The Basics - 01 - Primer
Welcome to LogScale! The LogScale query language is extremely powerful. It's largely based on open standards and the language of mathematics, and balances simplicity and functionality to help users find what they need quickly. In this tutorial, we'll use Falcon telemetry data to learn LogScale. The content and concepts we cover, however, can be adapted and reused with any dataset that LogScale happens to be ingesting, e.g. first-party, third-party, etc. We will start with the very basics and build on the queries as we go.

Hints on using the tutorial:
- You can navigate between the dashboards by clicking on the word *Dashboards* in the upper-left corner. It is the link text right below the Falcon icon. Clicking on this link will take you back to the overview page showing all of the tutorial chapters.
- You can display the source for every dashboard chapter. Simply click on the *edit* pencil icon near the upper-right corner, then click *Show queries* in the middle near the top of the page. Click *Discard changes* in the upper-right when you're done.

Additional resources are available as references:
- Official documentation: documentation on the query language.
- LogScale Query Primer: a comprehensive guide on using the LogScale query language.
- LogScale Query Building Blocks: a list of common questions we've seen in the field.
- LogScale Function Addendum: examples of using a few of the common functions within LogScale.
- FLTR Hunting and Investigations: threat hunting guide for Falcon data.

Onward!
The Basics - 02 - Event Tags
Event Tags

Falcon LogScale has the ability to apply tags to events. In doing so, it allows LogScale to quickly and efficiently include or exclude large collections of events as you search. The application of tags to telemetry is all done for you transparently when dealing with Falcon data. The reason we're mentioning it is: one very important field, event_simpleName, is tagged in LogScale. Because of this, when you specify an event_simpleName value in your LogScale syntax, you need to put a # (hash or pound) in front of that field. That's it. We'll start the query like this in LogScale:
logscale
#event_simpleName=ProcessRollup2
The same concept applies to the field cid:
logscale
#event_simpleName=ProcessRollup2 #cid=123456789012345678901234
If you forget, or want to know what other events are tagged, you can just look in the LogScale sidebar for anything starting with #.
Query
logscale
#event_simpleName=ProcessRollup2
| table([#event_simpleName, #cid, @rawstring], limit=100)
The Basics - 03 - Field Names Simplified
Sample of Available Field Names
The Basics - 04 - Comments
Query
logscale
// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Search for the SYSTEM user SID (field name is case-sensitive: UserSid)
| UserSid=S-1-5-18
// Count total executions
| count(aid, as=totalExecutions)
The Basics - 05 - Timestamps
Query
logscale
// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Generic pattern: a seconds-based timestamp (myTimeStamp is a placeholder field name) is multiplied by 1000 to get milliseconds
| myTimeStamp := myTimeStamp * 1000
// Convert ProcessStartTime (epoch seconds) to the epoch milliseconds LogScale expects
| ProcessStartTime := ProcessStartTime * 1000
// Convert epoch time to human-readable time; the format string must be quoted because it contains spaces
| HumanTime := formatTime("%Y-%m-%d %H:%M:%S", field=ProcessStartTime, locale=en_US, timezone=Z)
| table([aid, #event_simpleName, ProcessStartTime, HumanTime], limit=100)
The Basics - 06 - Assignment
Query
logscale
// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Calculate time delta in milliseconds between current time and process start time
| timeDelta := now() - (ProcessStartTime*1000)
| table([ProcessStartTime, timeDelta], limit=100)
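The arithmetic behind the Timestamps and Assignment queries (chapters 05 and 06), written out as an added Python example rather than code from the tutorial. It takes constructed ProcessRollup2 events whose ProcessStartTime is epoch seconds with a fractional part, converts them to whole milliseconds, renders the UTC time the way formatTime("%Y-%m-%d %H:%M:%S", timezone=Z) does, and computes the delta against a fixed "now" so the result is reproducible. SAMPLE_EVENTS, NOW_MS and the function names are this example's own.

```python
"""Epoch arithmetic behind the Timestamps and Assignment queries (added example)."""
from datetime import datetime, timezone

# Constructed sample events. Falcon's ProcessStartTime is epoch *seconds* with a
# fractional part; LogScale's time functions want epoch *milliseconds*.
SAMPLE_EVENTS = [
    {"aid": "aaaa1111", "ProcessStartTime": 1700000000.123},
    {"aid": "bbbb2222", "ProcessStartTime": 1700003600.0},
    {"aid": "cccc3333", "ProcessStartTime": "1700007200.5"},  # arrives as a string
]

# Fixed "now" in milliseconds (stands in for LogScale's now()) so runs are repeatable.
NOW_MS = 1700010000000


def to_epoch_ms(seconds) -> int:
    """Mirror `ProcessStartTime := ProcessStartTime * 1000`: seconds -> whole ms.
    Rounding rather than truncating keeps 1700000000.123 -> 1700000000123 exact
    despite floating-point noise."""
    return int(round(float(seconds) * 1000))


def human_time(epoch_ms: int) -> str:
    """Mirror formatTime("%Y-%m-%d %H:%M:%S", timezone=Z): ms -> UTC text."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def time_delta_ms(now_ms: int, start_seconds) -> int:
    """Mirror `timeDelta := now() - (ProcessStartTime*1000)`, in milliseconds."""
    return now_ms - to_epoch_ms(start_seconds)


def enrich(events, now_ms=NOW_MS):
    """Produce the rows the table([aid, ProcessStartTime, HumanTime]) call would show,
    plus the timeDelta column from the Assignment chapter."""
    rows = []
    for ev in events:
        ms = to_epoch_ms(ev["ProcessStartTime"])
        rows.append({
            "aid": ev["aid"],
            "ProcessStartTime": ms,
            "HumanTime": human_time(ms),
            "timeDelta": now_ms - ms,
        })
    return rows


if __name__ == "__main__":
    for row in enrich(SAMPLE_EVENTS):
        print(row)
```

If you forget the multiplication, fromtimestamp() (and LogScale's formatTime) will interpret epoch seconds as milliseconds and place every process start in January 1970, which is the usual symptom to look for when HumanTime looks wrong.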
The Basics - 07 - Regular Expressions
Query
logscale
#event_simpleName=ProcessRollup2
| event_platform=Win
| ImageFileName=/\\(?<systemFolder>(System32|SysWow64))\\/i
| groupBy([systemFolder, ImageFileName], limit=100)
The Basics - 08 - Case Statements
Query
logscale
#event_simpleName=UserLogon
| case {
    UserIsAdmin=1 | UserIsAdmin_Readable := "True" ;
    UserIsAdmin=0 | UserIsAdmin_Readable := "False" ;
    * ;
  }
| table([aid, UserName, UserSid, UserIsAdmin_Readable], limit=100)
The assigned values are quoted because an unquoted True would be read as a field name. The final * branch is the catch-all: without it, events whose UserIsAdmin is neither 1 nor 0 would be dropped from the output.
The Basics - 09 - Functions
Here $UserIsAdmin() invokes a saved query that carries out the same UserIsAdmin case logic as the previous chapter, so the enrichment can be reused without pasting it into every search.
Query
logscale
#event_simpleName=UserLogon
| $UserIsAdmin()
| table([aid, UserName, UserSid, UserIsAdmin, UserIsAdmin_Readable], limit=100)
The Basics - 10 - Formatting Query Output
Query
logscale
// Get all user logon events for User SID S-1-5-21-1423588362-1685263640-2499213259-1001
#event_simpleName=UserLogon event_platform=Win UserSid=S-1-5-21-1423588362-1685263640-2499213259-1001
// Invoke saved query to enrich UserIsAdmin field if the query is saved locally.
//| $UserIsAdmin()
// Invoke saved query to enrich UserIsAdmin field if the query is part of a package.
| $crowdstrike/fltr-tutorial:UserIsAdmin()
// Use select to output in tabular format
| select([@timestamp, aid, ClientComputerName, UserName, LogonType, UserIsAdmin_Readable])
Query Output Options

There are generally 3 different ways to format the output:
- table(): documentation. The table() function has lots of options for output, e.g. fields, limits, how the output is sorted, etc.
- select(): documentation. You can think of select() as a stripped-down version of table(). It doesn't have a lot of parameters, but is extremely efficient when used in a query. Keep in mind that select() will limit the UI output to the latest 200 events. This only applies to the UI output of the query; there is no such limit when select() is used in the middle of a query or during an export.
- Event List: documentation. Event List isn't a function like table() or select(). Instead, it's the default output if you *don't* use table() or select() in your query. It has a lot of UI options for formatting the output, all the way down to the column level. These options must be configured in the UI and can't be set directly in the query. Saving the query will also save the Event List options that you have specified.
The Basics - 11 - groupBy
Format Query Output with groupBy

Note in the search above, I've added the Event Search syntax I want to translate to my search and quickly commented it out. This is optional, but makes the translation of queries you already have a little easier.
logscale
| groupBy(SHA256HashData, function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect(CommandLine)]), limit=max)
Note the use of the square brackets after invoking function. This is because we want to use multiple aggregations in this groupBy. If you wanted to groupBy multiple fields, you would also use square brackets. As an example:
logscale
| groupBy([SHA256HashData, FileName], function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect(CommandLine)]), limit=max)
The same principle would be applied if we wanted to collect multiple fields.
logscale
| groupBy([SHA256HashData, FileName], function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect([CommandLine, UserSid])]), limit=max)
Note how:
logscale
collect(CommandLine)
Becomes:
logscale
collect([CommandLine, UserSid])
This takes a little practice, but once mastered the syntax is logical and very easy to interpret. To assist, LogScale will insert a closing parenthesis or closing square bracket when you open one.
Query
logscale
#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/\\powershell\.exe/i
| groupBy(SHA256HashData, function=([count(aid, distinct=true, as=uniqueEndpoints), count(aid, as=totalExecutions), collect(CommandLine)]), limit=100)
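What the groupBy() calls in this chapter actually compute, as an added Python example (not code from the tutorial): grouping on one or several fields, count(aid, distinct=true) versus count(aid), and collect() of one or several fields. SAMPLE_EVENTS is a constructed set of ProcessRollup2-style events. Two choices are this example's own and should be checked against the LogScale documentation before relying on them for the real function: events missing a grouping field are dropped, and collect() is modelled as returning the distinct values of a field.

```python
"""Model of groupBy([...], function=[count(distinct), count, collect(...)]) (added example)."""
from collections import defaultdict

# Constructed events: hash sha-1 runs on two hosts (twice on host-A), sha-2 on two
# hosts, and the last event has no FileName at all.
SAMPLE_EVENTS = [
    {"aid": "host-A", "SHA256HashData": "sha-1", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA"},
    {"aid": "host-A", "SHA256HashData": "sha-1", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA"},
    {"aid": "host-B", "SHA256HashData": "sha-1", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"aid": "host-B", "SHA256HashData": "sha-2", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -File x.ps1"},
    {"aid": "host-C", "SHA256HashData": "sha-2",
     "CommandLine": "powershell.exe -File y.ps1"},
]


def group_by(events, keys, collect_fields=("CommandLine",)):
    """Group `events` on `keys` (a list of field names, like groupBy([a, b])).

    Per group the row carries:
      uniqueEndpoints  -> count(aid, distinct=true)
      totalExecutions  -> count(aid)
      one list per collected field -> collect(field) / collect([f1, f2])
    Assumption of this model: an event lacking any key field belongs to no group,
    and collected values are de-duplicated and sorted for stable output."""
    groups = defaultdict(lambda: {"aids": [], **{f: set() for f in collect_fields}})
    for ev in events:
        if any(k not in ev for k in keys):
            continue
        g = groups[tuple(ev[k] for k in keys)]
        g["aids"].append(ev["aid"])
        for f in collect_fields:
            if f in ev:
                g[f].add(ev[f])

    rows = []
    for key, g in groups.items():
        row = dict(zip(keys, key))
        row["uniqueEndpoints"] = len(set(g["aids"]))
        row["totalExecutions"] = len(g["aids"])
        for f in collect_fields:
            row[f] = sorted(g[f])
        rows.append(row)
    return sorted(rows, key=lambda r: tuple(r[k] for k in keys))


if __name__ == "__main__":
    for row in group_by(SAMPLE_EVENTS, ["SHA256HashData"]):
        print(row)
    for row in group_by(SAMPLE_EVENTS, ["SHA256HashData", "FileName"],
                        collect_fields=("CommandLine", "aid")):
        print(row)
```

The ratio of totalExecutions to uniqueEndpoints is the hunting signal this chapter is building toward: a hash executed many times on very few hosts looks different from one executed once everywhere.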
The Basics - 12 - Parameters
Query
logscale
// Get all DNS Request events
#event_simpleName=DnsRequest
// Use regex to extract the last two labels of the domain (e.g. example.com), named topLevelDomain here
| DomainName=/\.?(?<topLevelDomain>\w+\.\w+$)/i
// Create search box (dashboard parameter) for top level domain
| topLevelDomain=?topLevelDomain
// Count number of domain variations by top level domain
| groupBy(topLevelDomain, function=(count(DomainName, distinct=true, as=domainVariations)), limit=100)
The Basics - 13 - Visualizations

Using Widget Visualizations

LogScale will only allow you to select compatible widgets. The desired visualization widget can also be specified in the query itself. As an example:
logscale
#event_simpleName!=*
| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent
| sankey(source=Tactic, target=Technique, weight=count(AgentIdString))
The "Save" button can be leveraged to add any query or widget to a custom dashboard.
The Basics - 14 - Widget Formatting
Customizing Visualizations Using the Format Pane

By clicking the paintbrush in the middle left, we can change view, color, and series options for our chart. When you select a visualization, the format pane will automatically adjust to include all available options. Please pick better colors than I did.
The Basics - 15 - Match
Query
logscale
#event_simpleName=UserLogon event_platform=Win
| UserIsAdmin match {
    1 => UserIsAdmin := "True" ;
    0 => UserIsAdmin := "False" ;
  }
| select([@timestamp, UserName, UID, LogonType, UserIsAdmin])
This rewrites UserIsAdmin in place rather than adding a new field. As with case, the assigned values are quoted, and there is no * => ... default branch here, so events whose UserIsAdmin is neither 1 nor 0 do not reach the select().
The Basics - 16 - Field Extraction
Using Regular Expression Field Extraction

By default, regular expression extractions are strict: if the data being searched does not match, the event is omitted from the results. A quick example would be:
logscale
#event_simpleName=ProcessRollup2 ImageFileName=/\\(?<fileName>\w{3}\.\w{3}$)/i
What this looks for is a file whose base name is three word characters long and whose extension is three characters long (cmd.exe, for example). Events whose ImageFileName does not satisfy that pattern are not returned.

Using Regular Expression Field Extraction (continued)

We can also use non-strict field extractions like so:
logscale
#event_simpleName=ProcessRollup2 ImageFileName=/\\(?<fileName>\w+\.\w+$)/i
| regex("(?<fourLetterFileName>^\w{4})\.exe", field=fileName, strict=false)
| groupBy([fileName, fourLetterFileName], limit=100)
| fourLetterFileName = *
The first line strictly extracts fileName from every ImageFileName. The regex() call then looks for file names consisting of exactly four word characters followed by .exe; because it is non-strict, events that do not match are kept and fourLetterFileName is simply left blank. The final line keeps only rows where the extraction populated fourLetterFileName; remove it to see the blank rows as well.
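The strict versus non-strict extraction behaviour described in this chapter (and the systemFolder filter from chapter 07 and the topLevelDomain extraction from chapter 12), reproduced as an added Python example so the two outcomes can be compared on constructed ImageFileName and DomainName values. This is not code from the tutorial: the extract() function, SAMPLE_EVENTS and run_pipeline() are this example's own, and to_python_regex() only exists because Python spells named groups (?P<name>...) where LogScale writes (?<name>...).

```python
"""Strict vs non-strict named-group extraction, modelled on field=/regex/ and regex(..., strict=false) (added example)."""
import re


def to_python_regex(logscale_pattern: str) -> str:
    """Rewrite LogScale's (?<name>...) groups as Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", logscale_pattern)


def extract(event: dict, field: str, pattern: str, strict: bool = True, flags=re.IGNORECASE):
    """Apply `pattern` to event[field] (the /i flag is on by default).
    Match     -> a copy of the event with the named groups added as fields.
    No match  -> strict: None (the event is filtered out, like a bare field=/regex/);
                 non-strict: the event unchanged (like regex(..., strict=false))."""
    value = event.get(field)
    m = re.search(to_python_regex(pattern), value, flags) if value is not None else None
    if m is None:
        return None if strict else dict(event)
    return {**event, **{k: v for k, v in m.groupdict().items() if v is not None}}


# Constructed Windows ImageFileName values in the form Falcon reports them.
SAMPLE_EVENTS = [
    {"ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\cmd.exe"},
    {"ImageFileName": r"\Device\HarddiskVolume3\Windows\SysWOW64\wscript.exe"},
    {"ImageFileName": r"\Device\HarddiskVolume3\Users\bob\AppData\Local\Temp\abcd.exe"},
    {"ImageFileName": r"\Device\HarddiskVolume3\Windows\notepad.exe"},
]

THREE_BY_THREE = r"\\(?<fileName>\w{3}\.\w{3}$)"             # chapter 16, strict filter
ANY_FILE = r"\\(?<fileName>\w+\.\w+$)"                        # chapter 16, first stage
FOUR_LETTER = r"(?<fourLetterFileName>^\w{4})\.exe"           # chapter 16, strict=false
SYSTEM_FOLDER = r"\\(?<systemFolder>(System32|SysWow64))\\"  # chapter 07 (strict there)
TLD = r"\.?(?<topLevelDomain>\w+\.\w+$)"                      # chapter 12


def run_pipeline(events):
    """ANY_FILE (strict) | FOUR_LETTER on fileName (non-strict) | SYSTEM_FOLDER (non-strict,
    to show the blank-field behaviour on the chapter 07 pattern as well)."""
    out = []
    for ev in events:
        ev = extract(ev, "ImageFileName", ANY_FILE, strict=True)
        if ev is None:
            continue
        ev = extract(ev, "fileName", FOUR_LETTER, strict=False)
        ev = extract(ev, "ImageFileName", SYSTEM_FOLDER, strict=False)
        out.append(ev)
    return out


if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_EVENTS):
        print(row)
```

Run strictly, THREE_BY_THREE keeps only the cmd.exe event; run through the pipeline, all four events survive and only the abcd.exe row gains a fourLetterFileName, which is exactly the difference the groupBy in the query above makes visible.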
The Basics - 17 - Query Building 101
Query Building 101 - Part 2

Note in the output above I've trimmed the command line string using format to only include the first 50 characters to make things more readable. That line is as follows:
logscale
| format("%.50s", field=CommandLine, as=CommandLine)
The format string is quoted, and %.50s is the precision form that truncates a string to 50 characters.

And now we have a complete query! If we wanted to do some visualization, we could change our parameters a bit to look for outliers. Based on this data, the use of the flags enc and encodedCommand (with that spelling) is not common in my environment. A hunting query, scheduled alert, or Custom IOA could be beneficial.
The Basics - 19 - Helpful Query Examples
Format a number to two decimal places

Calculate the average password age, in days, of Admin and Standard user accounts and then round those values to a whole number (use "%,.2f" instead of "%,.0f" to keep two decimal places):
logscale
#event_simpleName=UserLogon
| groupBy(UserIsAdmin, function=(avg(PasswordLastSet, as=avgPswdAge)), limit=100)
// PasswordLastSet is epoch seconds; now() is epoch milliseconds, hence the *1000
| AvgPaswdAgeDays := now() - (avgPswdAge*1000)
| AvgPaswdAgeDays := AvgPaswdAgeDays/1000/60/60/24
| format("%,.0f", field=[AvgPaswdAgeDays], as=PasswordLastSetDaysRounded)
Set a default field value

Similar to fillnull in Event Search. If the field GrandParentBaseFileName is blank, set it to the value "Unknown."
logscale
#event_simpleName=ProcessRollup2
| default(field=GrandParentBaseFileName, value=Unknown)
| select([GrandParentBaseFileName, ParentBaseFileName, ImageFileName])
Omit RFC 1918 addresses from search result

Omit internal IP addresses when keying in on remote IP addresses. The subnet list below drops more than the three RFC 1918 ranges: it also removes multicast (224.0.0.0/4), the whole loopback block (127.0.0.0/8), link-local (169.254.0.0/16) and the unspecified address.
logscale
#event_simpleName=UserLogon
| !cidr(RemoteAddressIP4, subnet=[224.0.0.0/4, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/32])
Place longitude and latitude on a world map

Using the built-in GeoIP database via ipLocation() and the worldMap function to map all SSH connections. ipLocation() adds RemoteAddressIP4.lat and RemoteAddressIP4.lon, which worldMap() then consumes. The same non-public subnet list as above is applied first, since those addresses have no useful geolocation.
logscale
#event_simpleName=UserLogon event_platform=Lin LogonType=10
| !cidr(RemoteAddressIP4, subnet=[224.0.0.0/4, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/32])
| ipLocation(RemoteAddressIP4)
| worldMap(lat=RemoteAddressIP4.lat, lon=RemoteAddressIP4.lon, magnitude=count(RemoteAddressIP4))
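The non-public address filter used by the two queries above, reimplemented as an added Python example (not tutorial code) with the standard library's ipaddress module, so the subnet list can be checked against constructed logon events before it is trusted in a search. SAMPLE_LOGONS and the function names are this example's own. Loopback is listed as 127.0.0.0/8 rather than a single address, and how the example treats events whose RemoteAddressIP4 is missing or unparseable is a choice made here (they are kept and flagged); check LogScale's own !cidr() behaviour for such events before relying on it.

```python
"""RFC 1918 / non-public address exclusion, modelled on !cidr(RemoteAddressIP4, subnet=[...]) (added example)."""
import ipaddress

# Same list as the query above, with loopback widened to the full 127.0.0.0/8 block.
NON_PUBLIC_SUBNETS = [ipaddress.ip_network(s) for s in (
    "224.0.0.0/4",      # multicast
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918 (172.16.0.0 through 172.31.255.255)
    "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "0.0.0.0/32",       # unspecified address
)]


def in_subnets(ip_text, subnets=NON_PUBLIC_SUBNETS):
    """True/False when ip_text is a valid IPv4 address; None when it is missing
    or does not parse, so the caller can decide what to do with such events."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except (ipaddress.AddressValueError, TypeError, ValueError):
        return None
    return any(ip in net for net in subnets)


def keep_remote_only(events, field="RemoteAddressIP4"):
    """Mirror `| !cidr(field, subnet=[...])`: drop events whose address is inside a
    listed subnet, keep the rest. Events with a missing or malformed address are
    kept and marked addrParsed=False (this example's choice, see lead-in)."""
    kept = []
    for ev in events:
        verdict = in_subnets(ev.get(field))
        if verdict is True:
            continue
        kept.append({**ev, "addrParsed": verdict is not None})
    return kept


# Constructed UserLogon-style events covering each interesting case.
SAMPLE_LOGONS = [
    {"aid": "h1", "UserName": "alice", "RemoteAddressIP4": "10.20.30.40"},
    {"aid": "h1", "UserName": "alice", "RemoteAddressIP4": "172.31.255.1"},  # last /12 address
    {"aid": "h2", "UserName": "bob",   "RemoteAddressIP4": "172.32.0.1"},    # just outside /12
    {"aid": "h2", "UserName": "bob",   "RemoteAddressIP4": "127.0.0.5"},     # caught only by /8
    {"aid": "h3", "UserName": "svc",   "RemoteAddressIP4": "203.0.113.9"},
    {"aid": "h3", "UserName": "svc",   "RemoteAddressIP4": "not-an-ip"},
    {"aid": "h4", "UserName": "root"},                                       # field absent
]


if __name__ == "__main__":
    for ev in keep_remote_only(SAMPLE_LOGONS):
        print(ev)
```

The 172.31.255.1 / 172.32.0.1 pair is worth keeping in any test set: writing the middle RFC 1918 range as 172.16.0.0/16 instead of /12 is a common mistake that silently lets 172.17 through 172.31 traffic into "external" results.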
Concatenate two fields into a new, single field

Take the fields UID and UserSid and make them a new field named userIdentifier.
logscale
#event_simpleName=ProcessRollup2
| concat([UID, UserSid], as=userIdentifier)
| select([@timestamp, aid, userIdentifier, ImageFileName])
Query a single field for multiple values

Query a single field for multiple values using the in function.
logscale
#event_simpleName=UserLogon
| in(LogonType, values=[2,10])
| select([@timestamp, UserSid, UserName, LogonType, ClientComputerName])
Use test to do field evaluations

Similar to where in Event Search, check a field value against another value. In this example, see if a username has completed more than 25 logons in a given search window:
logscale
#event_simpleName=UserLogon
| groupBy(UserName, function=(count(aid, as=totalLogons)), limit=100)
| test(totalLogons > 25)
Convert decimal values to hexadecimal values

Falcon reports SubStatus as a decimal number; format it as hex so it lines up with the hexadecimal form in which Windows logon-failure status codes are usually documented:
logscale
#event_simpleName=UserLogonFailed2 event_platform=Win
| SubStatus_hex := format("0x%X", field=SubStatus)
| select([@timestamp, aid, UserName, LogonType, SubStatus, SubStatus_hex])
Create concatenated, formatted fields

Create a process lineage one-liner that includes grandparent, parent, and target processes using format:
logscale
#event_simpleName=ProcessRollup2
| default(field=GrandParentBaseFileName, value=Unknown)
| format(format="%s > %s > %s", field=[GrandParentBaseFileName, ParentBaseFileName, FileName], as=processLineage)
| select([aid, TargetProcessId, processLineage])
Use match to query a lookup table

Note that the specified lookup table must exist under "Files." In this instance, we'll check for common ports and create a new field with their associated protocol. With strict=false, events whose LocalPort has no row in the file are kept without a ServiceName; with the default strict=true they would be dropped.
logscale
#event_simpleName=NetworkListenIP4
| match(file=crowdstrike/fltr-tutorial/service-names-port-numbers.csv, field=LocalPort, include=ServiceName, ignoreCase=true, strict=false)
| select([@timestamp, aid, LocalPort, ServiceName, RemoteAddressIP4])