Network Connection Destinations	Displays a world map of network connection destinations by IP address. Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| worldMap(ip=RemoteAddressIP4)`	`World Map`
Parent to Child Process	Displays a flow chart of the parent file to child file process. Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| sankey(source=ParentBaseFileName, target=ImageFileName)`	`Sankey`
Listening Ports	Displays a table of ports that are listening and associated data, then limits results to the first 200 entries. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkListenIP4 \| aid=?aid \| test(?aid != "") // We essentially want to join the ContextProcessId of the network events // with the TargetProcessId of the ProcessEvents, so we create a new // field 'pid' on which we can do a groupby. \| #event_simpleName match { ProcessRollup2 => pid := TargetProcessId; NetworkListenIP4 => pid := ContextProcessId; } // Group by the agent ID and for each group, group by the 'pid' field. \| groupBy("aid", function=[ { groupBy("pid", function=[ // Extract the ImageFileName field. { #event_simpleName="ProcessRollup2" \| selectLast([ImageFileName]) }, // Extract up to 200 rows of the LocalAddressIP4 and LocalPort // fields. { #event_simpleName="NetworkListenIP4" \| table([LocalAddressIP4, LocalPort]) } ], limit=max) } ], limit=max) \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true) // Filter off results that do not have the below fields. \| LocalAddressIP4= AND LocalPort=* AND ImageFileName=* // Present the results. \| table([aid, ComputerName, ImageFileName, LocalAddressIP4, LocalPort], limit=200)	`Table`
Top DNS Requests	Displays a list of top DNS requests by domain name. Hide Query Show Query logscale `#event_simpleName=DnsRequest \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| top(DomainName) \| rename(_count, as="#requests")`	`Table`
Detections: Map Tactic Technique	Displays a flow chart of detections by tactic and technique. Hide Query Show Query logscale `EventType=Event_ExternalApiEvent \| test(?aid != "*") \| AgentIdString = ?aid #cid = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
User Logons	Displays a table of user logons by type with additional data, then limits results to the first 200 entries. Hide Query Show Query logscale #event_simpleName=UserLogon \| test(?aid != "") \| aid=?aid AND #cid = ?cid \| case { LogonType="2" \| Logon_Type:="Interactive"; LogonType="3" \| Logon_Type:="Network"; LogonType="4" \| Logon_Type:="Batch"; LogonType="5" \| Logon_Type:="Service"; LogonType="6" \| Logon_Type:="Proxy"; LogonType="7" \| Logon_Type:="Unlock"; LogonType="8" \| Logon_Type:="Network clear text"; LogonType="9" \| Logon_Type:="New Credentials"; LogonType="10" \| Logon_Type:="RDP"; LogonType="11" \| Logon_Type:="Cached Credentials"; LogonType="12" \| Logon_Type:="Auditing"; LogonType="13" \| Logon_Type:="Unlock Workstation";} \| table([@timestamp, UserName, LogonDomain, Logon_Type, UserIsAdmin], limit=200)	`Table`
Schedule Tasks	Displays a table of scheduled tasks with associated data (username, task name, command data, and arguments). Hide Query Show Query logscale `#event_simpleName=ScheduledTaskRegistered \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| table([UserName, TaskName, TaskExecCommand, TaskExecArguments])`	`Table`
Network Connections Count	Displays a list of IP4 network connections. Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| !regex("^(10\|172\.16\|192\.168)\.", field=RemoteAddressIP4) \| ipLocation(field=RemoteAddressIP4, as=RemoteAddressIP4) \| top([RemoteAddressIP4, RemoteAddressIP4.country]) \| rename(_count, as="#connections")`	`Table`
Detections	Displays a list of API event detections. Hide Query Show Query logscale `ExternalApiType=Event_DetectionSummaryEvent \| test(?aid != "*") \| AgentIdString = ?aid AND CustomerIdString = ?cid \| groupby([UserName, FileName, DetectName, DetectDescription, SeverityName], function=[count(as=DetectionCount)], limit=max)`	`Table`
Packed Executable Written	Displays a list of packed executables that have been written. Hide Query Show Query logscale `#event_simpleName=PackedExecutableWritten \| test(?aid != "*") \| #cid = ?cid AND aid=?aid \| count()`	`Single Value`
Unique Executables Written	Displays a list of unique executables written using SHA256 hash data. Hide Query Show Query logscale `#event_simpleName=PeFileWritten \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| count(SHA256HashData, distinct=true)`	`Single Value`
Processes	Displays a table of processes by file name and limits results to the first 200 entries. Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| table([@timestamp, FileName, CommandLine, ParentBaseFileName], limit=200)`	`Table`
Host Information	Displays a table of host information, including computername, agentversion, etc.) Hide Query Show Query logscale `#event_simpleName=AgentOnline \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| ipLocation(field=aip, as=aip) \| groupby([ComputerName, AgentVersion, aip, aip.country, aip.city, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, aid], limit=max) \| drop(_count)`	`Table`
Workflow Note	#Workflow Add a non-wildcard value to the aid parameter for the widgets to display results.	`Note`

IP Search

Widget	Description	Type
IP Summary	Displays a table of summarized IP address data. Hide Query Show Query logscale #event_simpleName=NetworkConnectIP4 \| not cidr(RemoteAddressIP4, subnet=["192.168.0.0/16", "176.16.0.0/20", "10.0.0.0/24"]) \| aid =~ match(file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| groupBy(RemoteAddressIP4, function=[ { selectLast([ContextTimeStamp]) \| rename(ContextTimeStamp, as=LastLookup) }, { select([ContextTimeStamp]) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) \| drop(@timestamp) }, { count(ComputerName, as=NumberOfHosts, distinct=true) } ], limit=max) \| sort(NumberOfHosts, order=descending, limit=20000) // Convert the time fields to human readable format \| LastLookup := LastLookup1000 \| FirstLookup := FirstLookup1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([RemoteAddressIP4, NumberOfHosts, FirstLookup, LastLookup], limit=199)	`Table`
IP Connections by Host	Displays a table of IP connections for a given host. Hide Query Show Query logscale `/* * This query finds the IP Connections for a given host */ \| #event_simpleName=NetworkConnectIP4 \| RemoteAddressIP4=?IP \| match("fdr_aidmaster.csv",field="aid", column="aid", include=ComputerName, strict=true) \| ComputerName=?ComputerName \| groupby([ComputerName, RemoteAddressIP4], limit=max) \| top(ComputerName, sum=_count) \| rename(_sum, as="#connections")`	`Table`
IP Connections by Host	Displays a chart of IP connections for a given host. Hide Query Show Query logscale `/* * This query finds the IP Connections for a given host */ #event_simpleName=NetworkConnectIP4 \| RemoteAddressIP4=?IP \| match("fdr_aidmaster.csv",field="aid", column="aid", include=ComputerName, strict=true) \| ComputerName=?ComputerName \| groupBy([ComputerName, RemoteAddressIP4], limit=max) \| top(ComputerName, sum=_count)`	`Bar Chart`
Process and IP	Displays a table of target process IDs and IP addresses in descending order and limits results to the first 100 entries. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 \| ImageFileName=* \| aid=* \| join(max=10000, field=[TargetProcessId], key=ContextProcessId, include=[_count], mode=inner, query={ #event_simpleName=NetworkConnectIP4 \| groupBy([RemoteAddressIP4], function=[ { count(RemoteAddressIP4, distinct=true) \| _count > 0 }, { selectLast(ContextProcessId) } ], limit=max) }) \| groupby([ImageFileName], function=[sum(_count, as="#ips"), { tail(1) \| selectLast(aid) }], limit=max) \| "#ips" > 0 \| sort("#ips", order=descending, limit=100) \| table([ImageFileName, aid, "#ips"])	`Table`
IP Lookup Details (Specify IP to show data)	Displays a table of IP address details including computer ID, the first and last lookup, etc. then limits the results to the first 199 entries. Hide Query Show Query logscale \| test(?IP != "") \| #event_simpleName=NetworkConnectIP4 \| RemoteAddressIP4 = ?IP \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName) \| groupBy([RemoteAddressIP4, ComputerName], function=[ { count(ContextTimeStamp, as="#lookups", distinct=true) }, { selectLast(ContextTimeStamp) \| rename(ContextTimeStamp, as=LastLookup) }, { select(ContextTimeStamp) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) } ], limit=max) \| sort(ComputerName, limit=20000) \| LastLookup := LastLookup1000 \| FirstLookup := FirstLookup*1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([RemoteAddressIP4, ComputerName, FirstLookup, LastLookup, "#lookups"], limit=199)	`Table`

Monitor Deployment

Widget	Description	Type
Active Sensors	Displays a list of active sensors on a world map. Hide Query Show Query logscale `#event_simpleName="AgentOnline" \| worldMap(ip=aip)`	`World Map`
Number of Hosts	Displays a chart of the number of hosts online in a 6 hour timespan. Hide Query Show Query logscale `"#event_simpleName"=AgentOnline \| timechart(span=6h,function=count(field=aid,distinct=true)) \| rename(_count, as="#hosts")`	`Time Chart`
Hosts by Platform	Displays a pie chart of hosts by platform. Hide Query Show Query logscale `#kind=Secondary \| SecondaryEventType=aidmaster \| GroupBy(event_platform, function=count(field=aid, distinct=true), limit=max)`	`Pie Chart`
Hosts by Platform	Displays a table of hosts by platform. Hide Query Show Query logscale `#kind=Secondary \| SecondaryEventType=aidmaster \| GroupBy(event_platform, function=count(field=aid, distinct=true, as="#hosts"))`	`Table`

Process Context Events

Widget	Description	Type
Process - Network Events	Displays a table of network events TCP, ICMP, UDP, and IP data. Hide Query Show Query logscale `test(?ProcessId != "") \| (#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid \| case { Protocol=6 \| eval(aProtocol="TCP"); Protocol=1 \| eval(aProtocol="ICMP"); Protocol=17 \| eval(aProtocol="UDP"); Protocol=58 \| eval(aProtocol="IPv6-ICMP");} \| table([@timestamp, aid, aProtocol, LocalAddressIP4, LocalAddressIP6, LocalPort, RemoteAddressIP4, RemoteAddressIP6, RemotePort])`	`Table`
Context Events by Type	Displays a pie chart of context events by type. Hide Query Show Query logscale `test(?ProcessId != "*") \| ContextProcessId = ?ProcessId \| groupBy([aid, #event_simpleName])`	`Pie Chart`
Files Written	Displays a list of files that have been written. Hide Query Show Query logscale `test(?ProcessId != "") \| #event_simpleName=Written ContextProcessId = ?ProcessId aid = ?aid \| groupBy([#event_simpleName, TargetFileName]) \| rename(_count, as="#")`	`Table`
Original Processes	Displays a record of an original process from the command line, with an accompanying file name. Hide Query Show Query logscale `test(?FileName != "") \| #event_simpleName=ProcessRollup2 aid=?aid TargetProcessId = ?ProcessId \| ImageFileName = /(\/\|\\)(?<FileName>\w\.?\w*)$/i \| FileName = ?FileName \| rename(field=ImageFileName, as=OriginalFileName) \| rename(field=CommandLine, as=OriginalCommandLine) \| groupBy([aid, TargetProcessId, OriginalFileName, OriginalCommandLine]) \| sort(_count, order=asc) \| rename(_count, as="#")`	`Table`
Files Deleted	Displays a list of files that have been deleted by process ID. Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=FileDeleteInfo ContextProcessId = ?ProcessId aid = ?aid \| groupBy([#event_simpleName, TargetFileName]) \| rename(_count, as="#")`	`Table`
Destination IPs	Display a pie chart of destination IP addresses by type. Hide Query Show Query logscale `(#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid \| test(?ProcessId != "*") \| groupBy([RemoteAddressIP4, RemoteAddressIP6])`	`Pie Chart`
DNS Requests	Displays a table of DNS requests by domain name. Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=DnsRequest ContextProcessId = ?ProcessId aid = ?aid \| groupBy([DomainName]) \| rename(_count, as="#requests")`	`Table`
All Context Events	Displays a list of all context events by ID. Hide Query Show Query logscale `test(?ProcessId != "*") \| ContextProcessId = ?ProcessId aid = ?aid`	`Event List`
Image Hash Events	Displays a table of image hash events. Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=ImageHash ContextProcessId = ?ProcessId aid = ?aid \| groupBy([ImageFileName]) \| rename(_count, as="#events")`	`Table`
Workflow Note	# Workflow Start by entering a filename. The aid is optional, but will constrain (and speed up) the search if you have it. If you find an interesting process copy the ProcessId and paste it in the parameter above to show the context events below.	`Note`

Threat Hunting

Widget	Description	Type
Check random ASEPs	Displays a list of any found ASEPs. Hide Query Show Query logscale `// Looking for random generated keys // CSIT-21052 - QakBot #event_simpleName = "AsepValueUpdate" \| RegObjectName = "*\Software\Microsoft\Windows\CurrentVersion\Run" \| RegStringValue =~ /[a-z0-9]{6,10}/ \| groupBy(field=[RegStringValue,aid], limit=max) \| _count < 3 \| "#" := rename(_count)`	`Table`
Top Country Destinations	Displays a table of top country destinations by IP address and country. Hide Query Show Query logscale `#event_simpleName="NetworkConnectIP4" \| ipLocation(field=RemoteAddressIP4) \| top(RemoteAddressIP4.country, as="#")`	`Table`
Suspicious Leads	Displays a table of suspicious lead data. Hide Query Show Query logscale in(#event_simpleName, values=[ "DetectAnalysis", "FileDetectInfo", "HttpRequestDetect", "KillThreadStatus", "ModuleBlockedEventWithPatternId", "NetworkOutboundPortScanDetectInfo", "PackedExecutableWritten", "RansomwareCreateFile", "RansomwareFileAccessPattern", "RansomwareRenameFile", "RegGenericValueUpdate", "RegistryOperationBlocked", "RegistryOperationDetectInfo", "RemediationActionKillProcess", "RemediationActionQuarantineFile", "RemediationActionRegistryRemoval", "RemediationMonitorKillProcess", "RemediationMonitorQuarantineFile", "RemediationMonitorRegistryRemoval", "RemoteBruteForceDetectInfo", "ScriptControlBlocked", "ScriptControlDetectInfo", "SuspiciousCreateSymbolicLink", "SuspiciousPeFileWritten", "SuspiciousRegAsepUpdate", "SuspiciousRegAsepUpdateFromUnsignedModule", "SuspiciousRegAsepUpdateLacksContextSignature", "SuspiciousRegAsepUpdateLacksTargetSignature", "SuspiciousRegAsepUpdateToUnsignedTarget", "SuspiciousUserRemoteAPCAttempt", "TokenImpersonated", "ZerologonExploitAttempt", "CriticalFileModified" ]) \| groupBy(#event_simpleName, limit=max) \| "#" := rename(_count)	`Table`
High Entropy Domains	Displays a list of high entropy domains using Akamai and limits the results to the first 20 entries. Hide Query Show Query logscale `#event_simpleName="DnsRequest" \| entropy:=shannonEntropy(DomainName) \| not akamaihd \| GroupBy([DomainName, entropy], limit=max) \| "#" := rename(_count) \| sort(entropy, limit=20)`	`Table`
Open Ports	Displays a table of open ports for a given agent ID. Hide Query Show Query logscale /* * This query finds the open ports for a given agent ID (aid, * parameterized '?aid'). * This query will only give results if the ?aid parameter is specified. / \| test(?aid != "") \| #event_simpleName="ProcessRollup2" OR #event_simpleName=NetworkListenIP4 \| aid=?aid // We want to join the ContextProcessId of the network events with the // TargetProcessId of the process events, so we create a new field 'pid' // that we can group on. \| #event_simpleName match { "ProcessRollup2" => pid := TargetProcessId; "NetworkListenIP4" => pid := ContextProcessId; } \| groupBy("pid", function=[ // Extract the agentID and process path { #event_simpleName="ProcessRollup2" \| selectLast([aid, ImageFileName])}, // Extract up to 200 addresses and ports { #event_simpleName=NetworkListenIP4 \| table([LocalAddressIP4,LocalPort]) } ], limit=max) // Filter off the results that do not have a value for LocalAddressIP4, // LocalPort and ImageFileName fields. \| LocalAddressIP4=* AND LocalPort=* \| ImageFileName=* // Present the results. \| table([aid, ImageFileName,LocalAddressIP4,LocalPort])	`Table`
Top IP Destinations	Displays a table of top IP destinations. Hide Query Show Query logscale `#event_simpleName="NetworkConnectIP4" \| top(RemoteAddressIP4, as="#")`	`Table`
Potential Script Obfuscation	Script content rated by Shanon entropy to look for randomness as a proxy for obfuscation attempts. Hide Query Show Query logscale `#event_simpleName="ScriptControl" \| ScriptEntropy:=shannonEntropy(ScriptContent) \| GroupBy([ScriptEntropy, ScriptContent], limit=max) \| "#" := rename(_count) \| sort(ScriptEntropy, limit=20)`	`Table`
Unoriginal Filename	Displays a list of unoriginal executable file names. Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND OriginalFilename=* \| regex("(?<FileName>.+(\.exe)+)", field=OriginalFilename) \| test(OriginalFilename != FileName) \| table([ImageFileName, OriginalFilename])`	`Event List`
Required	Please specify the aid parameter in order to see results for the 'Open Ports' widget.	`Note`

Enter search term