Common Report Queries
Netflow events that identify SSH activity in outbound traffic but exclude a specific IP address (e.g. 10.0.0.121)
FROM netflow WHERE destination_port=22 AND direction='OUTBOUND' AND source_address != 10.0.0.121
Netflow events that identify SSH activity in outbound traffic from a specific source IP address (e.g. 10.0.0.121); note the filter is on source_address, not destination_address
FROM netflow WHERE destination_port=22 AND direction='OUTBOUND' AND source_address = 10.0.0.121
Netflow and Auth events involving a specific IP address in any IP field (e.g. 10.0.0.121), using the @ip cross-field search
FROM netflow, auth WHERE @ip='10.0.0.121'
Windows events where a user was added to a security-enabled global group (e.g. domain admins)
FROM auth WHERE (target_user_name CONTAINS 'domain admins' AND win_event_id = '4728')
All events, regardless of event type (schema), that contain a specific user ID (e.g. admin) in any user field
@user CONTAINS 'admin'
All command line events across multiple event types that contain the creation of a scheduled task (the binary is schtasks, so the search string must be 'schtasks /create'; 'SCHTASK /Create' would not match 'schtasks /Create')
@command CONTAINS 'schtasks /create'
Process events where the command line includes scheduled tasks
FROM process WHERE commandline CONTAINS 'schtasks'
Process events that include 'whoami' or another specific value (e.g. ATOMIC)
FROM process WHERE original_data CONTAINS 'whoami' OR original_data CONTAINS 'ATOMIC'
Generic events from a specified sensor (e.g. Zeek)
FROM generic WHERE sensor_type = 'zeek'
Generic events from the past 2 hours whose original_data contains a specific value (e.g. secureworks)
FROM generic WHERE original_data CONTAINS 'secureworks' EARLIEST = -2h
Inspector and process events for specific data 'lsass' for the past 7 days
FROM inspector_process, process WHERE original_data CONTAINS 'lsass' EARLIEST = -7d
All DNS query events whose query_name contains neither of two specific values (e.g. 'secureworks' and 'windowsupdate')
FROM dnsquery WHERE query_name !CONTAINS 'secureworks' AND query_name !CONTAINS 'windowsupdate'
DNS query events matching '*.secureworks.com' sorted by query_name in descending (reverse alphabetical) order
FROM dnsquery WHERE query_name MATCHES '*.secureworks.com' | sort query_name desc
Process events from Red Cloak™ Endpoint Agent and CrowdStrike, using IN to match either sensor type
FROM process WHERE sensor_type IN ('ENDPOINT_REDCLOAK', 'ENDPOINT_CROWD_STRIKE')
Auth events where the source user name or target user name contains a specific value (e.g. admin)
FROM auth WHERE source_user_name CONTAINS 'admin' OR target_user_name CONTAINS 'admin'
Auth events where the source user name and target_user_name do not contain a specific value (e.g. admin)
FROM auth WHERE source_user_name !CONTAINS 'admin' AND target_user_name !CONTAINS 'admin'
Auth events where the source user name and target_user_name do not contain a specific value (e.g. admin), but the win_summary field has a value containing 'special'
FROM auth WHERE source_user_name !CONTAINS 'admin' AND target_user_name !CONTAINS 'admin' AND win_summary CONTAINS 'special'
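The queries above rely on a small set of predicates (CONTAINS, !CONTAINS, MATCHES with '*' wildcards, IN, and an EARLIEST time window). The block below is an added example, not part of the cheat sheet or any Secureworks code: a Python model of those predicates run over a handful of constructed events, so the source/destination direction of the outbound SSH query and the 'schtasks' substring pitfall can be checked offline. Field names follow the schemas used above; case-insensitive string matching and the exact EARLIEST unit handling are assumptions made here, not a statement of Taegis QL semantics.

```python
"""Added example: a tiny evaluator for the cheat-sheet predicates over
constructed events. It models query semantics; it is not a Taegis client."""
from __future__ import annotations

import fnmatch
from datetime import datetime, timedelta, timezone

# Constructed reference time so EARLIEST windows are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample events (not real telemetry). Field names mirror the
# netflow / process / dnsquery schemas used in the queries above.
EVENTS = [
    {"schema": "netflow", "ts": NOW - timedelta(minutes=5), "destination_port": 22,
     "direction": "OUTBOUND", "source_address": "10.0.0.121", "destination_address": "203.0.113.7"},
    {"schema": "netflow", "ts": NOW - timedelta(minutes=7), "destination_port": 22,
     "direction": "OUTBOUND", "source_address": "10.0.0.55", "destination_address": "203.0.113.9"},
    {"schema": "netflow", "ts": NOW - timedelta(minutes=9), "destination_port": 443,
     "direction": "OUTBOUND", "source_address": "10.0.0.121", "destination_address": "203.0.113.9"},
    {"schema": "process", "ts": NOW - timedelta(hours=1), "sensor_type": "ENDPOINT_REDCLOAK",
     "commandline": "schtasks /Create /TN Updater /TR C:\\tmp\\u.exe /SC minute"},
    {"schema": "process", "ts": NOW - timedelta(hours=3), "sensor_type": "ENDPOINT_CROWD_STRIKE",
     "commandline": "whoami /all"},
    {"schema": "dnsquery", "ts": NOW - timedelta(minutes=1), "query_name": "www.secureworks.com"},
    {"schema": "dnsquery", "ts": NOW - timedelta(minutes=2), "query_name": "ctldl.windowsupdate.com"},
    {"schema": "dnsquery", "ts": NOW - timedelta(minutes=3), "query_name": "evil.example.net"},
]


def contains(value, needle: str) -> bool:
    """CONTAINS: case-insensitive substring test (assumed semantics)."""
    return needle.lower() in str(value).lower()


def matches(value, pattern: str) -> bool:
    """MATCHES: '*' wildcard glob, case-insensitive (assumed semantics)."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def parse_earliest(spec: str) -> datetime:
    """EARLIEST = -2h / -7d / -30m relative to NOW (assumed unit set)."""
    units = {"m": "minutes", "h": "hours", "d": "days"}
    if not spec.startswith("-") or spec[-1] not in units:
        raise ValueError(f"unsupported EARLIEST spec: {spec}")
    return NOW - timedelta(**{units[spec[-1]]: int(spec[1:-1])})


def run(schemas, predicate, earliest: str | None = None):
    """FROM <schemas> WHERE <predicate> [EARLIEST = <earliest>]."""
    start = parse_earliest(earliest) if earliest else None
    return [e for e in EVENTS
            if e["schema"] in schemas
            and (start is None or e["ts"] >= start)
            and predicate(e)]


def outbound_ssh(ip: str, exclude: bool = False):
    """Outbound SSH from a source IP (or, with exclude=True, from every other source)."""
    return run({"netflow"}, lambda e: e["destination_port"] == 22
               and e["direction"] == "OUTBOUND"
               and ((e["source_address"] != ip) if exclude else (e["source_address"] == ip)))


def scheduled_task_creation(needle: str = "schtasks /create"):
    """Process events whose command line contains the schtasks creation string."""
    return run({"process"}, lambda e: contains(e["commandline"], needle))


def processes_by_sensor(sensors, earliest: str | None = None):
    """sensor_type IN (...) with an optional EARLIEST window."""
    return run({"process"}, lambda e: e["sensor_type"] in sensors, earliest)


def dns_excluding(*terms: str):
    """query_name !CONTAINS each term (AND of negations)."""
    return [e["query_name"] for e in run({"dnsquery"},
            lambda e: not any(contains(e["query_name"], t) for t in terms))]


def dns_matching(pattern: str, descending: bool = True):
    """query_name MATCHES pattern | sort query_name desc."""
    names = [e["query_name"] for e in run({"dnsquery"}, lambda e: matches(e["query_name"], pattern))]
    return sorted(names, reverse=descending)


if __name__ == "__main__":
    print("from 10.0.0.121:", [e["destination_address"] for e in outbound_ssh("10.0.0.121")])
    print("excluding 10.0.0.121:", [e["source_address"] for e in outbound_ssh("10.0.0.121", exclude=True)])
    print("schtasks hits:", len(scheduled_task_creation()), "| 'schtask /create' hits:",
          len(scheduled_task_creation("schtask /create")))
```

The last line of the usage shows why the search string matters: "schtask /create" is not a substring of "schtasks /Create", so the singular form silently returns nothing while the plural form matches. The same evaluator also makes the source/destination distinction explicit: outbound_ssh filters on source_address, which is the field the "from a specific IP" query must use.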