crowdstrike/fdr Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

crowdstrike/fdr Dashboards

00 - FDR Package Announcement - Please Read

Widget	Description	Type
FDR Package Migration	# Important Changes This package is being reduced to only include the parser. Please use the crowdstrike/fltr-core package instead. Instructions for configuring the crowdstrike/fltr-core package can be found here: https://github.com/CrowdStrike/logscale-community-content/wiki/FLTR-Setup-and-Configuration # Migrating Content If you've made modifications to the crowdstrike/fdr package contents and wish to keep them, they can be exported by going to Settings -> Create a Package -> Export Package in this repo.	`Note`

Detections by Instance

Widget	Description	Type
Detections by Tactic	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Tactic, as="#events")`	`Pie Chart`
Detection Rate	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| timechart(span=1h, function=count()) \| rename(_count, as="#events")`	`Time Chart`
Map: Severity -> Technique	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Technique, source=SeverityName)`	`Sankey`
Detections by Severity	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(SeverityName)`	`Pie Chart`
Detections by Technique	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Technique, as="#events")`	`Bar Chart`
Detection by Attack	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(DetectDescription, as="#events")`	`Table`
Detection: Grandparent File -> Parent File	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=ParentImageFileName, source=GrandparentImageFileName)`	`Sankey`
Detection: Parent File -> File	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=FileName, source=ParentImageFileName)`	`Sankey`
Map: Technique -> Tactic	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
Detection Table	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])`	`Table`
Detections by Host	Hide Query Show Query logscale `not "#event_simpleName" = * \| EventType = "Event_ExternalApiEvent" \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(ComputerName, as="#events")`	`Table`
Detections by User	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(UserName, as="#events")`	`Table`

Detections by Type

Widget	Description	Type
Detections by Tactic	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Tactic, as="#events")`	`Pie Chart`
Detection Rate	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| timechart(span=1h, function=count()) \| rename(_count, as="#events")`	`Time Chart`
Map: Severity -> Technique	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Technique, source=SeverityName)`	`Sankey`
Detections by Severity	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(SeverityName)`	`Pie Chart`
Detections by Technique	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Technique, as="#events")`	`Bar Chart`
Detection by Attack	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(DetectDescription, as="#events")`	`Table`
Detection: Grandparent File -> Parent File	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=ParentImageFileName, source=GrandparentImageFileName)`	`Sankey`
Detection: Parent File -> File	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=FileName, source=ParentImageFileName)`	`Sankey`
Map: Technique -> Tactic	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
Detection Table	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])`	`Table`
Detections by Host	Hide Query Show Query logscale `not "#event_simpleName" = * \| EventType = "Event_ExternalApiEvent" \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(ComputerName, as="#events")`	`Table`
Detections by User	Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(UserName, as="#events")`	`Table`

Dev - Software Inventory

Widget	Description	Type
Product Versions	Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| top([ProductVersion], as="count")`	`Pie Chart`
Product Names	Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| top([ProductName], as="count")`	`Bar Chart`
Software Inventory	Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| groupBy([CompanyName, FileDescription, FileName, FileVersion, ProductName, ProductVersion], limit=max) \| rename(_count, as="count") \| sort([count,CompanyName, ProductName, FileVersion], order=desc)`	`Table`
Software Companies	Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| top([CompanyName], as="count")`	`Bar Chart`
Software Inventory Note	# FDR Requirements This dashboard runs on the secondary FDR data. FDR secondary data is not enabled by default, you may need to submit a ticket to CrowdStrike Support to enable the secondary data feed. You can check to see if your data includes secondary data by searching this data for: @path = fdrv2* To narrow down the data set use the CompanyName and then the ProductName drop-down parameters above.	`Note`

Domain Search

Widget	Description	Type
Domain Lookup Summary	Hide Query Show Query logscale /* * This query gives a summary of the domain(s) ('DomainName' * parameterized by '?DomainName') * It can also give a summary of all the hosts that a specific / #event_simpleName="DnsRequest" \| DomainName = ?DomainName \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| groupBy(DomainName, function=[ { selectLast([ContextTimeStamp, ComputerName]) \| rename(ContextTimeStamp, as=LastLookup) \| rename(ComputerName, as=LastLookupBy) }, { select([ContextTimeStamp, ComputerName]) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) \| rename(ComputerName, as=FirstLookupBy) \| drop(@timestamp) }, { count(ComputerName, as=NumberOfHosts, distinct=true) } ], limit=max) \| LastLookup := LastLookup 1000 \| FirstLookup := FirstLookup * 1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([DomainName, NumberOfHosts, FirstLookup, FirstLookupBy, LastLookup, LastLookupBy], limit=200, sortby=NumberOfHosts) \| rename(NumberOfHosts, as="#hosts")	`Table`
Process and Domain Details	Hide Query Show Query logscale /* * This query provices details of specific processes that resolve a * specific domain ('DomainName', parameterized by '?DomainName') and that are * run from a specific agent ID ('aid', parameterized '?aid') or ComputerName (?ComputerName). * This query will only return results if either ?DomainName and ?aid / ?ComputerName is specified. / #event_simpleName="ProcessRollup2" OR #event_simpleName="DnsRequest" \| test(?DomainName != "") \| aid=?aid \| case { test(?aid == "") \| test(?ComputerName == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) // We wish to join the ContextProcessId of the DnsRequest events to the // TargetProcessId of the ProcessRollup2 events, so we collect them both // in a field 'pid' that we can then group on. \| #event_simpleName match { "ProcessRollup2" => pid := TargetProcessId; "DnsRequest" => pid := ContextProcessId; } // Group the agent IDs, and for each group group by the 'pid' field. \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName) \| groupBy("pid", function= [ // Extract the latests ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, and SHA256HashData fields. { #event_simpleName="ProcessRollup2" \| selectLast([aid, ComputerName, ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, SHA256HashData]) }, // Extract the DomainName for each 'pid'. { #event_simpleName="DnsRequest" AND DomainName=?DomainName \| groupBy(DomainName) \| drop(["_count"]) } ], limit=max) // Remove entries that have no domain name or process start time. \| DomainName = * AND ProcessStartTime = * \| ComputerName = ?ComputerName // Make the process start time human-readable. \| ProcessStartTime := ProcessStartTime*1000 \| ProcessStartTime := formatTime(field=ProcessStartTime, format="%Y/%m/%d %H:%M:%S") // Present the results. \| table([ProcessStartTime, pid, DomainName, ComputerName, aid, ImageFileName, MD5HashData, SHA256HashData], limit=200)	`Table`
Number of Hosts hitting the domain	Hide Query Show Query logscale `/** * This counts the number of distinct hosts ('ComputerName') that * resolved a specific domain ('DomainName', parametrized by '?DomainName'). * This query will only return results if ?DomainName is specified. / #event_simpleName=DnsRequest \| test(?DomainName != "") \| aid=?aid \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| ComputerName=?ComputerName \| count(ComputerName, distinct=true)`	`Single Value`
Domain Lookups by Host	Hide Query Show Query logscale `/** * This lists the distinct hosts ('ComputerName') that resolve a specific * domain ('DomainName', parametrized by '?DomainName') and how many requests * they made. / #event_simpleName=DnsRequest \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| DomainName = ?DomainName \| groupBy([ComputerName, DomainName], limit=max) \| DomainName = \| top(ComputerName, sum=_count, as="# lookups")`	`Bar Chart`
Domain Lookups by Host (Table)	Hide Query Show Query logscale `/** * This lists the distinct hosts ('ComputerName') that resolve a specific * domain ('DomainName', parametrized by '?DomainName') and how many requests * they made. / #event_simpleName="DnsRequest" \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| DomainName=?DomainName \| groupBy([ComputerName, DomainName], limit=max) \| DomainName= \| top(ComputerName, sum=_count, as="#lookups")`	`Table`
Lookup Details	Shows all lookups for a given domain name/pattern Hide Query Show Query logscale \| #event_simpleName=DnsRequest \| test(?DomainName != "") \| DomainName = ?DomainName \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName) \| ComputerName = ?ComputerName \| groupBy([DomainName, ComputerName], function=[ { count(ContextTimeStamp, as="#lookups", distinct=true) }, { selectLast(ContextTimeStamp) \| rename(ContextTimeStamp, as=LastLookup) }, { select(ContextTimeStamp) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) } ]) \| sort(ComputerName, limit=20000) \| LastLookup := LastLookup1000 \| FirstLookup := FirstLookup*1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([DomainName, "#lookups", ComputerName, FirstLookup, LastLookup], limit=199, sortby="#lookups")	`Table`
Workflow Note	# Process and Domain Details Provide Domain Name and ComputerName (or aid) to display the data.	`Note`
Workflow Note	# Domain Lookup and Process Details Provide Domain Name to display the data. You can filter results by aid or Computer Name.	`Note`
Workflow Note	# Domain Lookup Summary Displays top domains, enter Domain Name to narrow the search.	`Note`
Workflow Note	# Domain Lookups by Host Displays top Hosts hitting the Domain(s). Enter Domain Name to narrow the search.	`Note`

File Vantage

Widget	Description	Type
File Integrity Alerts by User	Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| top(UserName, as="#alerts")`	`Bar Chart`
File Vantage Alerts	Hide Query Show Query logscale "#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectType=1 \| ObjectChanged:= "File"; ObjectType=2 \| ObjectChanged:= "Folder"; ObjectType=3 \| ObjectChanged:= "Value"; ObjectType=4 \| ObjectChanged:= "Key";} \| case { ObjectAccessOperationType = 1 \| ObjectOperation:= "Create"; ObjectAccessOperationType = 2 \| ObjectOperation:= "Write"; ObjectAccessOperationType = 3 \| ObjectOperation:= "Delete"; ObjectAccessOperationType = 4 \| ObjectOperation:= "Set"; ObjectAccessOperationType = 5 \| ObjectOperation:= "Rename";} \| table([@timestamp,PolicyRuleSeverity, aid, UID, UserName, CommandLine, ImageFileName, ObjectChanged, ObjectOperation, ObjectName, ObjectNameNew])	`Table`
File Vantage Alerts by Criticality	Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { PolicyRuleSeverity=1 \| Severity := "Low"; PolicyRuleSeverity=2 \| Severity := "Medium"; PolicyRuleSeverity=3 \| Severity := "High"; PolicyRuleSeverity=4 \| Severity := "Critical"; } \| groupBy(Severity)`	`Pie Chart`
File Integrity Alerts	Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| timechart(span=1h, function=count()) \| rename(_count, as="#alerts")`	`Time Chart`
File Integrity Alerts by Operation	Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectAccessOperationType = 1 \| ObjectOperation:= "Create"; ObjectAccessOperationType = 2 \| ObjectOperation:= "Write"; ObjectAccessOperationType = 3 \| ObjectOperation:= "Delete"; ObjectAccessOperationType = 4 \| ObjectOperation:= "Set"; ObjectAccessOperationType = 5 \| ObjectOperation:= "Rename";} \| groupBy(ObjectOperation) \| rename(_count, as="#alerts")`	`Bar Chart`
File Vantage Alerts by Platform	Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched \| groupBy(event_platform)`	`Pie Chart`
File Vantage Alerts by File Name	Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| ImageFileName = /(\/\|\\)(?<FileName>\w\.?\w)$/ \| top(FileName, as="#alerts")`	`Pie Chart`
File Integrity Alerts by Object	Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectType=1 \| ObjectChanged:= "File"; ObjectType=2 \| ObjectChanged:= "Folder"; ObjectType=3 \| ObjectChanged:= "Value"; ObjectType=4 \| ObjectChanged:= "Key";} \| groupBy(ObjectChanged) \| rename(_count, as="#alerts")`	`Bar Chart`

Hash Search

Widget	Description	Type
File Execution Details (Specify FileName or SHA256)	Hide Query Show Query logscale `// This query will only return results if at least one of ?FileName or ?SHA256 is specified. case { test(?FileName == "") \| test(?SHA256 == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) \| #event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| table([@timestamp, aid, ImageFileName, CommandLine], limit=20000)`	`Table`
File Execution by Host	Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| top(field=ComputerName,limit=25)`	`Pie Chart`
File Written by Hosts	Hide Query Show Query logscale `#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256 \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| top(field=ComputerName,limit=25)`	`Pie Chart`
File Written Details (Specify ComputerName)	This widget only shows result if a ComputerName is specified) Hide Query Show Query logscale `#event_simpleName="FileWritten" AND SHA256HashData = ?SHA256 \| test(?ComputerName != "") \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| ComputerName = ?ComputerName \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| table([@timestamp, aid, ComputerName, TargetFileName], limit=200)`	`Table`
Written on Distinct Hosts	Hide Query Show Query logscale `#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256 \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| count(field=ComputerName,distinct=true)`	`Single Value`
Execution Activity	Hide Query Show Query logscale `#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| timeChart(function=count(as="Activity"))`	`Time Chart`
Execution History (Specify FileName or SHA256)	Hide Query Show Query logscale #event_simpleName=ProcessRollup2 AND SHA256HashData = ?SHA256 // This query will only return results if at least one of ?FileName or ?SHA256 is specified. \| case { test(?FileName == "") \| test(?SHA256 == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| groupby([SHA256HashData, FileName], function=[ count(aid, as="#hosts", distinct=true), { selectLast([ProcessStartTime, aid]) \| rename(ProcessStartTime, as=LastExecutionDateTime) \| rename(aid, as=LastExecutedOn) }, { head(1) \| select([ProcessStartTime, aid]) \| rename(ProcessStartTime, as=FirstExecutionDateTime) \| rename(aid, as=FirstExecutedOn) } ], limit=max) \| LastExecutionDateTime := LastExecutionDateTime1000 \| FirstExecutionDateTime := FirstExecutionDateTime1000 \| LastExecutionDateTime := formatTime(field=LastExecutionDateTime, format="%Y/%m/%d %H:%M:%S") \| FirstExecutionDateTime := formatTime(field=FirstExecutionDateTime, format="%Y/%m/%d %H:%M:%S") \| drop(@timestamp) \| table([SHA256HashData, FileName, "#hosts", FirstExecutedOn, FirstExecutionDateTime, LastExecutedOn, LastExecutionDateTime], limit=199, sortby="#hosts")	`Table`
Number of Hosts Executing File	Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true) \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| count(field=ComputerName, distinct=true)`	`Single Value`
Unique Host Executions	Hide Query Show Query logscale `#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| timeChart(function=count(as="Hosts", field=aid, distinct=true))`	`Time Chart`
Workflow Note	# Workflow Start by entering a file name or a SHA256 to see results for 'Execution History', File Execution Details', and 'File Written Details'.	`Note`

Host Search

Widget	Description	Type
Services Started	Hide Query Show Query logscale `#event_simpleName=ServiceStarted AND event_platform=Win \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| table([@timestamp, UserName, ServiceDisplayName, CommandLine], limit=200)`	`Table`
Network Connection Destinations	Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| worldMap(ip=RemoteAddressIP4)`	`World Map`
Parent to Child Process	Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| sankey(source=ParentBaseFileName, target=ImageFileName)`	`Sankey`
Listening Ports	Hide Query Show Query logscale #event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkListenIP4 \| aid=?aid \| test(?aid != "") // We essentially want to join the ContextProcessId of the network events // with the TargetProcessId of the ProcessEvents, so we create a new // field 'pid' on which we can do a groupby. \| #event_simpleName match { ProcessRollup2 => pid := TargetProcessId; NetworkListenIP4 => pid := ContextProcessId; } // Group by the agent ID and for each group, group by the 'pid' field. \| groupBy("aid", function=[ { groupBy("pid", function=[ // Extract the ImageFileName field. { #event_simpleName="ProcessRollup2" \| selectLast([ImageFileName]) }, // Extract up to 200 rows of the LocalAddressIP4 and LocalPort // fields. { #event_simpleName="NetworkListenIP4" \| table([LocalAddressIP4, LocalPort]) } ], limit=max) } ], limit=max) \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true) // Filter off results that do not have the below fields. \| LocalAddressIP4= AND LocalPort=* AND ImageFileName=* // Present the results. \| table([aid, ComputerName, ImageFileName, LocalAddressIP4, LocalPort], limit=200)	`Table`
Top DNS Requests	Hide Query Show Query logscale `#event_simpleName=DnsRequest \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| top(DomainName) \| rename(_count, as="#requests")`	`Table`
Detections: Map Tactic Technique	Hide Query Show Query logscale `EventType=Event_ExternalApiEvent \| test(?aid != "*") \| AgentIdString = ?aid #cid = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
User Logons	Hide Query Show Query logscale #event_simpleName=UserLogon \| test(?aid != "") \| aid=?aid AND #cid = ?cid \| case { LogonType="2" \| Logon_Type:="Interactive"; LogonType="3" \| Logon_Type:="Network"; LogonType="4" \| Logon_Type:="Batch"; LogonType="5" \| Logon_Type:="Service"; LogonType="6" \| Logon_Type:="Proxy"; LogonType="7" \| Logon_Type:="Unlock"; LogonType="8" \| Logon_Type:="Network clear text"; LogonType="9" \| Logon_Type:="New Credentials"; LogonType="10" \| Logon_Type:="RDP"; LogonType="11" \| Logon_Type:="Cached Credentials"; LogonType="12" \| Logon_Type:="Auditing"; LogonType="13" \| Logon_Type:="Unlock Workstation";} \| table([@timestamp, UserName, LogonDomain, Logon_Type, UserIsAdmin], limit=200)	`Table`
Schedule Tasks	Hide Query Show Query logscale `#event_simpleName=ScheduledTaskRegistered \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| table([UserName, TaskName, TaskExecCommand, TaskExecArguments])`	`Table`
Network Connections Count	Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| !regex("^(10\|172\.16\|192\.168)\.", field=RemoteAddressIP4) \| ipLocation(field=RemoteAddressIP4, as=RemoteAddressIP4) \| top([RemoteAddressIP4, RemoteAddressIP4.country]) \| rename(_count, as="#connections")`	`Table`
Detections	Hide Query Show Query logscale `ExternalApiType=Event_DetectionSummaryEvent \| test(?aid != "*") \| AgentIdString = ?aid AND CustomerIdString = ?cid \| groupby([UserName, FileName, DetectName, DetectDescription, SeverityName], function=[count(as=DetectionCount)], limit=max)`	`Table`
Packed Executable Written	Hide Query Show Query logscale `#event_simpleName=PackedExecutableWritten \| test(?aid != "*") \| #cid = ?cid AND aid=?aid \| count()`	`Single Value`
Unique Executables Written	Hide Query Show Query logscale `#event_simpleName=PeFileWritten \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| count(SHA256HashData, distinct=true)`	`Single Value`
Processes	Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| table([@timestamp, FileName, CommandLine, ParentBaseFileName], limit=200)`	`Table`
Host Information	Hide Query Show Query logscale `#event_simpleName=AgentOnline \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| ipLocation(field=aip, as=aip) \| groupby([ComputerName, AgentVersion, aip, aip.country, aip.city, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, aid], limit=max) \| drop(_count)`	`Table`
Workflow Note	#Workflow Add a non-wildcard value to the aid parameter for the widgets to display results.	`Note`

IP Search

Widget	Description	Type
IP Summary	Hide Query Show Query logscale #event_simpleName=NetworkConnectIP4 \| not cidr(RemoteAddressIP4, subnet=["192.168.0.0/16", "176.16.0.0/20", "10.0.0.0/24"]) \| aid =~ match(file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| groupBy(RemoteAddressIP4, function=[ { selectLast([ContextTimeStamp]) \| rename(ContextTimeStamp, as=LastLookup) }, { select([ContextTimeStamp]) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) \| drop(@timestamp) }, { count(ComputerName, as=NumberOfHosts, distinct=true) } ], limit=max) \| sort(NumberOfHosts, order=descending, limit=20000) // Convert the time fields to human readable format \| LastLookup := LastLookup1000 \| FirstLookup := FirstLookup1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([RemoteAddressIP4, NumberOfHosts, FirstLookup, LastLookup], limit=199)	`Table`
IP Connections by Host	Hide Query Show Query logscale `/* * This query finds the IP Connections for a given host */ \| #event_simpleName=NetworkConnectIP4 \| RemoteAddressIP4=?IP \| match("fdr_aidmaster.csv",field="aid", column="aid", include=ComputerName, strict=true) \| ComputerName=?ComputerName \| groupby([ComputerName, RemoteAddressIP4], limit=max) \| top(ComputerName, sum=_count) \| rename(_sum, as="#connections")`	`Table`
IP Connections by Host	Hide Query Show Query logscale `/* * This query finds the IP Connections for a given host */ #event_simpleName=NetworkConnectIP4 \| RemoteAddressIP4=?IP \| match("fdr_aidmaster.csv",field="aid", column="aid", include=ComputerName, strict=true) \| ComputerName=?ComputerName \| groupBy([ComputerName, RemoteAddressIP4], limit=max) \| top(ComputerName, sum=_count)`	`Bar Chart`
Process and IP	Hide Query Show Query logscale #event_simpleName=ProcessRollup2 \| ImageFileName=* \| aid=* \| join(max=10000, field=[TargetProcessId], key=ContextProcessId, include=[_count], mode=inner, query={ #event_simpleName=NetworkConnectIP4 \| groupBy([RemoteAddressIP4], function=[ { count(RemoteAddressIP4, distinct=true) \| _count > 0 }, { selectLast(ContextProcessId) } ], limit=max) }) \| groupby([ImageFileName], function=[sum(_count, as="#ips"), { tail(1) \| selectLast(aid) }], limit=max) \| "#ips" > 0 \| sort("#ips", order=descending, limit=100) \| table([ImageFileName, aid, "#ips"])	`Table`
IP Lookup Details (Specify IP to show data)	Hide Query Show Query logscale \| test(?IP != "") \| #event_simpleName=NetworkConnectIP4 \| RemoteAddressIP4 = ?IP \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName) \| groupBy([RemoteAddressIP4, ComputerName], function=[ { count(ContextTimeStamp, as="#lookups", distinct=true) }, { selectLast(ContextTimeStamp) \| rename(ContextTimeStamp, as=LastLookup) }, { select(ContextTimeStamp) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) } ], limit=max) \| sort(ComputerName, limit=20000) \| LastLookup := LastLookup1000 \| FirstLookup := FirstLookup*1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([RemoteAddressIP4, ComputerName, FirstLookup, LastLookup, "#lookups"], limit=199)	`Table`

Monitor Deployment

Widget	Description	Type
Active Sensors	Hide Query Show Query logscale `#event_simpleName="AgentOnline" \| worldMap(ip=aip)`	`World Map`
Number of Hosts	Hide Query Show Query logscale `"#event_simpleName"=AgentOnline \| timechart(span=6h,function=count(field=aid,distinct=true)) \| rename(_count, as="#hosts")`	`Time Chart`
Hosts by Platform	Hide Query Show Query logscale `#kind=Secondary \| SecondaryEventType=aidmaster \| GroupBy(event_platform, function=count(field=aid, distinct=true), limit=max)`	`Pie Chart`
Hosts by Platform	Hide Query Show Query logscale `#kind=Secondary \| SecondaryEventType=aidmaster \| GroupBy(event_platform, function=count(field=aid, distinct=true, as="#hosts"))`	`Table`

Process Context Events

Widget	Description	Type
Process - Network Events	Hide Query Show Query logscale `test(?ProcessId != "") \| (#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid \| case { Protocol=6 \| eval(aProtocol="TCP"); Protocol=1 \| eval(aProtocol="ICMP"); Protocol=17 \| eval(aProtocol="UDP"); Protocol=58 \| eval(aProtocol="IPv6-ICMP");} \| table([@timestamp, aid, aProtocol, LocalAddressIP4, LocalAddressIP6, LocalPort, RemoteAddressIP4, RemoteAddressIP6, RemotePort])`	`Table`
Context Events by Type	Hide Query Show Query logscale `test(?ProcessId != "*") \| ContextProcessId = ?ProcessId \| groupBy([aid, #event_simpleName])`	`Pie Chart`
Files Written	Hide Query Show Query logscale `test(?ProcessId != "") \| #event_simpleName=Written ContextProcessId = ?ProcessId aid = ?aid \| groupBy([#event_simpleName, TargetFileName]) \| rename(_count, as="#")`	`Table`
Original Processes	Hide Query Show Query logscale `test(?FileName != "") \| #event_simpleName=ProcessRollup2 aid=?aid TargetProcessId = ?ProcessId \| ImageFileName = /(\/\|\\)(?<FileName>\w\.?\w*)$/i \| FileName = ?FileName \| rename(field=ImageFileName, as=OriginalFileName) \| rename(field=CommandLine, as=OriginalCommandLine) \| groupBy([aid, TargetProcessId, OriginalFileName, OriginalCommandLine]) \| sort(_count, order=asc) \| rename(_count, as="#")`	`Table`
Files Deleted	Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=FileDeleteInfo ContextProcessId = ?ProcessId aid = ?aid \| groupBy([#event_simpleName, TargetFileName]) \| rename(_count, as="#")`	`Table`
Destination IPs	Hide Query Show Query logscale `(#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid \| test(?ProcessId != "*") \| groupBy([RemoteAddressIP4, RemoteAddressIP6])`	`Pie Chart`
DNS Requests	Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=DnsRequest ContextProcessId = ?ProcessId aid = ?aid \| groupBy([DomainName]) \| rename(_count, as="#requests")`	`Table`
All Context Events	Hide Query Show Query logscale `test(?ProcessId != "*") \| ContextProcessId = ?ProcessId aid = ?aid`	`Event List`
Image Hash Events	Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=ImageHash ContextProcessId = ?ProcessId aid = ?aid \| groupBy([ImageFileName]) \| rename(_count, as="#events")`	`Table`
Workflow Note	# Workflow Start by entering a filename. The aid is optional, but will constrain (and speed up) the search if you have it. If you find an interesting process copy the ProcessId and paste it in the parameter above to show the context events below.	`Note`

Threat Hunting

Widget	Description	Type
Check random ASEPs	Hide Query Show Query logscale `// Looking for random generated keys // CSIT-21052 - QakBot #event_simpleName = "AsepValueUpdate" \| RegObjectName = "*\Software\Microsoft\Windows\CurrentVersion\Run" \| RegStringValue =~ /[a-z0-9]{6,10}/ \| groupBy(field=[RegStringValue,aid], limit=max) \| _count < 3 \| "#" := rename(_count)`	`Table`
Top Country Destinations	Hide Query Show Query logscale `#event_simpleName="NetworkConnectIP4" \| ipLocation(field=RemoteAddressIP4) \| top(RemoteAddressIP4.country, as="#")`	`Table`
Suspicious Leads	Hide Query Show Query logscale in(#event_simpleName, values=[ "DetectAnalysis", "FileDetectInfo", "HttpRequestDetect", "KillThreadStatus", "ModuleBlockedEventWithPatternId", "NetworkOutboundPortScanDetectInfo", "PackedExecutableWritten", "RansomwareCreateFile", "RansomwareFileAccessPattern", "RansomwareRenameFile", "RegGenericValueUpdate", "RegistryOperationBlocked", "RegistryOperationDetectInfo", "RemediationActionKillProcess", "RemediationActionQuarantineFile", "RemediationActionRegistryRemoval", "RemediationMonitorKillProcess", "RemediationMonitorQuarantineFile", "RemediationMonitorRegistryRemoval", "RemoteBruteForceDetectInfo", "ScriptControlBlocked", "ScriptControlDetectInfo", "SuspiciousCreateSymbolicLink", "SuspiciousPeFileWritten", "SuspiciousRegAsepUpdate", "SuspiciousRegAsepUpdateFromUnsignedModule", "SuspiciousRegAsepUpdateLacksContextSignature", "SuspiciousRegAsepUpdateLacksTargetSignature", "SuspiciousRegAsepUpdateToUnsignedTarget", "SuspiciousUserRemoteAPCAttempt", "TokenImpersonated", "ZerologonExploitAttempt", "CriticalFileModified" ]) \| groupBy(#event_simpleName, limit=max) \| "#" := rename(_count)	`Table`
High Entropy Domains	Hide Query Show Query logscale `#event_simpleName="DnsRequest" \| entropy:=shannonEntropy(DomainName) \| not akamaihd \| GroupBy([DomainName, entropy], limit=max) \| "#" := rename(_count) \| sort(entropy, limit=20)`	`Table`
Open Ports	Hide Query Show Query logscale /* * This query finds the open ports for a given agent ID (aid, * parameterized '?aid'). * This query will only give results if the ?aid parameter is specified. / \| test(?aid != "") \| #event_simpleName="ProcessRollup2" OR #event_simpleName=NetworkListenIP4 \| aid=?aid // We want to join the ContextProcessId of the network events with the // TargetProcessId of the process events, so we create a new field 'pid' // that we can group on. \| #event_simpleName match { "ProcessRollup2" => pid := TargetProcessId; "NetworkListenIP4" => pid := ContextProcessId; } \| groupBy("pid", function=[ // Extract the agentID and process path { #event_simpleName="ProcessRollup2" \| selectLast([aid, ImageFileName])}, // Extract up to 200 addresses and ports { #event_simpleName=NetworkListenIP4 \| table([LocalAddressIP4,LocalPort]) } ], limit=max) // Filter off the results that do not have a value for LocalAddressIP4, // LocalPort and ImageFileName fields. \| LocalAddressIP4=* AND LocalPort=* \| ImageFileName=* // Present the results. \| table([aid, ImageFileName,LocalAddressIP4,LocalPort])	`Table`
Top IP Destinations	Hide Query Show Query logscale `#event_simpleName="NetworkConnectIP4" \| top(RemoteAddressIP4, as="#")`	`Table`
Potential Script Obfuscation	Script content rated by Shanon entropy to look for randomness as a proxy for obfuscation attempts. Hide Query Show Query logscale `#event_simpleName="ScriptControl" \| ScriptEntropy:=shannonEntropy(ScriptContent) \| GroupBy([ScriptEntropy, ScriptContent], limit=max) \| "#" := rename(_count) \| sort(ScriptEntropy, limit=20)`	`Table`
Unoriginal Filename	Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND OriginalFilename=* \| regex("(?<FileName>.+(\.exe)+)", field=OriginalFilename) \| test(OriginalFilename != FileName) \| table([ImageFileName, OriginalFilename])`	`Event List`
Required	Please specify the aid parameter in order to see results for the 'Open Ports' widget.	`Note`

Enter search term