| Top Blocked DLP Dictionaries | Hide Query Show Query #event.dataset = "zia.web"
| user.email =~ wildcard(?Username, ignoreCase=true)
| event.action = "blocked"
| Vendor.dlpdictionaries!="None"
| top(Vendor.dlpdictionaries)
| Pie Chart |
| Top Users by Volume | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| timechart(user.email, function=sum(Vendor.requestsize), limit=10)
| Time Chart |
| Top CrowdStrike IOC Hits by Threat Actor | Hide Query Show Query #event.dataset = "zia.web"
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
| ioc.detected=true
| case {
ioc[0].labels=Actor*
| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ;
* | iocActor:="None Listed" ;
}
| rename(iocActor, as="IOC.Actor")
| timechart(IOC.Actor, limit=10)
| Time Chart |
| Total Distinct Users | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| count(user.email, distinct=true)
| Single Value |
| CrowdStrike IOC Enrichment on Destination Domain | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=Vendor.url, strict=false)
| ioc:lookup(field=Vendor.domain, type=domain, confidenceThreshold=Unverified, strict=true)
| case {
ioc[0].labels=Actor*
| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ;
* | iocActor:="None Listed" ;
}
| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details")
| rename(Continent, as="IOC.Continent")
| rename(ioc[0].indicator, as="IOC.Domain")
| rename(ioc[0].malicious_confidence, as="IOC.Confidence")
| rename(iocActor, as="IOC.Actor")
| table([@timestamp, user.email, source.ip, IOC.Domain, IOC.Confidence, IOC.Actor, IOC.Details], limit=1000)
| Table |
| Top Allowed Domains | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=Vendor.url, strict=false)
| event.action="allowed"
| top([Vendor.domain])
| Table |
| Top Allowed Super Categories | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="allowed"
| timechart(Vendor.urlsupercategory, limit=10)
| Time Chart |
| Top Blocked Domains | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=Vendor.url, strict=false)
| event.action="blocked"
| top([Vendor.domain])
| Table |
| Top Vendor Threat Names | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| Vendor.threatname!="None"
| timechart(Vendor.threatname, limit=10)
| Time Chart |
| Top Application Names | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| top(Vendor.appname)
| Pie Chart |
| Top Blocked Super Categories | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="blocked"
| timechart(Vendor.urlsupercategory, limit=10)
| Time Chart |
| Top User Agents | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="allowed"
| top(Vendor.useragent, limit=100)
| Table |
| Top CrowdStrike IOCs by Confidence | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details")
| rename(ioc[0].malicious_confidence, as="IOC.Confidence")
| top(IOC.Confidence)
| Pie Chart |
| Top Blocked DLP Engines | Hide Query Show Query #event.dataset = "zia.web"
| user.email =~ wildcard(?Username, ignoreCase=true)
| event.action = "blocked"
| Vendor.dlpengine != "None"
| top(Vendor.dlpengine)
| Pie Chart |
| Top Protocols | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| top(network.protocol)
| Pie Chart |
| CrowdStrike IOC Enrichment on Server IP | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
| ipLocation(ioc[0].indicator)
| case {
ioc[0].labels=Actor*
| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ;
* | iocActor:="None Listed" ;
}
| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details")
| rename(Continent, as="IOC.Continent")
| rename(ioc[0].indicator, as="IOC.IP")
| rename(ioc[0].malicious_confidence, as="IOC.Confidence")
| rename(iocActor, as="IOC.Actor")
| rename(ioc[0].indicator.country, as="IOC.Country")
| table([@timestamp, user.email, source.ip, IOC.IP, IOC.Confidence, IOC.Country, IOC.Actor, IOC.Details], limit=1000)
| Table |
| Top Allowed Categories to Domains | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=Vendor.url, strict=false)
| event.action="allowed"
| top([Vendor.urlcategory, Vendor.domain], limit=20)
| sankey(source="Vendor.urlcategory", target="Vendor.domain")
| Sankey |
| Top Allowed Categories | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="allowed"
| top(Vendor.urlcategory)
| Table |
| Top CrowdStrike IOCs by Country | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
| ipLocation(ioc[0].indicator)
| rename(ioc[0].indicator.country, as="IOC.Country")
| top(IOC.Country)
| Pie Chart |
| Top Blocked Categories to Domains | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="blocked"
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=Vendor.url, strict=false)
| top([Vendor.urlcategory, Vendor.domain])
| sankey(source="Vendor.urlcategory", target="Vendor.domain")
| Sankey |
| Top Application Classes | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| top(Vendor.appclass)
| Pie Chart |
| Top Threat Name | Hide Query Show Query #event.dataset = "zia.web"
| user.email =~ wildcard(?Username, ignoreCase=true)
| Vendor.threatname != "None"
| top(Vendor.threatname)
| Pie Chart |
| Top Blocked Categories | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="blocked"
| top(Vendor.urlcategory)
| Table |
| Request Methods | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| timechart(http.request.method)
| Time Chart |
| Actions Over Time by Volume | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| Vendor.requestsize!=0
| timechart(event.action, function=sum(Vendor.requestsize))
| Time Chart |
| Top Vendor Categories to Threat Names | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| Vendor.threatname!="None"
| top([Vendor.urlcategory, Vendor.threatname])
| sankey(source=Vendor.urlcategory, target=Vendor.threatname)
| Sankey |
| Total Distinct Locations | Hide Query Show Query #event.dataset = "zia.web"
| user.email=~wildcard(?Username, ignoreCase=true)
| count("Vendor.location", distinct=true)
| Single Value |
