// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="No")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="Yes")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

// Do an IP location on the field, otherwise set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A")

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Display the output.
| groupBy(UserId, function=(top(OperationName, limit=20)), limit=10)
| sankey(source="UserId", target="OperationName", weight=count(OperationName, distinct=true))

// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="Yes")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="No")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

// Do an IP location on the field, otherwise set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A")

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Display the output.
| groupBy([UserId, OperationName], function=count(OperationName), limit=max)
| _count > 2

// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="No")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="Yes")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

// Do an IP location on the field, otherwise set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A")

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Display the output.
| top(OperationName, limit=5)

// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="No")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="Yes")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

// Do an IP location on the field, otherwise set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A")

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Display the output.
| groupBy(OperationName, function=(top(ServiceName, limit=20)), limit=10)
| sankey(source="OperationName", target="ServiceName", weight=count(ServiceName, distinct=true))

// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="No")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="Yes")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

// Do an IP location on the field, otherwise set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A")

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Display the output.
| top(ServiceName, limit=5)

// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="No")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="Yes")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

// Do an IP location on the field, otherwise set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A")

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Display the output.
| top(UserId, limit=5)

// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="No")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="Yes")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

// Grab additional values.
| join(
    { #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent UserActivityAuditEvent | OperationName=detection_update },
      field=DetectId, key=Attributes.detection_id, mode=left, include=["Attributes.new_state", "Attributes.assigned_to_uid"],
    limit=100000
  )

// Rename fields.
| AssignedTo:=rename(Attributes.assigned_to_uid)
| NewState:=rename(Attributes.new_state)

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country, AssignedTo, NewState], value="N/A", replaceEmpty=true)

// Display the output.
| table([TimeUTC, UserId, ServiceName, OperationName, UserIp, UserIp.city, UserIp.country, DetectId, AssignedTo, NewState], limit=1000)

// Search for audit events.
#event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent
| ExternalApiType=Event_UserActivityAuditEvent

| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true)
| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true)
| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true)

| case {
    test(?IncludeInternalUsers=="No")
      | UserId=/@/ ;
    test(?IncludeInternalUsers=="Yes")
      | wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ;
  }

| UserId:=lower(?UserId)

// Do an IP location on the field, otherwise set default values.
| ipLocation(UserIp)
| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A")

// Convert and format the timestamp.
| UTCTimestamp:=UTCTimestamp*1000
| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z)

// Display the output.
| timeChart(UserId, function=count(), limit=10)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(Tactic, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| timechart(span=1h, function=count())
| rename(_count, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=Technique, source=SeverityName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(SeverityName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(Technique, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(DetectDescription, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=ParentImageFileName, source=GrandparentImageFileName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=FileName, source=ParentImageFileName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=Tactic, source=Technique)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])

not "#event_simpleName" = *
| EventType = "Event_ExternalApiEvent"
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(ComputerName, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(UserName, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(Tactic, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| timechart(span=1h, function=count())
| rename(_count, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=Technique, source=SeverityName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(SeverityName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(Technique, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(DetectDescription, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=ParentImageFileName, source=GrandparentImageFileName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=FileName, source=ParentImageFileName)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| sankey(target=Tactic, source=Technique)

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])

not "#event_simpleName" = *
| EventType = "Event_ExternalApiEvent"
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(ComputerName, as="#events")

not "#event_simpleName" = *
| ExternalApiType = "Event_DetectionSummaryEvent"
| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid
| top(UserName, as="#events")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| count(AgentIdString, distinct=true, as="Total Endpoints")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| PatternDispositionDescription=/(?<preventStatus>^(Prevention|Detection))(\,|\/).*/i
| groupBy("preventStatus", limit=100)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| LocalIP=/(?<endpointSubnet>\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}/i
| endpointSubnet!=""
| top(endpointSubnet, limit=100)
| count:=rename(_count)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| UserName!="N/A"
| groupBy(UserName, function=[count(DetectId, distinct=true, as=count), sum(Severity, as=SeveritySum)], limit=max)
| sort(SeveritySum, order=desc, limit=100)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| wildcard(field=SeverityName, pattern=?SeverityName, ignoreCase=true)
| groupby(SeverityName, limit=max)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| DetectId=/\S+\:(?<aid>\S+)\:(?<detectID>\S+)$/i
| format("[Detection Link](%s)", field=FalconHostLink, as="Falcon UI Link")
| groupBy([aid, DetectId], function=([sum(Severity, as=SeveritySum), collect([ComputerName, detectID, "Falcon UI Link", SeverityName])]), limit=max)
| table([aid, ComputerName, detectID, SeverityName, SeveritySum, "Falcon UI Link"], limit=100, sortby=SeveritySum)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| MachineDomain!=""
| top(MachineDomain, limit=100)
| count:=rename(_count)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| count(DetectId, distinct=true, as="Total Detections")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| count(AgentIdString,  as="Total Behaviors")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| PatternDispositionDescription=/would\shave/i
| count(DetectId)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true)
| PatternDispositionDescription=/(?<preventStatus>^(Prevention|Detection))(\,|\/).*/i
| sankey(source="preventStatus", target="SeverityName", weight=count(DetectId, distinct=true))

"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform
| top(UserName, as="#alerts")

"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform
| case {
  ObjectType=1 | ObjectChanged:= "File";
  ObjectType=2 | ObjectChanged:= "Folder";
  ObjectType=3 | ObjectChanged:= "Value";
  ObjectType=4 | ObjectChanged:= "Key";}
| case {
  ObjectAccessOperationType = 1 | ObjectOperation:= "Create";
  ObjectAccessOperationType = 2 | ObjectOperation:= "Write";
  ObjectAccessOperationType = 3 | ObjectOperation:= "Delete";
  ObjectAccessOperationType = 4 | ObjectOperation:= "Set";
  ObjectAccessOperationType = 5 | ObjectOperation:= "Rename";}
| table([@timestamp,PolicyRuleSeverity, aid, UID, UserName, CommandLine, ImageFileName, ObjectChanged, ObjectOperation, ObjectName, ObjectNameNew])

"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform
| case {
  PolicyRuleSeverity=1 | Severity := "Low";
  PolicyRuleSeverity=2 | Severity := "Medium";
  PolicyRuleSeverity=3 | Severity := "High";
  PolicyRuleSeverity=4 | Severity := "Critical";
}
| groupBy(Severity)

"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform
| timechart(span=1h, function=count())
| rename(_count, as="#alerts")

"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform
| case {
  ObjectAccessOperationType = 1 | ObjectOperation:= "Create";
  ObjectAccessOperationType = 2 | ObjectOperation:= "Write";
  ObjectAccessOperationType = 3 | ObjectOperation:= "Delete";
  ObjectAccessOperationType = 4 | ObjectOperation:= "Set";
  ObjectAccessOperationType = 5 | ObjectOperation:= "Rename";}
| groupBy(ObjectOperation)
| rename(_count, as="#alerts")

"#event_simpleName"=FileIntegrityMonitorRuleMatched
| groupBy(event_platform)

"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform
| ImageFileName =  /(\/|\\)(?<FileName>\w*\.?\w*)$/
| top(FileName, as="#alerts")

"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform
| case {
  ObjectType=1 | ObjectChanged:= "File";
  ObjectType=2 | ObjectChanged:= "Folder";
  ObjectType=3 | ObjectChanged:= "Value";
  ObjectType=4 | ObjectChanged:= "Key";}
| groupBy(ObjectChanged)
| rename(_count, as="#alerts")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| groupBy([Tactic, @timestamp], function=count(AgentIdString, as="DetectionCount"), limit=max)
| bucket(field="Tactic", buckets=42, limit=50)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| top([ComputerName, Tactic], limit=25)
| rename("_count", as="Detection Count")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent | ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| groupBy(Tactic, function=count(AgentIdString, as="DetectionCount"), limit=max)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent | ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| groupBy(Technique, function=count(AgentIdString, as="DetectionCount"), limit=max)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| groupBy([Tactic, Technique, Severity], function=count(AgentIdString, as="Weight"), limit=max)
| Weight:=Weight*Severity
| drop(Severity)
| sankey(source="Tactic", target="Technique", weight=sum(Weight))

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| top([ComputerName, Technique], limit=25)
| rename("_count", as="Detection Count")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| groupBy([Tactic, Technique, Severity], function=count(AgentIdString, as="Weight"), limit=max)
| Weight:=Weight*Severity
| drop(Severity)

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| top([FileName, Tactic, Technique], limit=25)
| rename("_count", as="Detection Count")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| top([Tactic, Technique], limit=25)
| rename("_count", as="Detection Count")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
| Tactic!=/(^custom|machine\slearning)/i Tactic!="" Technique=*
| groupBy([Tactic, Technique], function=count(AgentIdString, as="Weight"), limit=max)
| Weight:=Weight*Severity
| drop(Severity)

#event_simpleName=PodInfo
| count(PodServiceAccountName, distinct=true)

#kind=Primary #event_simpleName!=*
| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent
| groupBy(detectionName, limit=max)

#kind=Primary #event_simpleName!=*
| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent
| groupBy(severity, limit=max)

#event_simpleName=PodInfo
| count(field=PodNamespace, distinct=true)

#event_simpleName=PodInfo
| join({#event_simpleName=OsVersionInfo}, field=aid, include=AgentVersion, limit=200000)
| groupBy(aid, function=selectLast([AgentVersion, PodName, PodNamespace, PodHostname]), limit=max)

#kind=Primary #event_simpleName!=*
| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent
| count(detectionName)

#event_simpleName=PodInfo
| worldMap(ip=aip, magnitude=count(aid))

#kind=Primary #event_simpleName!=*
| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent
| "Detection Type":=format("%-18s %s", field=[severity, detectionName])
| groupBy(resourceName, function=[collect(["Detection Type", clusterName], limit=1000), count(as="Total Events")], limit=max)
| sort("Total Events", limit=10000)

#event_simpleName=PodInfo
| join({#event_simpleName=OsVersionInfo}, field=aid, include=OSVersionString, limit=200000)
| groupBy(aid, function=selectLast(OSVersionString), limit=max)
| OSVersionString = /^Linux\s(?<hostName>\S+)\s(?<kernelVersion>\S+)\s/i
| kernelVersion=/(?<kernelBranch>\d+\.\d+)\./
| groupBy("kernelBranch", limit=max)

#event_simpleName=PodInfo
| count(aid, distinct=true)

#kind = "Secondary" SecondaryEventType = "appinfo"
| CompanyName = ?CompanyName | ProductName = ?ProductName
| top([ProductVersion], as="count")

#kind = "Secondary" SecondaryEventType = "appinfo"
| CompanyName = ?CompanyName | ProductName = ?ProductName
| top([ProductName], as="count")

#kind = "Secondary" SecondaryEventType = "appinfo"
| CompanyName = ?CompanyName | ProductName = ?ProductName
| groupBy([CompanyName, FileDescription, FileName, FileVersion, ProductName, ProductVersion], limit=max)
| rename(_count, as="count")
| sort([count,CompanyName, ProductName, FileVersion], order=desc)

#kind = "Secondary" SecondaryEventType = "appinfo"
| CompanyName = ?CompanyName
| top([CompanyName], as="count")

#event_simpleName=/^(OsVersionInfo|ConfigStateUpdate|SensorHeartbeat)$/
| event_platform=Lin
| groupBy([cid, aid], function=([selectLast([ConfigStateData, OSVersionString, SensorStateBitMap])]), limit=max)
| ConfigStateData match {
    /1400000000c4/ => isInUserMode:="1" ;
    *              => isInUserMode:="0" ;
  }
| SensorStateBitMap match {
    2 => isInRFM:="1" ;
    0 => isInRFM:="0" ;
  }
| case {
    isInUserMode=1 isInRFM=1 | Status:="User Mode" ;
    isInUserMode=0 isInRFM=0 | Status:="Kernel Mode" ;
    isInUserMode=0 isInRFM=1 | Status:="RFM" ;
    * 
  }
| groupBy("Status", function=(count(aid, as="Count")), limit=max)

#event_simpleName=PodInfo
| count(field=PodNamespace, distinct=true)

#event_simpleName=PodInfo
| join({#event_simpleName=OsVersionInfo}, field=aid, include=AgentVersion, limit=200000)
| groupBy(aid, function=selectLast([AgentVersion, PodName, PodNamespace, PodHostname]), limit=max)

#event_simpleName=UserLogon
| event_platform=Lin UID=0
| $"crowdstrike/fltr-core:zComputerName"()
| case {
    LogonType=2  | LogonType:="Interactive" ;
    LogonType=10 | LogonType:="SSH" ;
    * ;
  }
| groupBy([aid, ComputerName], function=([count(aid, as="Logon Count"), collect(LogonType, limit=1000)]), limit=max)

#event_simpleName=/^(OsVersionInfo|ConfigStateUpdate|SensorHeartbeat)$/
| event_platform=Lin
| groupBy([cid, aid], function=([selectLast([ConfigStateData, OSVersionString, SensorStateBitMap])]), limit=max)
| ConfigStateData match {
    /1400000000c4/ => isInUserMode:="1" ;
    *              => isInUserMode:="0" ;
  }
| SensorStateBitMap match {
    2 => isInRFM:="1" ;
    0 => isInRFM:="0" ;
  }
| isInRFM=1 AND isInUserMode=0
| count(aid, distinct=true)

#event_simpleName=UserLogon
| event_platform=Lin LogonType=10
| ipLocation(RemoteAddressIP4)
| Location:=format(format="%s, %s", field=[RemoteAddressIP4.country, RemoteAddressIP4.city])
| case {
    Location="null, null" | Location:="-" ;
    * ;
  }
| $"crowdstrike/fltr-core:zComputerName"()
| groupBy(["RemoteAddressIP4"], function=([count(aid, as="Connection Count"), collect([Location, ComputerName, LocalAddressIP4, aid], limit=1000)]), limit=10)
| "Destination SSH":=rename("RemoteAddressIP4")
| table([aid, ComputerName, Location, LocalAddressIP4, "Destination SSH", "Connection Count"], sortby="Connection Count", limit=1000)

#event_simpleName=PodInfo
| worldMap(ip=aip, magnitude=count(aid))

#event_simpleName=PodInfo
| join({#event_simpleName=OsVersionInfo}, field=aid, include=OSVersionString, limit=200000)
| groupBy(aid, function=selectLast(OSVersionString), limit=max)
| OSVersionString = /^Linux\s(?<hostName>\S+)\s(?<kernelVersion>\S+)\s/i
| kernelVersion=/(?<kernelBranch>\d+\.\d+)\./
| groupBy("kernelBranch", limit=max)

#event_simpleName=NetworkListenIP4
| event_platform=Lin
| $"crowdstrike/fltr-core:zComputerName"()
| groupBy([aid, ComputerName, FileName, LocalAddressIP4, LocalPort], limit=max)
| match(file="crowdstrike/fltr-core/service-names-port-numbers.csv", field=LocalPort, include=ServiceName, ignoreCase=true, strict=false)
| sort(field=LocalPort, order=asc, limit=10)
| drop(_count)

#event_simpleName=PodInfo
| count(aid, distinct=true)

#event_simpleName="AgentOnline"
| worldMap(ip=aip)

"#event_simpleName"=AgentOnline
| timechart(span=6h,function=count(field=aid,distinct=true))
| rename(_count, as="#hosts")

#kind=Secondary | SecondaryEventType=aidmaster
| GroupBy(event_platform, function=count(field=aid, distinct=true), limit=max)

#kind=Secondary | SecondaryEventType=aidmaster
| GroupBy(event_platform, function=count(field=aid, distinct=true, as="#hosts"))

#event_simpleName=ProcessRollup2
| event_platform=Win
| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i
| CommandLine=/\s+(?<netFlag>ACCOUNTS|COMPUTER|CONFIG|CONTINUE|FILE|GROUP|HELP|HELPMSG|LOCALGROUP|NAME|PAUSE|PRINT|SEND|SESSION|SHARE|START|STATISTICS|STOP|TIME|USE|USER|VIEW)\s+/i
| netFileName:=lower("netFileName")
| netFlag:=lower(netFlag)
| sankey(source="netFileName", target="netFlag", weight=count(aid))

#event_simpleName=ProcessRollup2
| event_platform=Win
| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i
| CommandLine=/\s+(?<netFlag>(GROUP|USER))\s+/i
| CommandLine=/\/domain/i
| $"crowdstrike/fltr-core:zComputerName"()
| $"crowdstrike/fltr-core:zUrlFalconPid"()
| $"crowdstrike/fltr-core:zUrlFalconAid"()
| ProcessStartTime:=ProcessStartTime*1000
| "Endpoint Time (UTC)":=formatTime("%Y-%m-%d %H:%M:%S", field=ProcessStartTime, locale=en_US, timezone=Z)
| table(["Endpoint Time (UTC)", aid, ComputerName, "Host Search", UserSid, "User Search", netFileName, netFlag, CommandLine, "Process Explorer", "Graph Explorer", "Spotlight", "RTR"], limit=1000)

#event_simpleName=ProcessRollup2
| event_platform=Win
| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i
| CommandLine=/\s+(?<netFlag>ACCOUNTS|COMPUTER|CONFIG|CONTINUE|FILE|GROUP|HELP|HELPMSG|LOCALGROUP|NAME|PAUSE|PRINT|SEND|SESSION|SHARE|START|STATISTICS|STOP|TIME|USE|USER|VIEW)\s+/i
| netFileName:=lower("netFileName")
| netFlag:=lower(netFlag)
| timeChart(netFlag, function=count(aid))

#event_simpleName=ProcessRollup2
| event_platform=Win
| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i
| CommandLine=/\s+(?<netFlag>(LOCALGROUP|USER))\s+/i
| CommandLine!=/\/domain/i
| $"crowdstrike/fltr-core:zComputerName"()
| $"crowdstrike/fltr-core:zUrlFalconPid"()
| $"crowdstrike/fltr-core:zUrlFalconAid"()
| ProcessStartTime:=ProcessStartTime*1000
| "Endpoint Time (UTC)":=formatTime("%Y-%m-%d %H:%M:%S", field=ProcessStartTime, locale=en_US, timezone=Z)
| table(["Endpoint Time (UTC)", aid, ComputerName, "Host Search", UserSid, "User Search", netFileName, netFlag, CommandLine, "Process Explorer", "Graph Explorer", "Spotlight", "RTR"], limit=1000)
| drop(["aid", UserSid])

#event_simpleName=ProcessRollup2
| event_platform=Win
| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i
| CommandLine=/\s+(?<netFlag>ACCOUNTS|COMPUTER|CONFIG|CONTINUE|FILE|GROUP|HELP|HELPMSG|LOCALGROUP|NAME|PAUSE|PRINT|SEND|SESSION|SHARE|START|STATISTICS|STOP|TIME|USE|USER|VIEW)\s+/i
| netFileName:=lower("netFileName")
| netFlag:=lower(netFlag)
| groupBy([netFileName, netFlag], limit=max)

#event_simpleName=UserLogon
| event_platform=Win
| UserSid="S-1-5-21-*"
| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) 
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) 
| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true)
| passwordAge:=(now()-(PasswordLastSet*1000))/1000/60/60/24
| passwordAgeDays:=round("passwordAge")
| $"crowdstrike/fltr-core:zLogonTypeName"()
| passwordAgeDays:=avg("passwordAgeDays")
| round("passwordAgeDays")

#event_simpleName=UserLogon
| event_platform=Win
| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) 
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) 
| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true)
| $"crowdstrike/fltr-core:zLogonTypeName"()
| timeChart(LogonTypeName, function=count(UserSid))

#event_simpleName=UserLogon
| event_platform=Win
| UserSid="S-1-5-21-*"
| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) 
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)
| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true)
| passwordAge:=(now()-(PasswordLastSet*1000))/1000/60/60/24
| passwordAgeDays:=round("passwordAge")
| $"crowdstrike/fltr-core:zLogonTypeName"()
| case {
    UserIsAdmin="0" | UserIsAdmin:="No" ;
    UserIsAdmin="1" | UserIsAdmin:="Yes" ;
    * ;
  }
| case {
    RemoteAccount="0" | RemoteAccount:="No" ;
    RemoteAccount="1" | RemoteAccount:="Yes" ;
    * ;
  }
| LogonTime:=LogonTime*1000
| LogonTime:=formatTime("%Y-%m-%d %H:%M:%S", field=LogonTime, locale=en_US, timezone=Z)
| table([LogonTime, ClientComputerName, UserName, passwordAgeDays, UserSid, LogonTypeName, LogonDomain, LogonServer, RemoteAccount, UserIsAdmin], limit=1000)

#event_simpleName=UserLogon
| event_platform=Win
| UserSid="S-1-5-21-*"
| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) 
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) 
| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true)
| passwordAge:=(now()-(PasswordLastSet*1000))/1000/60/60/24
| passwordAgeDays:=round("passwordAge")
| $"crowdstrike/fltr-core:zLogonTypeName"()
| passwordAgeDays>365
| count(UserSid, distinct=true)

#event_simpleName=UserLogon
| LogonType=10
| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) 
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)
| RemoteAddressIP4=*
| !cidr(RemoteAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
| ipLocation(RemoteAddressIP4)
| worldMap(ip=RemoteAddressIP4, magnitude=count(aid))

#event_simpleName=UserLogon
| event_platform=Win UserSid=/^S\-1\-5\-21\-.*/
| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) 
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) 
| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true)
| lowercase("UserName")
| groupby(UserSid, function=([count(UserName, distinct=true), collect(UserName, limit=1000)]), limit=max)
| _count>1
| count(UserSid)

#event_simpleName=UserLogon
| LogonType=2
| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) 
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)
| !cidr(RemoteAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
| ipLocation(aip)
| worldMap(ip=aip, magnitude=count(aid))

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=FirewallSetRule
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("App=(?<App>(.*?))\|", field=FirewallRule, strict=false)
| regex("Action=(?<Action>(.*?))\|", field=FirewallRule, strict=false)
| regex("Active=(?<Active>(.*?))\|", field=FirewallRule, strict=false)
| regex("Profile=(?<Profile>(.*?))\|", field=FirewallRule, strict=false)
| regex("Protocol=(?<Protocol>(.*?))\|", field=FirewallRule, strict=false)
| regex("Dir=(?<Dir>(.*?))\|", field=FirewallRule, strict=false)
| regex("LPort=(?<LPort>(.*?))\|", field=FirewallRule, strict=false)
| regex("RPort=(?<RPort>(.*?))\|", field=FirewallRule, strict=false)
| regex("Desc=(?<Description>(.*?))\|", field=FirewallRule, strict=false)
| regex("Name=(?<Name>(.*?))\|", field=FirewallRule, strict=false)
| regex("(?<FileName>[^\\\]+$)", field=App, strict=false)
| Protocol match {
    "1"  => Protocol:="ICMP" ;
    "6"  => Protocol:="TCP" ;
    "17" => Protocol:="UDP" ;
    "58" => Protocol:="IPv6-ICMP" ;
    * => * ;
  }
| groupBy([@timestamp, RpcClientProcessId, Name, Protocol, ComputerName, App, Direction, Profile, LPort, RPort, FileName, Direction], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

#event_simpleName=NetworkConnectIP4
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| worldMap(ip=RemoteAddressIP4)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=/^(ProcessRollup2|SyntheticProcessRollup2)$/ 
| ImageFileName=/\\powershell(_ise)?\.exe/i
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("(?<FileName>[^/\\\]+$)", field=ImageFileName, strict=false)
| groupBy([@timestamp, ComputerName, UserSid, ParentProcessId, RawProcessId, TargetProcessId, CommandLine, aid], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=InstanceMetadata
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| kvParse(field=InstanceMetadata, separator=":")
| groupBy([aid, ComputerName, privateIp, accountId, instanceId, instanceType, imageId, availabilityZone], limit=1000)
| drop([_count])

#event_simpleName=ProcessRollup2
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| sankey(source=ParentBaseFileName, target=ImageFileName)

#cid = ?cid
| #event_simpleName=/^(ProcessRollup2|NetworkConnectIP4)$/
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| #event_simpleName match {
    ProcessRollup2    => pid:=TargetProcessId ;
    NetworkConnectIP4 => pid:=ContextProcessId ;
    * => * ;
  }
| groupBy([aid, pid], function=
    [
      // Extract the path of the process
      { #event_simpleName=ProcessRollup2 | selectLast([@timestamp, ImageFileName, CommandLine]) },
      // Extract the domain name
      { #event_simpleName=NetworkConnectIP4 | groupBy([RemoteAddressIP4, RemotePort, LocalPort], limit=max) | drop(_count) }
    ], limit=max)
| RemoteAddressIP4=*
| ImageFileName= /(\/|\\)(?<FileName>\w*\.?\w*)$/i
| groupBy([@timestamp, RemoteAddressIP4, LocalPort, RemotePort, pid, FileName, CommandLine], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=CommandHistory
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| replace("¶", with="\n", field=CommandHistory)
| table([@timestamp, ApplicationName, CommandCount, CommandHistory], limit=1000)
| sort(@timestamp, limit=1000)

#event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkListenIP4
| aid=?aid
| test(?aid != "*")
// We essentially want to join the ContextProcessId of the network events
// with the TargetProcessId of the ProcessEvents, so we create a new
// field 'pid' on which we can do a groupby.
| #event_simpleName match {
  ProcessRollup2 => pid := TargetProcessId;
  NetworkListenIP4 => pid := ContextProcessId;
}
// Group by the agent ID and for each group, group by the 'pid' field.
| groupBy("aid", function=[
  { groupBy("pid", function=[
    // Extract the ImageFileName field.
    { #event_simpleName="ProcessRollup2" | selectLast([ImageFileName]) },
    // Extract up to 200 rows of the LocalAddressIP4 and LocalPort
    // fields.
    { #event_simpleName="NetworkListenIP4" | table([LocalAddressIP4, LocalPort]) }
  ], limit=max)
  }
], limit=max)
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true)
// Filter off results that do not have the below fields.
| LocalAddressIP4=* AND LocalPort=* AND ImageFileName=*
// Present the results.
      | table([aid, ComputerName, ImageFileName, LocalAddressIP4, LocalPort], limit=200)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=AsepValueUpdate
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| count(RegValueName, distinct=true)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=BrowserInjectedThread
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| count(TargetThreadId, distinct=true)

#event_simpleName=DnsRequest
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| top(DomainName)
| rename(_count, as="#requests")

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| $"crowdstrike/fltr-core:zUrlFalconAid"()
| head(1)
| rename(field="RTR", as="Real Time Response")
| replace("\[RTR\]", with="\[Real Time Response\]", field="Real Time Response")
| table(["Real Time Response", "User Search", "Zero Trust Assessment", "Spotlight", "Host Management", "Host Search"], limit=10)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=NewScriptWritten
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false)
| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, size], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2 
| ImageFileName=/reg.exe/i
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false)
| groupBy([@timestamp, UserSid, FileName, CommandLine, ParentBaseFileName], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=AsepKeyUpdate
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| count(RegObjectName, distinct=true)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #kind=Secondary
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| $"crowdstrike/fltr-core:zUrlFalconAid"()
| ipLocation(field=aip, as=aip)
| groupBy(aid, function=collect([ComputerName, RTR, aip, aip.city, aip.country, ProductType, Version, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, MachineDomain, AgentVersion, aid, #cid], limit=100), limit=1000)
| drop(_count)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=JavaInjectedThread
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| count(TargetThreadId, distinct=true)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=*FileWritten* 
| IsOnRemovableDisk=1
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false)
| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, Size], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

#event_simpleName=UserLogon
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| case { LogonType="2" | Logon_Type:="Interactive"; LogonType="3" | Logon_Type:="Network";
LogonType="4" | Logon_Type:="Batch"; LogonType="5" | Logon_Type:="Service";
LogonType="6" | Logon_Type:="Proxy"; LogonType="7" | Logon_Type:="Unlock";
LogonType="8" | Logon_Type:="Network clear text"; LogonType="9" | Logon_Type:="New Credentials";
LogonType="10" | Logon_Type:="RDP"; LogonType="11" | Logon_Type:="Cached Credentials";
LogonType="12" | Logon_Type:="Auditing"; LogonType="13" | Logon_Type:="Unlock Workstation";*}
| table([@timestamp, UserName, LogonDomain, Logon_Type, UserIsAdmin], limit=200)

#event_simpleName=ScheduledTaskRegistered
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| table([UserName, TaskName, TaskExecCommand, TaskExecArguments])

#event_simpleName=NetworkConnectIP4
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| !regex("^(10|172\.16|192\.168)\.", field=RemoteAddressIP4)
| ipLocation(field=RemoteAddressIP4, as=RemoteAddressIP4)
| top([RemoteAddressIP4, RemoteAddressIP4.country])
| rename(_count, as="#connections")

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=/^(NetworkConnectIP4|NetworkReceiveAcceptIP4|LocalIpAddressIP4)$/
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| LocalAddressIP4=*
| groupBy(PhysicalAddress, function=[collect([LocalAddressIP4, aip, InterfaceAlias], limit=100)], limit=max)

ExternalApiType=Event_DetectionSummaryEvent
| test(?aid != "*")
| AgentIdString = ?aid AND CustomerIdString = ?cid
| groupby([UserName, FileName, DetectName, DetectDescription, SeverityName], function=[count(as=DetectionCount)], limit=max)

#cid = ?cid
| #event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2
| CommandLine=* ImageFileName=*
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("(?<FileName>[^/\\\]+$)", field=ImageFileName, strict=false)
| match(file="crowdstrike/fltr-core/recon_apps.csv", field=FileName, include=FileName, ignoreCase=true, strict=true)
| groupBy([@timestamp, UserSid, FileName, TargetProcessId, CommandLine, aid], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

#event_simpleName=PackedExecutableWritten
| test(?aid != "*")
| #cid = ?cid AND aid=?aid
| count()

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=/^(AgentOnline|FirmwareImageAnalyzed|FirmwareImageCheck)$/
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| groupBy([aid, ComputerName, SystemManufacturer, BiosReleaseDate, BiosVersion, SHA256HashData], limit=1000)
| drop([_count])

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=ServiceStarted
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("(?<FileName>[^/\\\]+$)", field=ImageFileName, strict=false)
| groupBy([@timestamp, ComputerName, UserName, TargetProcessId, ServiceDisplayName, CommandLine, SHA256HashData, aid], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| (#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2)
| ImageFileName=/(\/|\\)(?<FileName>\w*\.?\w*)$/i
| rename(field=ImageFileName, as=OriginalFileName) 
| rename(field=CommandLine, as=OriginalCommandLine)
| tail(1000)
| $"crowdstrike/fltr-core:zUrlFalconPid"()
| groupBy([@timestamp, ComputerName, FileName, OriginalCommandLine, TargetProcessId, MD5HashData, ParentBaseFileName, ParentProcessId, aid], function=collect(["Process Explorer"]), limit=1000)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=InjectedThreadFromUnsignedModule
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| count(TargetThreadId, distinct=true)

#event_simpleName=PeFileWritten
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| count(SHA256HashData, distinct=true)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=/^(ExecutableDeleted|NewExecutableRenamed|NewExecutableWritten|PeFileWritten)$/
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false)
| tail(200)
| #event_simpleName match {
    "ExecutableDeleted"     => Action:="Deleted" ;
    "NewExecutableRenamed"  => Action:="Renamed" ;
    "NewExecutableWritten"  => Action:="Added" ;
    "PeFileWritten"         => Action:="Added" ;
  }
| tail(1000)
| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, Action], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| ExternalApiType=Event_DetectionSummaryEvent
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| format("[Detection Link](%s)", field=["FalconHostLink"], as="DetectionLink")
| groupBy([@timestamp, DetectId], function=[collect([DetectionLink, FileName, DetectName, Severity, SeverityName, ComputerName, UserName, MD5String, SHA256String], limit=100)], limit=1000)
| drop(DetectId)
| sort(@timestamp, limit=1000)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=DLLInjections
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| count(TargetThreadId, distinct=true)

wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| #event_simpleName=/^(RarFileWritten|SevenZipFileWritten|ZipFileWritten)$/
| $"crowdstrike/fltr-core:zComputerName"() 
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| tail(1000)
| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false)
| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, size], limit=1000)
| drop(_count)
| sort(@timestamp, limit=1000)

#event_simpleName=AgentOnline
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| ipLocation(field=aip, as=aip)
| groupby([ComputerName, AgentVersion, aip, aip.country, aip.city, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, aid], limit=max)
| drop(_count)

#event_simpleName=ServiceStarted AND event_platform=Win
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| table([@timestamp, UserName, ServiceDisplayName, CommandLine], limit=200)

#event_simpleName=NetworkConnectIP4
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| worldMap(ip=RemoteAddressIP4)

#event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkListenIP4
| aid=?aid
| test(?aid != "*")
// We essentially want to join the ContextProcessId of the network events
// with the TargetProcessId of the ProcessEvents, so we create a new
// field 'pid' on which we can do a groupby.
| #event_simpleName match {
  ProcessRollup2 => pid := TargetProcessId;
  NetworkListenIP4 => pid := ContextProcessId;
}
// Group by the agent ID and for each group, group by the 'pid' field.
| groupBy("aid", function=[
  { groupBy("pid", function=[
    // Extract the ImageFileName field.
    { #event_simpleName="ProcessRollup2" | selectLast([ImageFileName]) },
    // Extract up to 200 rows of the LocalAddressIP4 and LocalPort
    // fields.
    { #event_simpleName="NetworkListenIP4" | table([LocalAddressIP4, LocalPort]) }
  ], limit=max)
  }
], limit=max)
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true)
// Filter off results that do not have the below fields.
| LocalAddressIP4=* AND LocalPort=* AND ImageFileName=*
// Present the results.
      | table([aid, ComputerName, ImageFileName, LocalAddressIP4, LocalPort], limit=200)

#event_simpleName=DnsRequest
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| top(DomainName)
| rename(_count, as="#requests")

#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent Tactic!=/^custom/i Tactic!=""
| wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true)
| Tactic=* 
| Technique=*
| groupBy([Tactic, Technique], function=count(AgentIdString, as="Detection Count"), limit=max)

#event_simpleName=DnsRequest
| wildcard(field=#cid, pattern=?cid, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| ioc:lookup(DomainName, type=domain, confidenceThreshold=unverified)
| ioc[0].labels=/^(?<iocActor>Actor\/.*?)\,/
| top([DomainName, iocActor])
| rename(_count, as="Total Requests")

EventType=Event_ExternalApiEvent
| test(?aid != "*")
| AgentIdString = ?aid #cid = ?cid
| sankey(target=Tactic, source=Technique)

#event_simpleName=UserLogon
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| case { LogonType="2" | Logon_Type:="Interactive"; LogonType="3" | Logon_Type:="Network";
LogonType="4" | Logon_Type:="Batch"; LogonType="5" | Logon_Type:="Service";
LogonType="6" | Logon_Type:="Proxy"; LogonType="7" | Logon_Type:="Unlock";
LogonType="8" | Logon_Type:="Network clear text"; LogonType="9" | Logon_Type:="New Credentials";
LogonType="10" | Logon_Type:="RDP"; LogonType="11" | Logon_Type:="Cached Credentials";
LogonType="12" | Logon_Type:="Auditing"; LogonType="13" | Logon_Type:="Unlock Workstation";*}
| table([@timestamp, UserName, LogonDomain, Logon_Type, UserIsAdmin], limit=200)

#event_simpleName=ScheduledTaskRegistered
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| table([UserName, TaskName, TaskExecCommand, TaskExecArguments])

#event_simpleName=NetworkConnectIP4
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| !regex("^(10|172\.16|192\.168)\.", field=RemoteAddressIP4)
| ipLocation(field=RemoteAddressIP4, as=RemoteAddressIP4)
| top([RemoteAddressIP4, RemoteAddressIP4.country])
| rename(_count, as="#connections")

ExternalApiType=Event_DetectionSummaryEvent
| test(?aid != "*")
| AgentIdString = ?aid AND CustomerIdString = ?cid
| groupby([UserName, FileName, DetectName, DetectDescription, SeverityName], function=[count(as=DetectionCount)], limit=max)

#event_simpleName=PackedExecutableWritten
| test(?aid != "*")
| #cid = ?cid AND aid=?aid
| count()

#event_simpleName=PeFileWritten
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| count(SHA256HashData, distinct=true)

#event_simpleName=ProcessRollup2
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)")
| table([@timestamp, FileName, CommandLine, ParentBaseFileName], limit=200)

#event_simpleName=AgentOnline
| test(?aid != "*")
| aid=?aid AND #cid = ?cid
| ipLocation(field=aip, as=aip)
| groupby([ComputerName, AgentVersion, aip, aip.country, aip.city, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, aid], limit=max)
| drop(_count)

/*
 * This query gives a summary of the domain(s) ('DomainName'
 * parameterized by '?DomainName')
 * It can also give a summary of all the hosts that a specific
 */
#event_simpleName="DnsRequest"
| DomainName = ?DomainName
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false)
| groupBy(DomainName, function=[
    { selectLast([ContextTimeStamp, ComputerName]) | rename(ContextTimeStamp, as=LastLookup) | rename(ComputerName, as=LastLookupBy) },
    { select([ContextTimeStamp, ComputerName]) | head(1) | rename(ContextTimeStamp, as=FirstLookup) | rename(ComputerName, as=FirstLookupBy) | drop(@timestamp) },
    { count(ComputerName, as=NumberOfHosts, distinct=true) }
  ], limit=max)
| LastLookup := LastLookup * 1000
| FirstLookup := FirstLookup * 1000
| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S")
| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S")
| table([DomainName, NumberOfHosts, FirstLookup, FirstLookupBy, LastLookup, LastLookupBy], limit=200, sortby=NumberOfHosts)
| rename(NumberOfHosts, as="#hosts")

/*
 * This query provices details of specific processes that resolve a
 * specific domain ('DomainName', parameterized by '?DomainName') and that are
 * run from a specific agent ID ('aid', parameterized '?aid') or ComputerName (?ComputerName).
 * This query will only return results if either ?DomainName and ?aid / ?ComputerName is specified.
 */
#event_simpleName="ProcessRollup2" OR #event_simpleName="DnsRequest"
| test(?DomainName != "*")
| aid=?aid
| case {
    test(?aid == "*") | test(?ComputerName == "*") | runQuery:=false;
    * | runQuery:=true;
}
| test(runQuery == true)
| drop(runQuery)
// We wish to join the ContextProcessId of the DnsRequest events to the
// TargetProcessId of the ProcessRollup2 events, so we collect them both
// in a field 'pid' that we can then group on.
| #event_simpleName match {
  "ProcessRollup2" => pid := TargetProcessId;
  "DnsRequest" => pid := ContextProcessId;
}
// Group the agent IDs, and for each group group by the 'pid' field.
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName)
| groupBy("pid", function=
  [
    // Extract the latests ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, and SHA256HashData fields.
    { #event_simpleName="ProcessRollup2" | selectLast([aid, ComputerName, ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, SHA256HashData]) },
    // Extract the DomainName for each 'pid'.
    { #event_simpleName="DnsRequest" AND DomainName=?DomainName | groupBy(DomainName) | drop(["_count"]) }
  ], limit=max)
// Remove entries that have no domain name or process start time.
| DomainName = * AND ProcessStartTime = *
| ComputerName = ?ComputerName
// Make the process start time human-readable.
| ProcessStartTime := ProcessStartTime*1000
| ProcessStartTime := formatTime(field=ProcessStartTime, format="%Y/%m/%d %H:%M:%S")
// Present the results.
| table([ProcessStartTime, pid, DomainName, ComputerName, aid, ImageFileName, MD5HashData, SHA256HashData], limit=200)

/**
 * This counts the number of distinct hosts ('ComputerName') that
 * resolved a specific domain ('DomainName', parametrized by '?DomainName').
 * This query will only return results if ?DomainName is specified.
 */
#event_simpleName=DnsRequest
| test(?DomainName != "*")
| aid=?aid
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false)
| ComputerName=?ComputerName
| count(ComputerName, distinct=true)

/**
 * This lists the distinct hosts ('ComputerName') that resolve a specific
 * domain ('DomainName', parametrized by '?DomainName') and how many requests
 * they made.
 */
#event_simpleName=DnsRequest
| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true)
| DomainName = ?DomainName
| groupBy([ComputerName, DomainName], limit=max)
| DomainName = *
| top(ComputerName, sum=_count, as="# lookups")

#event_simpleName="DnsRequest"
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| wildcard(field=DomainName, pattern=?DomainName, ignoreCase=true)
| $"crowdstrike/fltr-core:zComputerName"()
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| timeChart(function=count())
| rename(_count, as="Total Requests")

#event_simpleName="DnsRequest"
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| wildcard(field=DomainName, pattern=?DomainName, ignoreCase=true)
| $"crowdstrike/fltr-core:zComputerName"()
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| timeChart(DomainName, limit=10)
| rename(_count, as="Total Requests")

// This query will only return results if at least one of ?FileName or ?SHA256 is specified.
case {
    test(?FileName == "*") | test(?SHA256 == "*") | runQuery:=false;
    * | runQuery:=true;
}
| test(runQuery == true)
| drop(runQuery)
| #event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256
| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| table([@timestamp, aid, ImageFileName, CommandLine], limit=20000)

#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256
| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true)
| top(field=ComputerName,limit=25)

#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256
| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true)
| top(field=ComputerName,limit=25)

#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256
| test(?ComputerName != "*")
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false)
| ComputerName = ?ComputerName
| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| table([@timestamp, aid, ComputerName, TargetFileName], limit=200)

#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false)
| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| count(field=ComputerName,distinct=true)

#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256
| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| timeChart(function=count(as="Activity"))

#event_simpleName=ProcessRollup2 AND SHA256HashData = ?SHA256
// This query will only return results if at least one of ?FileName or ?SHA256 is specified.
| case {
    test(?FileName == "*") | test(?SHA256 == "*") | runQuery:=false;
    * | runQuery:=true;
  }
| test(runQuery == true)
| drop(runQuery)
| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| groupby([SHA256HashData, FileName], function=[
    count(aid, as="#hosts", distinct=true),
    { selectLast([ProcessStartTime, aid]) | rename(ProcessStartTime, as=LastExecutionDateTime) | rename(aid, as=LastExecutedOn) },
    { head(1) | select([ProcessStartTime, aid]) | rename(ProcessStartTime, as=FirstExecutionDateTime) | rename(aid, as=FirstExecutedOn) }
], limit=max)
| LastExecutionDateTime := LastExecutionDateTime*1000
| FirstExecutionDateTime := FirstExecutionDateTime*1000
| LastExecutionDateTime := formatTime(field=LastExecutionDateTime, format="%Y/%m/%d %H:%M:%S")
| FirstExecutionDateTime := formatTime(field=FirstExecutionDateTime, format="%Y/%m/%d %H:%M:%S")
| drop(@timestamp)
| table([SHA256HashData, FileName, "#hosts", FirstExecutedOn, FirstExecutionDateTime, LastExecutedOn, LastExecutionDateTime], limit=199, sortby="#hosts")

#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256
| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true)
| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| count(field=ComputerName, distinct=true)

#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256
| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)")
| FileName = ?FileName
| timeChart(function=count(as="Hosts", field=aid, distinct=true))

#event_simpleName=/^(DCSyncAttempted|FirewallDeleteRuleIP4|FirewallRuleIP4Matched|FirewallSetRuleIP4|HttpRequest|NetworkCloseIP4|NetworkConnectIP4|NetworkConnectIP4Blocked|NetworkConnectIP4DetectInfo|NetworkListenIP4|NetworkReceiveAcceptIP4|ProcessExecOnRDPFile|ProcessExecOnSMBFile|PromiscuousBindIP4|RawBindIP4|RemediationActionKillIP4Connection|RemoteBruteForceDetectInfo|SmbServerShareOpenedEtw|TlsClientHello|UserLogoff|UserLogon|UserLogonFailed2|WmiCreateProcess)$/
| RemoteAddressIP4=?RemoteAddressIP4
| ipLocation(RemoteAddressIP4)
| worldMap(lat=RemoteAddressIP4.lat, lon=RemoteAddressIP4.lon)

#event_simpleName=ProcessRollup2 OR (#event_simpleName=NetworkConnectIP4 RemoteAddressIP4=?RemoteAddressIP4)
| falconPID:=TargetProcessId
| falconPID:=ContextProcessId
| selfJoinFilter([aid, falconPID], where=[{#event_simpleName=ProcessRollup2}, {#event_simpleName=NetworkConnectIP4}], prefilter=true)
| regex("^.+(\\\|\/)(?<FileName>.+)$", field=ImageFileName, strict=false)
| groupBy([aid, falconPID], function=([min(ProcessStartTime, as=ProcessStartTime), count(#event_simpleName, distinct=true, as=eventCount), collect([ParentBaseFileName, FileName, CommandLine, RemoteAddressIP4], limit=1000)]), limit=max)
| eventCount>1
| shortCommandLine:=format("%,.100s", field=CommandLine)
| $"crowdstrike/fltr-core:zComputerName"()
| ProcessStartTime:=ProcessStartTime*1000
| timestamp:=formatTime(format="%c", field=ProcessStartTime)
| table([timestamp, aid, ComputerName, ParentBaseFileName, FileName, RemoteAddressIP4, shortCommandLine], limit=1000)

#event_simpleName=/^(DCSyncAttempted|FirewallDeleteRuleIP4|FirewallRuleIP4Matched|FirewallSetRuleIP4|HttpRequest|NetworkCloseIP4|NetworkConnectIP4|NetworkConnectIP4Blocked|NetworkConnectIP4DetectInfo|NetworkListenIP4|NetworkReceiveAcceptIP4|ProcessExecOnRDPFile|ProcessExecOnSMBFile|PromiscuousBindIP4|RawBindIP4|RemediationActionKillIP4Connection|RemoteBruteForceDetectInfo|SmbServerShareOpenedEtw|TlsClientHello|UserLogoff|UserLogon|UserLogonFailed2|WmiCreateProcess)$/
| RemoteAddressIP4=?RemoteAddressIP4
| groupBy([#event_simpleName], limit=max)
| rename(field="_count", as="Connection Count")
| table([#event_simpleName, "Connection Count"], limit=1000)

#event_simpleName=/^(DCSyncAttempted|FirewallDeleteRuleIP4|FirewallRuleIP4Matched|FirewallSetRuleIP4|HttpRequest|NetworkCloseIP4|NetworkConnectIP4|NetworkConnectIP4Blocked|NetworkConnectIP4DetectInfo|NetworkListenIP4|NetworkReceiveAcceptIP4|ProcessExecOnRDPFile|ProcessExecOnSMBFile|PromiscuousBindIP4|RawBindIP4|RemediationActionKillIP4Connection|RemoteBruteForceDetectInfo|SmbServerShareOpenedEtw|TlsClientHello|UserLogoff|UserLogon|UserLogonFailed2|WmiCreateProcess)$/
| RemoteAddressIP4=?RemoteAddressIP4
| asn:=asn(RemoteAddressIP4)
| rdns:=rdns(RemoteAddressIP4)
| default(value="-", field=[asn.org, asn.asn, rdns])
| groupBy([RemoteAddressIP4, asn.org, asn.asn, rdns], limit=max)
| ipLocation(RemoteAddressIP4)
| rename(field="RemoteAddressIP4", as="IP")
| rename(field="asn.org", as="IP ASN Org.")
| rename(field="asn.asn", as="IP ASN")
| rename(field="rdns", as="Reverse DNS")
| rename(field="RemoteAddressIP4.city", as="GeoIP City")
| rename(field="RemoteAddressIP4.state", as="GeoIP State")
| rename(field="RemoteAddressIP4.country", as="GeoIP Country")
| rename(field="RemoteAddressIP4.lat", as="GeoIP Latitude")
| rename(field="RemoteAddressIP4.lon", as="GeoIP Longitude")
| rename(field="RemoteAddressIP4.lat", as="Event Types")
| drop([_count])
| select(["IP", "Reverse DNS", "IP ASN", "IP ASN Org.", "GeoIP Country", "GeoIP State", "GeoIP City", "GeoIP Latitude","GeoIP Longitude"])

#event_simpleName=/^(DCSyncAttempted|FirewallDeleteRuleIP4|FirewallRuleIP4Matched|FirewallSetRuleIP4|HttpRequest|NetworkCloseIP4|NetworkConnectIP4|NetworkConnectIP4Blocked|NetworkConnectIP4DetectInfo|NetworkListenIP4|NetworkReceiveAcceptIP4|ProcessExecOnRDPFile|ProcessExecOnSMBFile|PromiscuousBindIP4|RawBindIP4|RemediationActionKillIP4Connection|RemoteBruteForceDetectInfo|SmbServerShareOpenedEtw|TlsClientHello|UserLogoff|UserLogon|UserLogonFailed2|WmiCreateProcess)$/
| RemoteAddressIP4=?RemoteAddressIP4
| top(aid, limit=10)
| $"crowdstrike/fltr-core:zComputerName"()
| "Connection Count":=rename(field="_count")

#event_simpleName=/^(DCSyncAttempted|FirewallDeleteRuleIP4|FirewallRuleIP4Matched|FirewallSetRuleIP4|HttpRequest|NetworkCloseIP4|NetworkConnectIP4|NetworkConnectIP4Blocked|NetworkConnectIP4DetectInfo|NetworkListenIP4|NetworkReceiveAcceptIP4|ProcessExecOnRDPFile|ProcessExecOnSMBFile|PromiscuousBindIP4|RawBindIP4|RemediationActionKillIP4Connection|RemoteBruteForceDetectInfo|SmbServerShareOpenedEtw|TlsClientHello|UserLogoff|UserLogon|UserLogonFailed2|WmiCreateProcess)$/
| RemoteAddressIP4=?RemoteAddressIP4
| timeChart(RemoteAddressIP4, function=count(aid))

#event_simpleName=/^(DCSyncAttempted|FirewallDeleteRuleIP4|FirewallRuleIP4Matched|FirewallSetRuleIP4|HttpRequest|NetworkCloseIP4|NetworkConnectIP4|NetworkConnectIP4Blocked|NetworkConnectIP4DetectInfo|NetworkListenIP4|NetworkReceiveAcceptIP4|ProcessExecOnRDPFile|ProcessExecOnSMBFile|PromiscuousBindIP4|RawBindIP4|RemediationActionKillIP4Connection|RemoteBruteForceDetectInfo|SmbServerShareOpenedEtw|TlsClientHello|UserLogoff|UserLogon|UserLogonFailed2|WmiCreateProcess)$/
| RemoteAddressIP4=?RemoteAddressIP4
| timeChart(#event_simpleName, function=count(aid))

#event_simpleName=/^(DCSyncAttempted|FirewallDeleteRuleIP4|FirewallRuleIP4Matched|FirewallSetRuleIP4|HttpRequest|NetworkCloseIP4|NetworkConnectIP4|NetworkConnectIP4Blocked|NetworkConnectIP4DetectInfo|NetworkListenIP4|NetworkReceiveAcceptIP4|ProcessExecOnRDPFile|ProcessExecOnSMBFile|PromiscuousBindIP4|RawBindIP4|RemediationActionKillIP4Connection|RemoteBruteForceDetectInfo|SmbServerShareOpenedEtw|TlsClientHello|UserLogoff|UserLogon|UserLogonFailed2|WmiCreateProcess)$/
| RemoteAddressIP4=?RemoteAddressIP4
| count(aid, as="Total Connections")

test(?ProcessId != "*")
| (#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid
| case {
Protocol=6 | eval(aProtocol="TCP");
Protocol=1 | eval(aProtocol="ICMP");
Protocol=17 | eval(aProtocol="UDP");
Protocol=58 | eval(aProtocol="IPv6-ICMP");*}
| table([@timestamp, aid, aProtocol, LocalAddressIP4, LocalAddressIP6, LocalPort, RemoteAddressIP4, RemoteAddressIP6, RemotePort])

test(?ProcessId != "*")
| ContextProcessId = ?ProcessId
| groupBy([aid, #event_simpleName])

test(?ProcessId != "*")
| #event_simpleName=*Written ContextProcessId = ?ProcessId aid = ?aid
| groupBy([#event_simpleName, TargetFileName])
| rename(_count, as="#")

test(?FileName != "*")
| #event_simpleName=ProcessRollup2 aid=?aid TargetProcessId = ?ProcessId
| ImageFileName =  /(\/|\\)(?<FileName>\w*\.?\w*)$/i
| FileName = ?FileName
| rename(field=ImageFileName, as=OriginalFileName) | rename(field=CommandLine, as=OriginalCommandLine)
| groupBy([aid, TargetProcessId, OriginalFileName, OriginalCommandLine])
| sort(_count, order=asc)
| rename(_count, as="#")

test(?ProcessId != "*")
| #event_simpleName=FileDeleteInfo ContextProcessId = ?ProcessId aid = ?aid
| groupBy([#event_simpleName, TargetFileName])
| rename(_count, as="#")

(#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid
| test(?ProcessId != "*")
| groupBy([RemoteAddressIP4, RemoteAddressIP6])

test(?ProcessId != "*")
| #event_simpleName=DnsRequest ContextProcessId = ?ProcessId aid = ?aid
| groupBy([DomainName])
| rename(_count, as="#requests")

test(?ProcessId != "*")
| ContextProcessId = ?ProcessId aid = ?aid

test(?ProcessId != "*")
| #event_simpleName=ImageHash ContextProcessId = ?ProcessId aid = ?aid
| groupBy([ImageFileName])
| rename(_count, as="#events")

// Do a case-insensitive comparison.
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)

// Find detection events.
| #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent Tactic!=/^custom/i

// Add the ComputerName if it's missing.
| $"crowdstrike/fltr-core:zComputerName"()

// Find the details.
| aid:=rename(AgentIdString)

// These fields must exist.
| Tactic=* AND Technique=*
| table([aid, ComputerName, DetectName, Tactic, Technique, Objective, CommandLine], limit=1000)

// Do a case-insensitive comparison.
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)

// Find identity events.
| #event_simpleName=UserLogonFailed*

// Convert the results to a readable format.
| $"crowdstrike/fltr-core:zLogonTypeName"()

// Add the ComputerName.
| $"crowdstrike/fltr-core:zComputerName"()

// Group the results.
| groupBy(aid, function=[collect([ComputerName, LogonTypeName], limit=1000), count(as="Total Events")], limit=max)
| sort("Total Events", limit=1000)

// Do a case-insensitive comparison.
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)

// Create a chart of the top 10 events over time.
| timeChart(#event_simpleName, limit=10)

// Do a case-insensitive comparison.
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)

// Find scheduled tasks being registered.
| #event_simpleName=ScheduledTask*

// Add the ComputerName.
| $"crowdstrike/fltr-core:zComputerName"()

// Grab the output.
| table([aid, ComputerName, @timestamp, #event_simpleName, TaskName, TaskExecCommand], limit=1000)

// Do a case-insensitive comparison.
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)

// aid must exist.
| aid=*

// Add the ComputerName.
| $"crowdstrike/fltr-core:zComputerName"()

// Create a chart of the top associated hosts.
| groupBy(aid, function=[collect([ComputerName, #event_simpleName], limit=1000), count(as="Total Events")], limit=max)
| "Distinct Events":=rename(#event_simpleName)
| sort("Total Events", limit=1000)
| table([aid, ComputerName, "Distinct Events", "Total Events"], limit=1000)

// Do a case-insensitive comparison.
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)

// Find identity events.
| #event_simpleName=UserLogon OR #event_simpleName=UserIdentity

// Only include interactive logon events.
| LogonType=/^(2|7|10)$/

// Convert the results to a readable format.
| $"crowdstrike/fltr-core:zLogonTypeName"()

// Add the ComputerName.
| $"crowdstrike/fltr-core:zComputerName"()

// Group the results.
| groupBy(aid, function=[collect([ComputerName, LogonTypeName], limit=1000), count(as="Total Events")], limit=max)
| sort("Total Events", limit=1000)

// Do a case-insensitive comparison.
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)

// Find events related to file writes.
| #event_simpleName=*FileWritten

// Add the ComputerName.
| $"crowdstrike/fltr-core:zComputerName"()

// Grab the relevant data.
| groupBy([aid, ComputerName, #event_simpleName, OriginalFilename], function=[collect(TargetFileName, limit=1000), count(as="Total Events")], limit=max)
| sort("Total Events", limit=1000)

#event_simpleName="NetworkConnectIP4"
| ipLocation(field=RemoteAddressIP4)
| top(RemoteAddressIP4.country, as="#")

in(#event_simpleName, values=[
	"DetectAnalysis",
	"FileDetectInfo",
	"HttpRequestDetect",
	"KillThreadStatus",
	"ModuleBlockedEventWithPatternId",
	"NetworkOutboundPortScanDetectInfo",
	"PackedExecutableWritten",
	"RansomwareCreateFile",
	"RansomwareFileAccessPattern",
	"RansomwareRenameFile",
	"RegGenericValueUpdate",
	"RegistryOperationBlocked",
	"RegistryOperationDetectInfo",
	"RemediationActionKillProcess",
	"RemediationActionQuarantineFile",
	"RemediationActionRegistryRemoval",
	"RemediationMonitorKillProcess",
	"RemediationMonitorQuarantineFile",
	"RemediationMonitorRegistryRemoval",
	"RemoteBruteForceDetectInfo",
	"ScriptControlBlocked",
	"ScriptControlDetectInfo",
	"SuspiciousCreateSymbolicLink",
	"SuspiciousPeFileWritten",
	"SuspiciousRegAsepUpdate",
	"SuspiciousRegAsepUpdateFromUnsignedModule",
	"SuspiciousRegAsepUpdateLacksContextSignature",
	"SuspiciousRegAsepUpdateLacksTargetSignature",
	"SuspiciousRegAsepUpdateToUnsignedTarget",
	"SuspiciousUserRemoteAPCAttempt",
	"TokenImpersonated",
	"ZerologonExploitAttempt",
	"CriticalFileModified"
])
| groupBy(#event_simpleName, limit=max)
| "#" := rename(_count)

#event_simpleName="DnsRequest"
| entropy:=shannonEntropy(DomainName)
| not akamaihd
| GroupBy([DomainName, entropy], limit=max)
| "#" := rename(_count)
| sort(entropy, limit=20)

#event_simpleName="NetworkConnectIP4"
| top(RemoteAddressIP4, as="#")

#event_simpleName="ScriptControl"
| ScriptEntropy:=shannonEntropy(ScriptContent)
| GroupBy([ScriptEntropy, ScriptContent], limit=max)
| "#" := rename(_count)
| sort(ScriptEntropy, limit=20)

wildcard(field=#event_simpleName, pattern=?event_simpleName, ignoreCase=true)

// Create buckets to get the count, then rename a field so we recognize @timestamp again.
| bucket(field=?GroupByValue, span=1d, limit=500)
| @timestamp:=_bucket

// Find the average number and calculate the standard deviation.
| bucket(field=?GroupByValue, span=1d, function=[sum(_count, as=observedRequests), window([stdDev(_count), avg(_count)], span=?RollingAverageDays)], limit=500)

// Remove irrelevant results.
| _stddev > 0 | _avg > 0
| regex(".+", field=?GroupByValue)

// Calculate the upper and lower limits.
| ulimit := _avg + (?AnomalyFactor * _stddev)

// Flag hosts that exceed the standard deviation by X.
| case {
    test(observedRequests > ulimit) | violation := 1;
    * | violation := 0;
  }

// Round the numbers for formatting.
| round(_avg) | round(ulimit)

// Ignore anything that's noise.
| violation > 0
| _stddev > 1
| _avg > 1
| test(observedRequests > ulimit)

// Add the date the spike occurred.
| Time := formatTime("%Y-%m-%d", field=_bucket, locale=en_US, timezone=Z)

| groupBy(?GroupByValue, function=[collect([Time, observedRequests, ulimit], limit=1000)], limit=max)
| Observed:=rename(observedRequests)
| UpperLimit:=rename(ulimit)