The Basics - 01 - Primer
Welcome to LogScale! The LogScale query language is extremely powerful. It's largely based on open standards and the language of mathematics, and balances simplicity and functionality to help users quickly find what they need. In this tutorial, we'll use Falcon telemetry data to learn LogScale. The content and concepts we will cover, however, can be adapted and reused with any dataset that LogScale happens to be ingesting, e.g. first-party, third-party, etc. We will start with the very basics and build on the queries as we go.

Hints on using the tutorial:

- You can navigate between the dashboards by clicking on the word *Dashboards* in the upper-left corner. It is the link text right below the Falcon icon. Clicking on this link will take you back to the overview page showing all of the tutorial chapters.
- You can display the source for every dashboard chapter. Simply click on the *edit* pencil icon near the upper-right corner, then click *Show queries* in the middle near the top of the page. Click *Discard changes* in the upper-right when you're done.

Additional resources are available as references:

- Official documentation: documentation on the query language.
- LogScale Query Primer: a comprehensive guide on using the LogScale query language.
- LogScale Query Building Blocks: a list of common questions we've seen in the field.
- LogScale Function Addendum: examples of using a few of the common functions within LogScale.
- FLTR Hunting and Investigations: threat hunting guide for Falcon data.

Onward!
The Basics - 02 - Event Tags
Output (Table): Displays a table of events limited to the first 100 entries.
Event Tags

Falcon LogScale has the ability to apply tags to events. In doing so, it allows LogScale to quickly and efficiently include or exclude large collections of events as you search. The application of tags to telemetry is all done for you transparently when dealing with Falcon data. The reason we're mentioning it is: one very important field, event_simpleName, is tagged in LogScale. Because of this, when you specify an event_simpleName value in your LogScale syntax, you need to put a # (hash or pound) in front of that field. That's it. We'll start the query like this in LogScale:

logscale
#event_simpleName=ProcessRollup2

The same concept applies to the field cid:

logscale
#event_simpleName=ProcessRollup2 #cid=123456789012345678901234

If you forget, or want to know what other events are tagged, you can just look in the LogScale sidebar for anything starting with #.

Query

logscale
#event_simpleName=ProcessRollup2
| table([#event_simpleName, #cid, @rawstring], limit=100)
The Basics - 03 - Field Names Simplified
Sample of Available Field Names (Table): Displays a table of available field names in descending order.
The Basics - 04 - Comments
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Search for the Local System account SID
| UserSid=S-1-5-18
// Count total executions
| count(aid, as=totalExecutions)
The Basics - 05 - Timestamps
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Generic pattern to account for microseconds or remove the decimal point in a timestamp
// (myTimeStamp is a placeholder field name, not a Falcon field)
| myTimeStamp := myTimeStamp * 1000
// Convert ProcessStartTime (seconds) to the millisecond epoch format formatTime() expects
| ProcessStartTime := ProcessStartTime * 1000
// Convert epoch time to human-readable time
| HumanTime := formatTime("%Y-%m-%d %H:%M:%S", field=ProcessStartTime, locale=en_US, timezone=Z)
| table([aid, #event_simpleName, ProcessStartTime, HumanTime], limit=100)
The Basics - 06 - Assignment
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Calculate the time delta in milliseconds between the current time and the process start time
| timeDelta := now() - (ProcessStartTime*1000)
| table([ProcessStartTime, timeDelta], limit=100)
The Basics - 07 - Regular Expressions
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
#event_simpleName=ProcessRollup2
| event_platform=Win
| ImageFileName=/\\(?<systemFolder>(System32|SysWow64))\\/i
| groupBy([systemFolder, ImageFileName], limit=100)
The Basics - 08 - Case Statements
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
#event_simpleName=UserLogon
| case {
    UserIsAdmin=1 | UserIsAdmin_Readable := "True" ;
    UserIsAdmin=0 | UserIsAdmin_Readable := "False" ;
    * ;
  }
| table([aid, UserName, UserSid, UserIsAdmin_Readable], limit=100)
The Basics - 09 - Functions
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
#event_simpleName=UserLogon
| $UserIsAdmin()
| table([aid, UserName, UserSid, UserIsAdmin, UserIsAdmin_Readable], limit=100)
The Basics - 10 - Formatting Query Output
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
// Get all user logon events for User SID S-1-5-21-1423588362-1685263640-2499213259-1001
#event_simpleName=UserLogon event_platform=Win UserSid=S-1-5-21-1423588362-1685263640-2499213259-1001
// Invoke the saved query to enrich the UserIsAdmin field if the query is saved locally
//| $UserIsAdmin()
// Invoke the saved query to enrich the UserIsAdmin field if the query is part of a package
| $"crowdstrike/fltr-tutorial:UserIsAdmin"()
// Use select to output in tabular format
| select([@timestamp, aid, ClientComputerName, UserName, LogonType, UserIsAdmin_Readable])
Query Output Options

There are generally three different ways to format the output:

  • table(): The table() function has lots of options for output, e.g. fields, limits, how the output is sorted, etc.

  • select(): You can think of select() as a stripped-down version of table(). It doesn't have a lot of parameters, but is extremely efficient when used in a query. Keep in mind that select() will limit the UI output to the latest 200 events. This limit only applies to the UI output of the query, not when select() is used in the middle of a query or during an export.

  • Event List (see the documentation): Event List isn't a function like table() or select(). Instead, it's the default output if you *don't* use table() or select() in your query. It has a lot of UI options for formatting the output, all the way down to the column level. These options must be configured in the UI and can't be set directly in the query. Saving the query will also save the Event List options that you have specified.
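An added example (not one of the tutorial's own queries) that combines two of the options above: select() in the middle of the query, where its 200-event UI limit does not apply, and table() at the end to control column order and sorting. The field names are the ProcessRollup2 fields used elsewhere in this tutorial.

```logscale
#event_simpleName=ProcessRollup2 event_platform=Win
// select() mid-query only narrows each event to the fields we need;
// the 200-event limit applies to UI output, not to this step
| select([aid, FileName, SHA256HashData])
// Aggregate per file name and hash
| groupBy([FileName, SHA256HashData], function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions)]), limit=max)
// table() controls the final presentation: column order, sort field, direction and row limit
| table([FileName, SHA256HashData, uniqueEndpoints, totalExecutions], sortby=uniqueEndpoints, order=asc, limit=200)
```

Sorting ascending on uniqueEndpoints puts the binaries seen on the fewest hosts at the top, which is usually where a hunt starts.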

The Basics - 11 - groupBy
Format Query Output with groupBy #2

Note in the search above, I've added the Event Search syntax I want to translate to my search and quickly commented it out. This is optional, but makes the translation of queries you already have a little easier.

logscale
| groupBy(SHA256HashData, function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect(CommandLine)]), limit=max)

Note the use of the square brackets after invoking function. This is because we want to use multiple aggregations in this groupBy. If you wanted to groupBy multiple fields, you would also use square brackets. As an example:

logscale
| groupBy([SHA256HashData, FileName], function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect(CommandLine)]), limit=max)

The same principle would be applied if we wanted to collect multiple fields.

logscale
| groupBy([SHA256HashData, FileName], function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect([CommandLine, UserSid])]), limit=max)

Note how:

logscale
collect(CommandLine)

Becomes:

logscale
collect([CommandLine, UserSid])

This takes a little practice, but once mastered the syntax is logical and very easy to interpret. To assist, LogScale will insert a closing parenthesis or closing square bracket when you open one.

Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/\\powershell\.exe/i
| groupBy(SHA256HashData, function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect(CommandLine)]), limit=100)
The Basics - 12 - Parameters
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
// Get all DNS Request events
#event_simpleName=DnsRequest
// Use regex to extract the top-level domain (the last two labels of the name)
| DomainName=/\.?(?<topLevelDomain>\w+\.\w+$)/i
// Create a search box (dashboard parameter) for the top-level domain
| topLevelDomain=?topLevelDomain
// Count the number of distinct domain names per top-level domain
| groupBy(topLevelDomain, function=(count(DomainName, distinct=true, as=domainVariations)), limit=100)
The Basics - 13 - Visualizations
Output #2 (Sankey): Displays a flow chart of external event data (tactic, technique, agent ID).
Using Widget Visualizations #2

LogScale will only allow you to select compatible widgets. The desired visualization widget can also be specified in the query itself. As an example:

logscale
#event_simpleName!=*
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| sankey(source=Tactic, target=Technique, weight=count(AgentIdString))

The "Save" button can be leveraged to add any query or widget to a custom dashboard.
Output (Table): Displays a table of events limited to the first 100 entries.
The Basics - 14 - Widget Formatting
Output #2 (Pie Chart): Displays a list of external API events and limits results to the first 100 entries.
Customizing Visualizations Using the Format Pane #2

By clicking the paintbrush in the middle left, we can change view, color, and series options for our chart. When you select a visualization, the format pane will automatically adjust to include all available options. Please pick better colors than I did.
Output (Table): Displays a table of events limited to the first 100 entries.
The Basics - 15 - Match
Output (Table): Displays a table of events limited to the first 100 entries.
Query
logscale
#event_simpleName=UserLogon event_platform=Win
| UserIsAdmin match {
    1 => UserIsAdmin := "True" ;
    0 => UserIsAdmin := "False" ;
  }
| select([@timestamp, UserName, UID, LogonType, UserIsAdmin])
The Basics - 16 - Field Extraction
Using Regular Expression Field Extraction #2

By default, regular expression field extractions are strict, meaning that if the data being searched does not match the expression, the event is omitted from the results. A quick example would be:

logscale
#event_simpleName=ProcessRollup2 ImageFileName=/\\(?<fileName>\w{3}\.\w{3}$)/i
This looks for a file whose name is three characters long and whose extension is three characters long. If that condition is not matched, the data is not returned.
Output #3 (Table): Displays a table of event output by four-letter file name and limits results to the first 100 entries.
Output (Table): Displays a table of events limited to the first 100 entries.
Using Regular Expression Field Extraction #3

We can also use non-strict field extractions like so:

logscale
#event_simpleName=ProcessRollup2 ImageFileName=/\\(?<fileName>\w+\.\w+$)/i
| regex("(?<fourLetterFileName>^\w{4})\.exe", field=fileName, strict=false)
| groupBy([fileName, fourLetterFileName], limit=100)
| fourLetterFileName = *

The above looks for file names that contain four characters. If that does not match, that field is left blank.

Output #2 (Table): Displays a table of output using image data.
The Basics - 17 - Query Building 101
Output #2 (Bar Chart): Displays a chart of event output and limits results to the first 100 results.
Output (Table): Displays a table of events limited to the first 100 entries.
Query Building 101 - Part 2

Note in the output above I've trimmed the command line string using format to only include the first 50 characters to make things more readable. That line is as follows:

logscale
| format("%,.50s", field=CommandLine, as=CommandLine)

And now we have a complete query! If we wanted to do some visualization, we could change our parameters a bit to look for outliers. Based on this data, the use of the flags enc and encodedCommand (with that spelling) is not common in my environment. A hunting query, scheduled alert, or Custom IOA could be beneficial.
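As an added example (not one of the tutorial's own queries), here is the kind of hunting query the paragraph suggests: it reuses the ProcessRollup2 fields and the format() trim from this chapter, extracts which flag spelling was used into encFlag (an assumed field name), and sorts the rarest combinations to the top.

```logscale
// Added example: which encoded-command flag spellings appear with PowerShell, and how rare is each
#event_simpleName=ProcessRollup2 event_platform=Win
| ImageFileName=/\\powershell\.exe/i
// Capture the flag spelling actually used into encFlag (assumed name) so the variants can be compared
| CommandLine=/\s-(?<encFlag>enc|encodedCommand)\s/i
// Trim the command line to its first 50 characters for readability
| format("%.50s", field=CommandLine, as=CommandLine)
// One row per flag spelling: distinct endpoints, total executions and the trimmed command lines
| groupBy(encFlag, function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect(CommandLine)]), limit=100)
// Rarest first: low endpoint and execution counts are the outliers worth reviewing
| sort(uniqueEndpoints, order=asc, limit=100)
```

Saving this as a scheduled search turns the one-off hunt into the alert the paragraph mentions; the regex is case-insensitive, so the captured encFlag value reflects the spelling seen on the endpoint.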

The Basics - 19 - Helpful Query Examples
Format a number to two decimal places

Calculate the average password age, in days, of Admin and Standard user accounts and then round those values to a whole number:

logscale
#event_simpleName=UserLogon
| groupBy(UserIsAdmin, function=(avg(PasswordLastSet, as=avgPswdAge)), limit=100)
| AvgPaswdAgeDays := now() - (avgPswdAge*1000)
| AvgPaswdAgeDays := AvgPaswdAgeDays/1000/60/60/24
| format("%,.0f", field=[AvgPaswdAgeDays], as=PasswordLastSetDaysRounded)
Place longitude and latitude on a world map example (World Map): Displays an example of latitude and longitude on a world map.
Set a default field value

Set a default field value. Similar to fillnull in Event Search. If the field GrandParentBaseFileName is blank, set it to the value "Unknown".

logscale
#event_simpleName=ProcessRollup2
| default(field=GrandParentBaseFileName, value="Unknown")
| select([GrandParentBaseFileName, ParentBaseFileName, ImageFileName])
Set a default field value example (Table): Displays an example of how to set a default field value.
Omit RFC 1918 addresses from search result

Omit internal IP addresses when keying in on remote IP addresses.

logscale
#event_simpleName=UserLogon
| !cidr(RemoteAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.1/32", "169.254.0.0/16", "0.0.0.0/32"])
Place longitude and latitude on a world map

Using a built-in geoip database and the function worldmap to map all SSH connections.
Concatenate two fields into a new, single field

Take the fields UID and UserSid and make them a new field named userIdentifier.

logscale
#event_simpleName=ProcessRollup2
| concat([UID, UserSid], as=userIdentifier)
| select([@timestamp, aid, userIdentifier, ImageFileName])
Output (Table): Displays a table of events limited to the first 100 entries.
Query field for multiple values within

Query a single field for multiple values using the in function.

logscale
#event_simpleName=UserLogon
| in(LogonType, values=[2,10])
| select([@timestamp, UserSid, UserName, LogonType, ClientComputerName])
Use test to do field evaluations

Similar to where in Event Search, check one field value against another. In this example, see if a username has completed more than 25 logons in a given search window:

logscale
#event_simpleName=UserLogon
| groupBy(UserName, function=(count(aid, as=totalLogons)), limit=100)
| test(totalLogons > 25)
Format a number to two decimal places example (Table): An example query that shows how to create a table view of formatting a number to two decimal places.
Convert decimal values to hexadecimal values

logscale
#event_simpleName=UserLogonFailed2 event_platform=Win
| SubStatus_hex := format("0x%X", field=SubStatus)
| select([@timestamp, aid, UserName, LogonType, SubStatus, SubStatus_hex])
Query field for multiple values within example (Table): An example widget that queries fields for multiple logon values.
Use test to do field evaluations example (Table): Displays a list of user logins by username and limits to the first 100 entries.
Omit RFC 1918 addresses from search result example (Table): An example of a query that omits RFC 1918 addresses from a given search result.
Create concatenated, formatted fields

Create a process lineage one-liner that includes grandparent, parent, and target processes using format:

logscale
#event_simpleName=ProcessRollup2
| default(field=GrandParentBaseFileName, value="Unknown")
| format(format="%s > %s > %s", field=[GrandParentBaseFileName, ParentBaseFileName, FileName], as=processLineage)
| select([aid, TargetProcessId, processLineage])
Convert decimal values to hexadecimal values example (Table): An example query that displays a table of values converted from decimal to hexadecimal, with additional data such as username, logon type, and timestamp.
Use match to query a lookup table

Note that the specified lookup table must exist under "Files." In this instance, we'll check for common ports and create a new field with their associated protocol.

logscale
#event_simpleName=NetworkListenIP4
| match(file="crowdstrike/fltr-tutorial/service-names-port-numbers.csv", field=LocalPort, include=ServiceName, ignoreCase=true, strict=false)
| select([@timestamp, aid, LocalPort, ServiceName, RemoteAddressIP4])
Concatenate two fields into a new, single field example (Table): Displays a table of two fields that have been concatenated into a new single field.
Use match to query a lookup table example (Table): Displays an example of how to use the match() function to query a lookup table.
Create concatenated, formatted fields example (Table): Displays an example query for creating concatenated, formatted fields.